02-11-2008, 02:36 AM
Raistlfiren
Moderator
 
Join Date: Sep 2004
Location: 127.0.0.1
Posts: 427
Hey... Fixing Some Computers....

Hey Mobo,

I was working on two friends' PCs that were filled with spyware and other crap. Anyway, I saw that it was the trojan - trojandownloader.xs. So I googled it and ran several different tests and programs. After rebooting the two PCs in safe mode I ran HijackThis, ComboFix, SDFix, and Spybot S&D. SDFix and ComboFix seemed to work on the PCs, and they seem to be running a lot smoother than when I got them. They actually run, which is kind of scary. By the way, I am right now running a live virus scan from Kaspersky. Then I told them to come back tomorrow with their PCs, to see if anything suspicious lurks after the virus scan. Thanks for any help bro. I truly do appreciate it.

Anyway, I was hoping you would take a look at these log files from the scans.
Here is one of the scans from the PC I will call DELL (the next will be from the COMPAQ):

HijackThis Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:20 AM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\**jddnvj.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\**jddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Gamburg provider - {6607E676-1BDE-4cb3-9913-4DC5EBCAE35E} - unifff.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {C866FA6B-F9EF-4876-A0F3-EA9FE5EA225D} - C:\WINDOWS\assembly\NativeImages1_v1.0.3705\CustomMarshalers\dobcpa.dll (file missing)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1202591687.dll (file missing)
O2 - BHO: (no name) - {fb612e5e-1dd1-11b2-9835-bdb57d8756c5} - C:\WINDOWS\uvevodkr.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [MP***e] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKLM\..\Run: [ozihglir] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ozihglir.dll"
O4 - HKLM\..\Run: [drmsrv32] C:\DOCUME~1\KARILY~1\LOCALS~1\Temp\452c4a4hpc4a4a.exe
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKLM\..\Run: [SpyAway] C:\Program Files\SpyAway\spyaway.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7390] command /c del "C:\Program Files\BearShare\Logs\hosts-state.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1316] cmd /c del "C:\Program Files\BearShare\Logs\hosts-state.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9642] command /c del "C:\Program Files\BearShare\Logs\memory.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3490] cmd /c del "C:\Program Files\BearShare\Logs\memory.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3541] command /c del "C:\Program Files\BearShare\Logs\ordinal.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6324] cmd /c del "C:\Program Files\BearShare\Logs\ordinal.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3729] command /c del "C:\Program Files\BearShare\Logs\streams.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9514] cmd /c del "C:\Program Files\BearShare\Logs\streams.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3271] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5844] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5711] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6765] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6001] command /c del "C:\Program Files\webHancer\Programs\readme.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC27] cmd /c del "C:\Program Files\webHancer\Programs\readme.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA111] command /c del "C:\Program Files\whInstall\readme.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4114] cmd /c del "C:\Program Files\whInstall\readme.txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2665] command /c del "C:\Program Files\whInstall\whAgent.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8561] cmd /c del "C:\Program Files\whInstall\whAgent.ini"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingB1853] command /c del "C:\Program Files\BearShare\Logs\hosts-state.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8384] cmd /c del "C:\Program Files\BearShare\Logs\hosts-state.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6183] command /c del "C:\Program Files\BearShare\Logs\memory.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2763] cmd /c del "C:\Program Files\BearShare\Logs\memory.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB912] command /c del "C:\Program Files\BearShare\Logs\ordinal.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD524] cmd /c del "C:\Program Files\BearShare\Logs\ordinal.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB159] command /c del "C:\Program Files\BearShare\Logs\streams.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3293] cmd /c del "C:\Program Files\BearShare\Logs\streams.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1871] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7643] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB598] command /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4484] cmd /c del "C:\Program Files\webHancer\Programs\sporder.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7795] command /c del "C:\Program Files\webHancer\Programs\readme.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9830] cmd /c del "C:\Program Files\webHancer\Programs\readme.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1287] command /c del "C:\Program Files\whInstall\readme.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8017] cmd /c del "C:\Program Files\whInstall\readme.txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4621] command /c del "C:\Program Files\whInstall\whAgent.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3929] cmd /c del "C:\Program Files\whInstall\whAgent.ini"
O4 - HKLM\..\Policies\Explorer\Run: [xwivi77V5G] rundll32.exe "C:\WINDOWS\apshghwb.dll",DllCleanServer
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - Winlogon Notify: dobcpa - C:\WINDOWS\assembly\NativeImages1_v1.0.3705\CustomMarshalers\dobcpa.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 16102 bytes

ComboFix Report:
ComboFix 08-02.11.1 - Kari Lynne 2008-02-11 0:21:13.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.325 [GMT -6:00]
Running from: E:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\ozihglir.dll
C:\Documents and Settings\Kari Lynne\Application Data\searchtoolbarcorp
C:\Documents and Settings\Kari Lynne\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\Kari Lynne\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Documents and Settings\Kari Lynne\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\Kari Lynne\Application Data\WinAntiVirus Pro 2006\Logs\incmp.log
C:\Documents and Settings\Kari Lynne\Application Data\WinAntiVirus Pro 2006\Logs\update.log
C:\Documents and Settings\Kari Lynne\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\Documents and Settings\Kari Lynne\Application Data\WinAntiVirus Pro 2006\Logs\winav.log
C:\Documents and Settings\Kari Lynne\Start Menu\Programs\Startup\.protected
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\vsadd-in
C:\Program Files\vsadd-in\VSAdd-in.dll
C:\Program Files\WhenUSearch
C:\Program Files\WhenUSearch\search.dll
C:\Program Files\winantivirus pro 2006
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hot****.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\xwivi77V5Gwp.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\file.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\uvevodkr.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK


((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-11 00:25 . 2008-02-11 00:31 <DIR> d-------- C:\WINDOWS\system32\acespy
2008-02-11 00:25 . 2008-02-11 00:31 <DIR> d-------- C:\Program Files\p2pnetworks
2008-02-11 00:25 . 2008-02-11 00:31 <DIR> d-------- C:\Program Files\e-zshopper
2008-02-11 00:25 . 2008-02-11 00:31 <DIR> d-------- C:\Program Files\amsys
2008-02-11 00:25 . 2008-02-11 00:31 <DIR> d-------- C:\Program Files\akl
2008-02-11 00:25 . 2008-02-11 00:30 <DIR> d-------- C:\Program Files\Accoona
2008-02-11 00:24 . 2008-02-11 00:30 <DIR> d-------- C:\Program Files\3721
2008-02-10 23:01 . 2008-02-10 23:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-10 23:01 . 2008-02-10 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 14:33 . 2008-02-10 22:51 <DIR> d-------- C:\Program Files\SpyAway
2008-02-10 11:36 . 2008-02-10 11:36 4,960 --a------ C:\WINDOWS\system32\Se0zkN.syz
2008-02-09 19:18 . 2008-02-09 19:18 3,795,158 --a------ C:\WINDOWS\xwivi77V5G.exe
2008-02-09 19:17 . 2008-02-09 19:17 91,667 --a------ C:\WINDOWS\ytgtedih.exe
2008-02-09 19:17 . 2008-02-09 19:17 91,667 --a------ C:\WINDOWS\system32\**jddnvj.exe
2008-02-09 19:17 . 2008-02-10 19:18 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-02-09 16:02 . 2008-02-09 16:02 10,752 --a------ C:\WINDOWS\system32\worsock.dll
2008-02-09 16:02 . 2008-02-09 16:02 1 --a------ C:\WINDOWS\system32\rc.dat
2008-02-09 16:02 . 2008-02-09 16:02 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-02-09 16:02 . 2008-02-09 16:02 1 --a------ C:\WINDOWS\system32\cs.dat
2008-02-09 15:16 . 2008-02-09 15:16 <DIR> d-------- C:\WINDOWS\gtvuckjt
2008-02-09 15:16 . 2008-02-09 15:16 177,152 --a------ C:\WINDOWS\apshghwb.dll
2008-02-09 15:14 . 2008-02-09 15:14 54,272 --a------ C:\WINDOWS\system32\unifff.dll
2008-02-09 15:14 . 2008-02-09 15:14 2 --a------ C:\2096316284
2008-02-08 21:41 . 2008-02-08 21:41 876,032 -r-hs---- C:\WINDOWS\wkssvc.exe
2008-02-04 23:52 . 2008-02-04 23:52 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-04 23:51 . 2008-02-04 23:51 <DIR> d-------- C:\Program Files\MSBuild
2008-02-04 23:46 . 2008-02-04 23:46 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-04 23:26 . 2008-02-04 23:26 <DIR> dr-h----- C:\MSOCache
2008-01-27 21:21 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-01-27 21:21 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-01-13 18:11 . 2008-01-13 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 06:26 31,744 ----a-w C:\WINDOWS\liqad.exe
2008-02-11 06:26 31,744 ----a-w C:\WINDOWS\fhfmm.exe
2008-02-11 06:26 31,232 ----a-w C:\WINDOWS\kvnab.dll
2008-02-11 06:26 30,464 ----a-w C:\WINDOWS\liqui-Uninstaller.exe
2008-02-11 06:26 28,928 ----a-w C:\WINDOWS\xadbrk.dll
2008-02-11 06:26 28,928 ----a-w C:\WINDOWS\pbsysie.dll
2008-02-11 06:26 28,928 ----a-w C:\WINDOWS\eventlowg.dll
2008-02-11 06:26 28,672 ----a-w C:\WINDOWS\liqad$.exe
2008-02-11 06:26 27,904 ----a-w C:\WINDOWS\xadbrk.exe
2008-02-11 06:26 27,136 ----a-w C:\WINDOWS\kvnab.exe
2008-02-11 06:26 23,552 ----a-w C:\WINDOWS\liqad.dll
2008-02-11 06:26 20,992 ----a-w C:\WINDOWS\liqui.exe
2008-02-11 06:26 19,968 ----a-w C:\WINDOWS\daxtime.dll
2008-02-11 06:26 19,712 ----a-w C:\WINDOWS\kkcomp$.exe
2008-02-11 06:26 19,200 ----a-w C:\WINDOWS\settn.dll
2008-02-11 06:26 17,408 ----a-w C:\WINDOWS\liqui.dll
2008-02-11 06:26 16,640 ----a-w C:\WINDOWS\fhfmm-Uninstaller.exe
2008-02-11 06:26 14,848 ----a-w C:\WINDOWS\xadbrk_.exe
2008-02-11 06:26 14,080 ----a-w C:\WINDOWS\cbinst$.exe
2008-02-11 06:26 13,568 ----a-w C:\WINDOWS\kkcomp.dll
2008-02-11 06:26 11,520 ----a-w C:\WINDOWS\kkcomp.exe
2008-02-11 06:26 11,520 ----a-w C:\WINDOWS\hcwprn.exe
2008-02-11 06:26 10,496 ----a-w C:\WINDOWS\kvnab$.exe
2008-02-11 06:25 31,488 ----a-w C:\WINDOWS\vxddsk.exe
2008-02-11 06:25 30,976 ----a-w C:\WINDOWS\hot****.exe
2008-02-11 06:25 29,696 ----a-w C:\WINDOWS\dp0.dll
2008-02-11 06:25 28,672 ----a-w C:\WINDOWS\wbeCheck.exe
2008-02-11 06:25 28,416 ----a-w C:\WINDOWS\adbar.dll
2008-02-11 06:25 27,392 ----a-w C:\WINDOWS\jd2002.dll
2008-02-11 06:25 23,808 ----a-w C:\WINDOWS\ngd.dll
2008-02-11 06:25 20,480 ----a-w C:\WINDOWS\aconti.exe
2008-02-11 06:25 19,200 ----a-w C:\WINDOWS\iexplorr23.dll
2008-02-11 06:25 15,872 ----a-w C:\WINDOWS\spredirect.dll
2008-02-11 06:25 15,104 ----a-w C:\WINDOWS\wbeInst$.exe
2008-02-11 06:25 12,800 ----a-w C:\WINDOWS\xxxvideo.exe
2008-02-11 06:25 12,800 ----a-w C:\WINDOWS\ie_32.exe
2008-02-11 06:24 27,904 ----a-w C:\WINDOWS\7search.dll
2008-02-11 06:24 26,368 ----a-w C:\WINDOWS\764.exe
2008-02-11 06:24 22,784 ----a-w C:\WINDOWS\wml.exe
2008-02-11 06:24 13,312 ----a-w C:\WINDOWS\flt.dll
2008-02-11 06:24 10,496 ----a-w C:\WINDOWS\pbar.dll
2008-02-11 06:03 --------- d-----w C:\Program Files\WinFixerFree
2008-02-11 06:03 --------- d-----w C:\Program Files\BearShare
2008-02-11 03:59 --------- d-----w C:\Program Files\Dell
2008-02-11 03:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 03:56 --------- d-----w C:\Program Files\CyberLink
2008-02-11 03:55 --------- d-----w C:\Program Files\Sonic
2008-02-11 03:54 --------- d-----w C:\Program Files\Save
2008-02-10 19:45 --------- d-----w C:\Program Files\AIM
2008-02-10 19:45 --------- d-----w C:\Documents and Settings\Kari Lynne\Application Data\Aim
2008-02-05 06:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-11 21:39 --------- d-----w C:\Documents and Settings\Kari Lynne\Application Data\AdobeUM
2006-11-21 02:45 937,155 --sh--w C:\WINDOWS\assembly\NativeImages1_v1.0.3705\CustomMarshalers\apcbod.bak1
2006-11-13 07:27 104 --sh--w C:\WINDOWS\Config\cacsmvc.dll
2006-11-13 16:55 104 --sh--w C:\WINDOWS\Config\wvsr.dll
2006-11-17 16:40 104 --sh--w C:\WINDOWS\Cursors\pipa.dll
2006-11-17 17:02 104 --sh--w C:\WINDOWS\msagent\tuilsmvc.dll
2006-11-14 16:56 104 --sh--w C:\WINDOWS\Registration\vddawve.dll
2006-11-16 05:07 104 --sh--w C:\WINDOWS\system\bdrul.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6607E676-1BDE-4cb3-9913-4DC5EBCAE35E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb936323-19fa-4521-ba29-eca6a121bc78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C866FA6B-F9EF-4876-A0F3-EA9FE5EA225D}]
C:\WINDOWS\assembly\NativeImages1_v1.0.3705\CustomMarshalers\dobcpa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}]
C:\Program Files\Helper\1202591687.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"Win_Fixer_Free"="C:\Program Files\WinFixerFree\UWinFX6.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-24 15:14 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 09:09 460784]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 15:46 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33 155648]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 23:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 23:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 23:10 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 01:48 36975]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-09-01 17:24 684032]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-06 00:54 98304]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44 81920]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 13:49 1121280]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 10:26 110592]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray. exe" [2005-11-11 17:00 1005096]
"DellHelp"="C:\Dell\DellHelp\DellHelp.exe" [2004-04-01 15:51 1589248]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [ ]
"MP***e"="c:\PROGRA~1\mcafee.com\mps\mscifapp. exe" [2006-03-30 12:31 296488]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-09 16:32 185632]
"Windows Console"="wkssvc.exe" [2008-02-08 21:41 876032 C:\WINDOWS\wkssvc.exe]
"WMDM PMSP Service"="C:\WINDOWS\system32\cssrss.exe" [ ]
"SpyAway"="C:\Program Files\SpyAway\spyaway.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7390"="command /c del C:\Program Files\BearShare\Logs\hosts-state.txt" [ ]
"SpybotDeletingC1316"="cmd /c del C:\Program Files\BearShare\Logs\hosts-state.txt" [ ]
"SpybotDeletingA9642"="command /c del C:\Program Files\BearShare\Logs\memory.txt" [ ]
"SpybotDeletingC3490"="cmd /c del C:\Program Files\BearShare\Logs\memory.txt" [ ]
"SpybotDeletingA3541"="command /c del C:\Program Files\BearShare\Logs\ordinal.txt" [ ]
"SpybotDeletingC6324"="cmd /c del C:\Program Files\BearShare\Logs\ordinal.txt" [ ]
"SpybotDeletingA3729"="command /c del C:\Program Files\BearShare\Logs\streams.txt" [ ]
"SpybotDeletingC9514"="cmd /c del C:\Program Files\BearShare\Logs\streams.txt" [ ]
"SpybotDeletingA3271"="command /c del C:\WINDOWS\wt\webdriver.dll" [ ]
"SpybotDeletingC5844"="cmd /c del C:\WINDOWS\wt\webdriver.dll" [ ]
"SpybotDeletingA5711"="command /c del C:\Program Files\webHancer\Programs\sporder.dll" [ ]
"SpybotDeletingC6765"="cmd /c del C:\Program Files\webHancer\Programs\sporder.dll" [ ]
"SpybotDeletingA6001"="command /c del C:\Program Files\webHancer\Programs\readme.txt" [ ]
"SpybotDeletingC27"="cmd /c del C:\Program Files\webHancer\Programs\readme.txt" [ ]
"SpybotDeletingA111"="command /c del C:\Program Files\whInstall\readme.txt" [ ]
"SpybotDeletingC4114"="cmd /c del C:\Program Files\whInstall\readme.txt" [ ]
"SpybotDeletingA2665"="command /c del C:\Program Files\whInstall\whAgent.ini" [ ]
"SpybotDeletingC8561"="cmd /c del C:\Program Files\whInstall\whAgent.ini" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-06 00:40:49 24576]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-09-04 16:36:00 315392]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"xwivi77V5G"= rundll32.exe "C:\WINDOWS\apshghwb.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dobcpa]
C:\WINDOWS\assembly\NativeImages1_v1.0.3705\CustomMarshalers\dobcpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

S2 asc3550o;asc3550o;C:\WINDOWS\system32\drivers\asc3550o.sys [2004-08-10 05:00]
S2 DP1112;DP1112;C:\WINDOWS\system32\Drivers\DP.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-11 04:40:02 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (KARI-Kari Lynne).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 00:31:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\wml.exe 17664 bytes
C:\WINDOWS\xadbrk.dll 13824 bytes
C:\WINDOWS\xadbrk.exe 12544 bytes
C:\WINDOWS\xadbrk_.exe 15872 bytes
C:\WINDOWS\xxxvideo.exe 29184 bytes
C:\WINDOWS\kkcomp$.exe 11520 bytes
C:\WINDOWS\kkcomp.dll 21248 bytes
C:\WINDOWS\kkcomp.exe 32768 bytes
C:\WINDOWS\kvnab$.exe 32256 bytes
C:\WINDOWS\kvnab.dll 19200 bytes
C:\WINDOWS\kvnab.exe 12032 bytes
C:\WINDOWS\liqad$.exe 24832 bytes
C:\WINDOWS\liqad.dll 23552 bytes
C:\WINDOWS\liqad.exe 10752 bytes
C:\WINDOWS\liqui-Uninstaller.exe 32256 bytes
C:\WINDOWS\liqui.dll 14080 bytes
C:\WINDOWS\liqui.exe 10240 bytes
C:\WINDOWS\764.exe 8704 bytes
C:\WINDOWS\7search.dll 30464 bytes
C:\WINDOWS\absolute key logger.lnk 21760 bytes
C:\WINDOWS\aconti.exe 15872 bytes
C:\WINDOWS\aconti.ini 18688 bytes
C:\WINDOWS\aconti.log 16128 bytes
C:\WINDOWS\aconti.sdb 11776 bytes
C:\WINDOWS\acontidialer.txt 25600 bytes
C:\WINDOWS\adbar.dll 25856 bytes
C:\WINDOWS\cbinst$.exe 13056 bytes
C:\WINDOWS\pbar.dll 28672 bytes
C:\WINDOWS\pbsysie.dll 21504 bytes
C:\WINDOWS\dp0.dll 16896 bytes
C:\WINDOWS\eventlowg.dll 21248 bytes

scan completed successfully
hidden files: 31

**************************************************************************
.
Completion time: 2008-02-11 0:34:52
ComboFix-quarantined-files.txt 2008-02-11 06:34:46
.
2008-01-14 09:09:06 --- E O F ---

SDFIX - After Reboot :

SDFix: Version 1.141

Run by Kari Lynne on Mon 02/11/2008 at 12:38 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DP1112

Path:
\??\C:\WINDOWS\system32\Drivers\DP.sys

DP1112 - Deleted

Killing PID 808 '**jddnvj.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting...

Service asc3550o - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\209631~1 - Deleted
C:\WINDOWS\gtvuckjt\1.png - Deleted
C:\WINDOWS\gtvuckjt\2.png - Deleted
C:\WINDOWS\gtvuckjt\3.png - Deleted
C:\WINDOWS\gtvuckjt\4.png - Deleted
C:\WINDOWS\gtvuckjt\5.png - Deleted
C:\WINDOWS\gtvuckjt\6.png - Deleted
C:\WINDOWS\gtvuckjt\7.png - Deleted
C:\WINDOWS\gtvuckjt\8.png - Deleted
C:\WINDOWS\gtvuckjt\9.png - Deleted
C:\WINDOWS\gtvuckjt\bottom-rc.gif - Deleted
C:\WINDOWS\gtvuckjt\config.png - Deleted
C:\WINDOWS\gtvuckjt\content.png - Deleted
C:\WINDOWS\gtvuckjt\download.gif - Deleted
C:\WINDOWS\gtvuckjt\frame-bg.gif - Deleted
C:\WINDOWS\gtvuckjt\frame-bottom-left.gif - Deleted
C:\WINDOWS\gtvuckjt\frame-h1bg.gif - Deleted
C:\WINDOWS\gtvuckjt\head.png - Deleted
C:\WINDOWS\gtvuckjt\icon.png - Deleted
C:\WINDOWS\gtvuckjt\indexwp.html - Deleted
C:\WINDOWS\gtvuckjt\main.css - Deleted
C:\WINDOWS\gtvuckjt\memory-prots.png - Deleted
C:\WINDOWS\gtvuckjt\net.png - Deleted
C:\WINDOWS\gtvuckjt\pc.gif - Deleted
C:\WINDOWS\gtvuckjt\pc-mag.gif - Deleted
C:\WINDOWS\gtvuckjt\poloska1.png - Deleted
C:\WINDOWS\gtvuckjt\poloska2.png - Deleted
C:\WINDOWS\gtvuckjt\poloska3.png - Deleted
C:\WINDOWS\gtvuckjt\promowp1.html - Deleted
C:\WINDOWS\gtvuckjt\promowp2.html - Deleted
C:\WINDOWS\gtvuckjt\promowp3.html - Deleted
C:\WINDOWS\gtvuckjt\promowp4.html - Deleted
C:\WINDOWS\gtvuckjt\promowp5.html - Deleted
C:\WINDOWS\gtvuckjt\reg.png - Deleted
C:\WINDOWS\gtvuckjt\repair.png - Deleted
C:\WINDOWS\gtvuckjt\scr-1.png - Deleted
C:\WINDOWS\gtvuckjt\scr-2.png - Deleted
C:\WINDOWS\gtvuckjt\start.png - Deleted
C:\WINDOWS\gtvuckjt\styles.css - Deleted
C:\WINDOWS\gtvuckjt\top-rc.gif - Deleted
C:\WINDOWS\gtvuckjt\vline.gif - Deleted
C:\WINDOWS\gtvuckjt\wp.png - Deleted
C:\WINDOWS\system32\acespy\systune.exe - Deleted
C:\WINDOWS\system32\acespy\__acelog.ndx - Deleted
C:\Program Files\3721\helper.dll - Deleted
C:\Program Files\3721\assist\asbar.dll - Deleted
C:\Program Files\Accoona\ASearchAssist.dll - Deleted
C:\Program Files\akl\akl.dll - Deleted
C:\Program Files\akl\akl.exe - Deleted
C:\Program Files\akl\curlog.htm - Deleted
C:\Program Files\akl\keylog.txt - Deleted
C:\Program Files\akl\readme.txt - Deleted
C:\Program Files\akl\uninstall.exe - Deleted
C:\Program Files\akl\unsetup.dat - Deleted
C:\Program Files\akl\unsetup.exe - Deleted
C:\Program Files\amsys\awmsg.dat - Deleted
C:\Program Files\amsys\guid.dat - Deleted
C:\Program Files\amsys\ijl15.dll - Deleted
C:\Program Files\amsys\mfc42.dll - Deleted
C:\Program Files\amsys\msvcrt.dll - Deleted
C:\Program Files\amsys\unins000.dat - Deleted
C:\Program Files\amsys\unis000.exe - Deleted
C:\Program Files\amsys\winam.dat - Deleted
C:\Program Files\e-zshopper\BarLcher.dll - Deleted
C:\Program Files\p2pnetworks\amp2pl.exe - Deleted
C:\WINDOWS\764.exe - Deleted
C:\WINDOWS\7search.dll - Deleted
C:\WINDOWS\absolute key logger.lnk - Deleted
C:\WINDOWS\aconti.exe - Deleted
C:\WINDOWS\aconti.ini - Deleted
C:\WINDOWS\aconti.log - Deleted
C:\WINDOWS\aconti.sdb - Deleted
C:\WINDOWS\acontidialer.txt - Deleted
C:\WINDOWS\adbar.dll - Deleted
C:\WINDOWS\cbinst$.exe - Deleted
C:\WINDOWS\daxtime.dll - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\dp0.dll - Deleted
C:\WINDOWS\eventlowg.dll - Deleted
C:\WINDOWS\fhfmm.exe - Deleted
C:\WINDOWS\fhfmm-Uninstaller.exe - Deleted
C:\WINDOWS\flt.dll - Deleted
C:\WINDOWS\hcwprn.exe - Deleted
C:\WINDOWS\hot****.exe - Deleted
C:\WINDOWS\ie_32.exe - Deleted
C:\WINDOWS\iexplorr23.dll - Deleted
C:\WINDOWS\jd2002.dll - Deleted
C:\WINDOWS\kkcomp$.exe - Deleted
C:\WINDOWS\kkcomp.dll - Deleted
C:\WINDOWS\kkcomp.exe - Deleted
C:\WINDOWS\kvnab$.exe - Deleted
C:\WINDOWS\kvnab.dll - Deleted
C:\WINDOWS\kvnab.exe - Deleted
C:\WINDOWS\liqad$.exe - Deleted
C:\WINDOWS\liqad.dll - Deleted
C:\WINDOWS\liqad.exe - Deleted
C:\WINDOWS\liqui.dll - Deleted
C:\WINDOWS\liqui.exe - Deleted
C:\WINDOWS\liqui-Uninstaller.exe - Deleted
C:\WINDOWS\ngd.dll - Deleted
C:\WINDOWS\pbar.dll - Deleted
C:\WINDOWS\pbsysie.dll - Deleted
C:\WINDOWS\settn.dll - Deleted
C:\WINDOWS\spredirect.dll - Deleted
C:\WINDOWS\system32\ace16win.dll - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\cs.dat - Deleted
C:\WINDOWS\system32\ESHOPEE.exe - Deleted
C:\WINDOWS\system32\msole32.exe - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\**jddnvj.exe - Deleted
C:\WINDOWS\system32\unifff.dll - Deleted
C:\WINDOWS\system32\vxddsk.exe - Deleted
C:\WINDOWS\system32\wml.exe - Deleted
C:\WINDOWS\vxddsk.exe - Deleted
C:\WINDOWS\wbeCheck.exe - Deleted
C:\WINDOWS\wbeInst$.exe - Deleted
C:\WINDOWS\wkssvc.exe - Deleted
C:\WINDOWS\wml.exe - Deleted
C:\WINDOWS\xadbrk.dll - Deleted
C:\WINDOWS\xadbrk.exe - Deleted
C:\WINDOWS\xadbrk_.exe - Deleted
C:\WINDOWS\xxxvideo.exe - Deleted
C:\WINDOWS\system32\drivers\asc3550o.sys - Deleted



Folder C:\Program Files\3721 - Removed
Folder C:\Program Files\Accoona - Removed
Folder C:\Program Files\akl - Removed
Folder C:\Program Files\amsys - Removed
Folder C:\Program Files\e-zshopper - Removed
Folder C:\Program Files\p2pnetworks - Removed
Folder C:\WINDOWS\system32\acespy - Removed


Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 01:00:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001c4
"TracesSuccessful"=dword:0000001a

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 25 Dec 2005 56 A.SHR --- "C:\i386\EB45ED61D8.sys"
Sun 25 Dec 2005 2,828 A.SH. --- "C:\i386\KGyGaAvL.sys"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 29 Mar 2006 1,118,051 A..H. --- "C:\Program Files\WinFixerFree\dcres.sys"
Wed 29 Mar 2006 244,578 A..H. --- "C:\Program Files\WinFixerFree\wsres.sys"
Mon 13 Nov 2006 104 ..SH. --- "C:\WINDOWS\Config\cacsmvc.dll"
Mon 13 Nov 2006 104 ..SH. --- "C:\WINDOWS\Config\wvsr.dll"
Fri 17 Nov 2006 104 ..SH. --- "C:\WINDOWS\Cursors\pipa.dll"
Fri 17 Nov 2006 104 ..SH. --- "C:\WINDOWS\msagent\tuilsmvc.dll"
Tue 14 Nov 2006 104 ..SH. --- "C:\WINDOWS\Registration\vddawve.dll"
Wed 15 Nov 2006 104 ..SH. --- "C:\WINDOWS\system\bdrul.dll"
Thu 7 Feb 2008 56 ..SHR --- "C:\WINDOWS\system32\EB45ED61D8.sys"
Thu 7 Feb 2008 3,766 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 13 Mar 2006 406,504 ..SH. --- "C:\WINDOWS\system32\orutv.tmp"
Mon 20 Nov 2006 915,676 A.SH. --- "C:\WINDOWS\system32\orutv.tmp2"
Mon 20 Nov 2006 937,155 ..SH. --- "C:\WINDOWS\assembly\NativeImages1_v1.0.3705\CustomMarshalers\apcbod.bak1"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kari Lynne\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kari Lynne\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kari Lynne\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Kari Lynne\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!