
Solved: recent attack of false spyware infection warnings

Discussion in 'Virus & Other Malware Removal' started by yettz, Apr 14, 2008.

  1. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    I suddenly started getting windows that warn me of spyware infections and offer to remove them. They have taken over the desktop, disabled the task manager, and are generally wreaking havoc. Earlier, the desktop icons and task bar disappeared, leaving only the wallpaper, and I had to reboot. A Rundll error message appears now at startup.

    Earlier Superantispyware detected a Vundo variant, a Downloader, and a few other pests, but it doesn't seem as though it was able to remove all of them. Then I ran Vundofix and it found no problems. I have not yet run Combofix. I'm hoping your trained eye can help me resolve this!

    SAS + Vundofix logs follow, then the Hijackthis log.
    Thank you!


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 04/13/2008 at 04:30 PM

    Application Version : 4.0.1154

    Core Rules Database Version : 3391
    Trace Rules Database Version: 1383

    Scan type : Quick Scan
    Total Scan Time : 01:09:12

    Memory items scanned : 470
    Memory threats detected : 1
    Registry items scanned : 489
    Registry threats detected : 10
    File items scanned : 6089
    File threats detected : 7

    Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\QOMCCCSP.DLL
    C:\WINDOWS\SYSTEM32\QOMCCCSP.DLL

    Transponder Variant BHO
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

    Unclassified.Unknown Origin
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}

    Adware.2020Search
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

    Adware.Vundo-Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B72E407-F908-45C9-AA61-64EACFC57E03}
    HKCR\CLSID\{5B72E407-F908-45C9-AA61-64EACFC57E03}
    HKCR\CLSID\{5B72E407-F908-45C9-AA61-64EACFC57E03}\InprocServer32
    HKCR\CLSID\{5B72E407-F908-45C9-AA61-64EACFC57E03}\InprocServer32#ThreadingModel

    Adware.180solutions/SurfAssistant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

    Adware.Second Thought
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}

    Adware.Tracking Cookie
    C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@tribalfusion[2].txt
    C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@ads.techguy[2].txt
    C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@msnportal.112.2o7[1].txt
    C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@ads.as4x.tmcs[1].txt
    C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@atdmt[1].txt
    C:\Documents and Settings\mom (and guests)\Cookies\mom (and guests)@trafficmp[1].txt



    VundoFix V7.0.3

    Scan started at 2:30:35 PM 4/13/2008

    Listing files found while scanning....

    No infected files were found.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:32:45 PM, on 4/13/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\wmsdkns.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\Rundll32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\QdrModule\QdrModule15.exe
    C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\ie.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\winself.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\DllHost.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\WINDOWS\System32\DllHost.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [b8dec507] rundll32.exe "C:\WINDOWS\System32\lujdvdwd.dll",b
    O4 - HKLM\..\Run: [BMbbedf69b] Rundll32.exe "C:\WINDOWS\System32\atyubtoh.dll",s
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\ie.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Matt's Things\Other Things\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for ôå: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098728199640
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://a1776.ff.fullaudio.com.edges...io.com/musicnow/phoenix/4.0.0.17/MusicNow.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 9553 bytes
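The indicators a helper reads off a log like this one (the second executable on the F2 UserInit line, the two rundll32 Run entries loading random-named DLLs from System32, the autostart launched from a Temp folder, the O23 service with no recorded owner) can be pulled out mechanically. The following Python triage script is an added example, not part of this thread and not HijackThis code; its sample lines are copied from the log above, and its path and rundll32 rules are assumptions that yield candidates for review, not verdicts (the legitimate "Symantec Core LC" service above, for instance, would also be listed as Unknown owner).

```python
"""Triage helper for HijackThis log lines (added example; not HijackThis code).

It recognises three of the entry types in the log above and flags the
persistence patterns a helper looks for first:
  F2  UserInit listing anything besides the one legitimate userinit.exe
  O4  Run entries that start from a Temp folder, or load a DLL via rundll32
  O23 services whose owner is recorded as "Unknown owner"
The path and rundll32 rules are assumptions; they produce candidates for
review, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log above, plus two
# benign entries (ccApp, Pml Driver) so the output shows what is not flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [b8dec507] rundll32.exe "C:\WINDOWS\System32\lujdvdwd.dll",b
O4 - HKLM\..\Run: [BMbbedf69b] Rundll32.exe "C:\WINDOWS\System32\atyubtoh.dll",s
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\ie.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
""".strip().splitlines()

# Entry shapes as HijackThis 2.0.2 prints them (taken from the log format above).
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HK[A-Z]{2})\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristics (assumptions): a rundll32 launcher, and a path through a Temp folder.
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # F2, O4 or O23
    reason: str
    line: str


def triage(lines):
    """Return a Finding for every entry that deserves a closer look, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = F2_USERINIT.match(line)
        if m:
            # Windows expects exactly one program here, system32\userinit.exe;
            # anything appended to it runs at every logon before the shell starts.
            entries = [e.strip() for e in m["value"].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(Finding("F2", "UserInit also runs: " + ", ".join(extra), line))
            continue
        m = O4_RUN.match(line)
        if m:
            cmd = m["cmd"].strip()
            if TEMP_DIR.search(cmd):
                findings.append(Finding("O4", f"[{m['name']}] autostarts from a Temp folder", line))
            else:
                r = RUNDLL.match(cmd)
                if r:
                    findings.append(Finding(
                        "O4", f"[{m['name']}] loads {r['dll']} via rundll32; check the DLL's publisher", line))
            continue
        m = O23_SERVICE.match(line)
        if m and m["owner"].strip().lower() == "unknown owner":
            findings.append(Finding("O23", f"service '{m['svc']}' has no recorded owner: {m['path']}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<3} {f.reason}\n    {f.line}")
```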
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download (save) SmitfraudFix (by S!Ri) to your desktop.
    Extract the content (a folder named SmitfraudFix) to your Desktop. Select all of the contents and extract them to a new folder called SmitfraudFix.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  3. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Thanks so much for responding!!

    When the SmitfraudFix process began scanning in the C:\ window, after a very short time, the window disappeared. I cannot see whether anything is running by using the Task Manager since it is disabled by the rogue files. It must not have completed. ??
     
  4. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    PS It disappears when it gets to the Windows System32 folders in its scan.
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please visit this webpage for instructions on installing recovery console and downloading/running ComboFix.

    Post the log from ComboFix along with a new HijackThis log.
     
  6. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Hoo-boy! I turned Norton off in order to run Combofix, and many spam-popup windows have taken over! Combofix soldiered on through it all; here is the log file... (btw, I didn't install the recovery console, thought I had already done that before when I had problems last year)


    ComboFix 08-04-13.3 - mom (and guests) 2008-04-14 13:48:21.3 - NTFSx86
    Running from: C:\Documents and Settings\mom (and guests)\My Documents\Mom's Documents\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - svchost.exe: deleted 28160 bytes in 1 streams.
    /wow section not completed

    ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
    .

    2008-04-14 13:49 . 758 C:\WINDOWS\SYSTEM32\dwdvdjul.tmp
    2008-04-14 13:45 . 2008-04-14 13:47 41,754 --a------ C:\WINDOWS\nivavir.config
    2008-04-14 13:44 . 2008-04-14 13:44 391,168 --a------ C:\WINDOWS\SYSTEM32\alt.exe.exe
    2008-04-14 13:44 . 2008-04-14 13:44 132,608 --a------ C:\WINDOWS\SYSTEM32\shift.exe.exe
    2008-04-14 13:44 . 2008-04-14 13:44 132,608 --a------ C:\WINDOWS\kavir.exe
    2008-04-14 13:44 . 2002-08-29 04:00 113,664 --a------ C:\WINDOWS\SYSTEM32\hcnqt.drv
    2008-04-14 13:44 . 2008-04-14 13:44 4 --a------ C:\WINDOWS\SYSTEM32\winsub.xml
    2008-04-14 13:44 . 2008-04-14 13:44 0 --a------ C:\WINDOWS\SYSTEM32\svcp.csv
    2008-04-14 13:42 . 2008-04-14 13:43 <DIR> d-------- C:\Program Files\iSecurity
    2008-04-14 13:42 . 2008-04-14 13:42 <DIR> d-------- C:\Program Files\cjb
    2008-04-14 13:42 . 2008-04-14 13:42 <DIR> d-------- C:\Documents and Settings\mom (and guests)\Application Data\Anti-Virus-Pro.com
    2008-04-14 13:42 . 2008-04-14 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\grsxeryh
    2008-04-14 13:42 . 2008-04-14 13:42 113,664 --a------ C:\WINDOWS\SYSTEM32\nmdkjetgf.dll
    2008-04-14 13:42 . 2008-04-14 13:42 90,112 --a------ C:\WINDOWS\SYSTEM32\adqzaxcp.exe
    2008-04-14 13:42 . 2008-04-14 13:42 40,448 --a------ C:\WINDOWS\SYSTEM32\khfGwTmk.dll
    2008-04-14 13:42 . 2008-04-14 13:42 36,312 --a------ C:\Program Files\bho.exe
    2008-04-14 13:42 . 2008-04-14 13:42 21,588 --a------ C:\Program Files\antiviirus.exe
    2008-04-14 13:42 . 2008-04-14 13:42 19,584 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kqmgzzkv.dat
    2008-04-14 13:42 . 2008-04-14 13:42 16,464 -r-hs---- C:\Program Files\tmp3.exe
    2008-04-14 13:42 . 2008-04-14 13:42 16,464 -r-hs---- C:\Program Files\tmp2.exe
    2008-04-14 13:42 . 2008-04-14 13:42 16,464 -r-hs---- C:\Program Files\tmp1.exe
    2008-04-14 13:42 . 2008-04-14 13:42 16,464 -r-hs---- C:\Program Files\tmp0.exe
    2008-04-14 13:42 . 2008-04-14 13:42 6,144 -r-hs---- C:\WINDOWS\SYSTEM32\iSecurity.cpl
    2008-04-14 13:42 . 2008-04-14 13:42 245 --a------ C:\WINDOWS\tmp64003890.bat
    2008-04-14 13:42 . 2008-04-14 13:49 90 --a------ C:\WINDOWS\SYSTEM32\n.ini
    2008-04-14 13:41 . 2008-04-14 13:41 160,256 --a------ C:\WINDOWS\SYSTEM32\blackster.scr
    2008-04-14 13:41 . 2008-04-14 13:41 38,400 --a------ C:\WINDOWS\mrofinu1854.exe
    2008-04-14 13:41 . 2005-08-20 10:22 9,728 --a------ C:\WINDOWS\SYSTEM32\spoolvs.exe
    2008-04-14 13:41 . 2005-08-20 10:22 9,728 --a------ C:\WINDOWS\SYSTEM32\printer.exe
    2008-04-14 13:41 . 2005-08-20 10:22 9,728 --a------ C:\WINDOWS\shell.exe
    2008-04-14 13:41 . 2008-04-14 13:41 52 --a------ C:\smp.bat
    2008-04-14 13:41 . 2008-04-14 13:41 29 --a------ C:\WINDOWS\SYSTEM32\oegseotw.tmp
    2008-04-14 13:40 . 2008-04-14 13:42 <DIR> d-------- C:\Program Files\AntiVirusPro
    2008-04-14 13:40 . 2008-04-14 13:40 269,334 --a------ C:\WINDOWS\SYSTEM32\ctfmonb.bmp
    2008-04-14 13:40 . 2008-04-14 13:40 269,334 --a------ C:\WINDOWS\SYSTEM32\credgfedojihsb.bmp
    2008-04-14 13:40 . 2008-04-14 13:40 83,968 --a------ C:\WINDOWS\SYSTEM32\ctfmona.exe
    2008-04-14 13:40 . 2008-04-14 13:41 40,599 --a------ C:\Documents and Settings\mom (and guests)\cftmon.exe
    2008-04-14 13:40 . 2008-04-14 13:41 27,050 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe
    2008-04-14 13:40 . 2008-04-14 13:40 25,088 --a------ C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe
    2008-04-14 13:40 . 2005-08-18 09:47 18,944 --a------ C:\WINDOWS\SYSTEM32\wowfx.dll
    2008-04-14 13:40 . 2008-04-14 13:40 12,800 --a------ C:\blf.exe
    2008-04-14 13:40 . 2005-08-20 15:14 9,728 --a------ C:\Documents and Settings\mom (and guests)\Application Data\printer.exe
    2008-04-14 13:40 . 2008-04-14 13:40 5,120 --a------ C:\WINDOWS\SYSTEM32\ftpdll.dll
    2008-04-14 13:40 . 2008-04-14 13:40 5,120 --a------ C:\Documents and Settings\mom (and guests)\ftpdll.dll
    2008-04-14 13:40 . 2008-04-14 13:40 10 --a------ C:\WINDOWS\SYSTEM32\kr_done1
    2008-04-14 13:36 . 2008-04-14 13:36 <DIR> d-------- C:\Program Files\QdrPack
    2008-04-14 12:42 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
    2008-04-14 12:42 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2008-04-14 12:42 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
    2008-04-14 12:42 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
    2008-04-14 12:42 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
    2008-04-14 12:42 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
    2008-04-14 12:42 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
    2008-04-14 12:42 . 2008-04-14 13:14 3,730 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2008-04-13 16:48 . 2008-04-13 16:48 85,568 --a------ C:\WINDOWS\SYSTEM32\lujdvdwd.dll
    2008-04-13 16:45 . 2008-04-13 16:45 92,736 --a------ C:\WINDOWS\SYSTEM32\mmfsqbby.dll
    2008-04-13 16:39 . 2008-04-13 16:39 272,896 --a------ C:\WINDOWS\SYSTEM32\pmnmljGX.dll
    2008-04-13 16:39 . 2008-04-14 13:49 271,090 --ahs---- C:\WINDOWS\SYSTEM32\XGjlmnmp.ini2
    2008-04-13 16:39 . 2008-04-14 13:49 271,090 --ahs---- C:\WINDOWS\SYSTEM32\XGjlmnmp.ini
    2008-04-13 16:39 . 2008-04-13 16:39 95,296 --a------ C:\WINDOWS\SYSTEM32\atyubtoh.dll
    2008-04-13 15:16 . 2008-04-13 15:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-12 22:50 . 2008-04-13 16:31 6,362 --ahs---- C:\WINDOWS\SYSTEM32\PsCccMoq.ini
    2008-04-12 22:50 . 2008-04-13 16:30 6,322 --ahs---- C:\WINDOWS\SYSTEM32\PsCccMoq.ini2
    2008-04-12 22:48 . 2008-04-12 22:48 29,952 --a------ C:\WINDOWS\stcloader.exe
    2008-04-12 22:48 . 2008-04-12 22:48 23,552 --a------ C:\WINDOWS\swin32.dll
    2008-04-12 22:48 . 2008-04-12 22:48 12,032 --a------ C:\WINDOWS\bokja.exe
    2008-04-12 22:47 . 2008-04-12 22:47 27,392 --a------ C:\WINDOWS\2020search2.dll
    2008-04-12 13:36 . 2008-04-14 13:49 1,906 --a------ C:\WINDOWS\SYSTEM32\default.htm
    2008-04-12 11:47 . 2008-04-12 19:53 354 ---hs---- C:\WINDOWS\SYSTEM32\oydvnteg.ini
    2008-04-12 11:44 . 2008-04-13 11:45 101,091 --a------ C:\WINDOWS\BMbbedf69b.xml
    2008-04-12 11:44 . 2008-04-12 11:44 94,272 --a------ C:\WINDOWS\SYSTEM32\vxsawvvc.dll
    2008-04-12 11:44 . 2008-04-13 19:57 22 --a------ C:\WINDOWS\pskt.ini
    2008-04-12 11:43 . 2008-04-12 22:41 290,995 --ahs---- C:\WINDOWS\SYSTEM32\lVFgjRqr.ini2
    2008-04-12 11:43 . 2008-04-12 22:41 290,995 --ahs---- C:\WINDOWS\SYSTEM32\lVFgjRqr.ini
    2008-04-12 11:43 . 2008-04-12 11:43 87,977 --a------ C:\WINDOWS\SYSTEM32\wmsdkns.exe
    2008-04-12 11:43 . 2008-04-12 11:43 87,977 --a------ C:\WINDOWS\lfn.exe
    2008-04-12 11:43 . 2008-04-14 11:47 138 -r-hs---- C:\WINDOWS\mscon.sio
    2008-04-12 11:43 . 2008-04-12 11:43 4 --a------ C:\WINDOWS\SYSTEM32\winfrun32.bin
    2008-04-12 11:41 . 2008-04-12 11:41 28,160 --a------ C:\WINDOWS\winself.exe
    2008-04-12 11:41 . 2008-04-14 13:42 16 -r-hs---- C:\WINDOWS\conf.inf
    2008-04-12 11:41 . 2008-04-14 13:42 4 -r-hs---- C:\WINDOWS\ky.sxc
    2008-04-12 11:39 . 2008-04-14 13:36 <DIR> d-------- C:\Program Files\QdrModule
    2008-04-12 11:39 . 2008-04-12 22:43 <DIR> d-------- C:\Program Files\QdrDrive
    2008-04-12 11:39 . 2008-04-12 11:39 <DIR> d-------- C:\Program Files\ISM
    2008-04-12 11:38 . 2008-04-12 11:38 54,272 --------- C:\WINDOWS\SYSTEM32\L5A64.tmp
    2008-04-12 11:38 . 2008-04-12 11:38 36,352 --a------ C:\WINDOWS\SYSTEM32\yayaArom.dll
    2008-04-12 11:38 . 2008-04-12 11:38 397 --a------ C:\WINDOWS\SYSTEM32\L6CC3.tmp
    2008-04-12 11:38 . 2008-04-12 11:38 397 --a------ C:\WINDOWS\SYSTEM32\L6B2C.tmp
    2008-04-12 11:38 . 2008-04-12 11:38 397 --a------ C:\WINDOWS\SYSTEM32\L69D5.tmp
    2008-04-12 11:38 . 2008-04-12 11:38 397 --a------ C:\WINDOWS\SYSTEM32\L686D.tmp
    2008-04-11 12:44 . 2008-04-11 12:44 229,526 --a------ C:\WINDOWS\SYSTEM32\000080.exe
    2008-04-04 23:29 . 2008-04-04 23:29 270,694 --a------ C:\WINDOWS\SYSTEM32\000090.exe
    2008-03-30 07:02 . 2008-03-30 07:02 190,464 --a------ C:\WINDOWS\SYSTEM32\luapvs.dll
    2008-03-28 09:41 . 2008-03-28 09:41 173,563 --a------ C:\WINDOWS\SYSTEM32\msram.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-14 19:40 15,872 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe
    2008-04-14 19:38 --------- d-----w C:\Documents and Settings\mom (and guests)\Application Data\MSN6
    2008-04-14 19:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-04-14 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-04-13 21:18 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-03-07 03:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
    2008-03-07 03:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
    2008-03-07 03:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
    .

    ------- Sigcheck -------

    2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\svchost.exe
    2008-04-14 13:40 15872 bca6d9199e55023e4b3f399f6f7a0542 C:\WINDOWS\SYSTEM32\svchost.exe

    2002-08-29 04:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtUninstallKB841533$\winlogon.exe
    2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\winlogon.exe
    2004-05-26 19:38 487424 5996688f497ceec792c4803758f54f5a C:\WINDOWS\SYSTEM32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477e64a4-d947-432a-a63a-51a43913433b}]
    2008-04-13 16:45 92736 --a------ C:\WINDOWS\System32\mmfsqbby.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8EEB996-62AA-4E48-995D-EADDCAC47476}]
    2008-04-12 11:38 36352 --a------ C:\WINDOWS\system32\yayaArom.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF26FAC0-7D4E-46D8-AE64-B277B11443AC}]
    2008-03-30 07:02 190464 --a------ C:\WINDOWS\SYSTEM32\luapvs.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7CCAA14-2A53-4E76-A69B-A3F57EC89813}]
    2008-04-13 16:39 272896 --a------ C:\WINDOWS\System32\pmnmljGX.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2007-01-15 20:40 38924]
    "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [ ]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-10-12 18:13 7086080]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 04:00 13312]
    "QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [2008-04-03 07:53 364544]
    "Microsoft Windows Installer"="C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\ie.exe" [2008-04-12 11:40 183206]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
    "QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" [2008-04-04 14:17 352256]
    "ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [2008-04-14 13:41 27050]
    "autoload"="C:\Documents and Settings\mom (and guests)\cftmon.exe" [2008-04-14 13:41 40599]
    "Spoolsv"="C:\WINDOWS\System32\spoolvs.exe" [2005-08-17 23:06 9728]
    "kjwvvbhz"="C:\WINDOWS\system32\adqzaxcp.exe" [2008-04-14 13:42 90112]
    "WintelUpdate"="C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\D11.tmp.exe" [2008-04-14 13:43 0]
    "kavir"="C:\WINDOWS\kavir.exe" [2008-04-14 13:44 132608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-09-15 16:21 38912]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-09-15 16:21 38912]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-01-15 20:40 38924]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-01-15 20:40 38924]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-15 20:40 38924]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2007-09-15 16:21 38912]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2007-01-15 20:40 38924]
    "DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2007-09-15 16:21 38912]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-15 20:40 38924]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 20:22 26248]
    "b8dec507"="C:\WINDOWS\System32\lujdvdwd.dll" [2008-04-13 16:48 85568]
    "BMbbedf69b"="C:\WINDOWS\System32\atyubtoh.dll" [2008-04-13 16:39 95296]
    "ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [2008-04-14 13:41 27050]
    "autoload"="C:\Documents and Settings\mom (and guests)\cftmon.exe" [2008-04-14 13:41 40599]
    "BluetoothAuthorizationAgent"="C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe" [2008-04-14 13:40 25088]
    "ctfmona"="C:\WINDOWS\System32\ctfmona.exe" [2008-04-14 13:40 83968]
    "Printer"="C:\WINDOWS\System32\printer.exe" [2005-08-17 23:06 9728]
    "icasServ"="C:\WINDOWS\System32\icasServ.exe" [2006-04-15 13:41 13824]
    "AntiVirusPro"="C:\Program Files\AntiVirusPro\AntiVirusPro.exe" [2008-03-03 08:10 216064]
    "runner1"="C:\WINDOWS\mrofinu1854.exe" [2008-04-14 13:41 38400]
    "iSecurity applet"="iSecurity.cpl" [2008-04-14 13:42 6144 C:\WINDOWS\SYSTEM32\iSecurity.cpl]
    "antiviirus"="C:\Program Files\antiviirus.exe" [2008-04-14 13:42 21588]
    "krqlojel"="C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\cjahcb.nls WLEntryPoint" [ ]
    "advap32"="C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\load2.exe" [2008-04-14 13:42 11264]
    "cjb"="C:\Program Files\cjb\cjb8.exe" [2008-04-14 13:42 10240]
    "PromoReg"="C:\WINDOWS\System32\alt.exe.exe" [2008-04-14 13:57 336384]
    "csrss"="C:\WINDOWS\System32\wbem\csrss.exe" [2008-04-14 13:42 26112]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "tmp64003890"="cmd /Q /C C:\WINDOWS\tmp64003890.bat" [ ]

    C:\Documents and Settings\mom (and guests)\Start Menu\Programs\Startup\
    findfast.exe [2005-08-17 23:06:47 9728]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-25 22:09:43 113664]
    autorun.exe [2005-08-17 23:06:47 9728]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-15 04:31:34 806912]
    Wireless Configuration Utility HW.51.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-14 20:53:38 454656]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)
    "DisableRegistryTools"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "lcjit"= rundll32.exe "C:\WINDOWS\System32\hsredgrid.nls" WLEntryPoint
    "QjbnIox96g"= C:\Documents and Settings\All Users\Application Data\grsxeryh\czkborkb.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoControlPanel"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{A8EEB996-62AA-4E48-995D-EADDCAC47476}"= C:\WINDOWS\system32\yayaArom.dll [2008-04-12 11:38 36352]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PrxComponent"= {6ce51b2d-ec04-48e1-821a-a5506168f1cc} - C:\WINDOWS\Resources\PrxComponent.dll [2008-04-14 13:42 12838]
    "tkVwEOFhlh"= {B8DEC5A9-1274-6F03-664F-76A2A60565A6} - C:\WINDOWS\System32\pjxgz.dll [2004-06-17 11:58 32768]
    "zip"= {51b30acc-36ac-4639-982a-a62cfccfe4aa} - C:\WINDOWS\Installer\{51b30acc-36ac-4639-982a-a62cfccfe4aa}\zip.dll [2008-04-14 13:42 23338]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"="Explorer.exe C:\\WINDOWS\\shell.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nmdkjetgf]
    nmdkjetgf.dll 2008-04-14 13:42 113664 C:\WINDOWS\SYSTEM32\nmdkjetgf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaArom]
    yayaArom.dll 2008-04-12 11:38 36352 C:\WINDOWS\SYSTEM32\yayaArom.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\pmnmljGX

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a------ 2004-03-15 00:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FullAudio]
    C:\PROGRA~1\MusicNow\WMPImporter.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a--c--- 2003-06-25 11:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-01-15 20:40 38924 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2006-06-21 11:14 35328 C:\Matt's Things\Other Things\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Documents and Settings\\mom (and guests)\\Application Data\\printer.exe"=
    "C:\\WINDOWS\\System32\\printer.exe"=
    "C:\\WINDOWS\\System32\\spoolvs.exe"=
    "C:\\WINDOWS\\shell.exe"=
    "C:\\Documents and Settings\\mom (and guests)\\Start Menu\\Programs\\Startup\\findfast.exe"=
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12297:TCP"= 12297:TCP:@xpsp2res.dll,-22005
    "1204:TCP"= 1204:TCP:@xpsp2res.dll,-22005
    "60475:TCP"= 60475:TCP:@xpsp2res.dll,-22005
    "45974:TCP"= 45974:TCP:@xpsp2res.dll,-22005

    R2 MSSysInterv1;MSSysInterv;C:\WINDOWS\winself.exe service []
    S2 ICF;ICF;C:\WINDOWS\System32\svchost.exe:exe.exe []
    S3 lredbooo;lredbooo;C:\DOCUME~1\MOM(AN~1\LOCALS~1\Temp\lredbooo.sys []

    *Newly Created Service* - COMHOST
    *Newly Created Service* - GYRKKVKE
    *Newly Created Service* - OVM51
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-14 01:56:48 C:\WINDOWS\Tasks\Calculator.job"
    - C:\WINDOWS\SYSTEM32\CALC.EXE
    "2008-04-14 12:42:41 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - mom (and guests).job"
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-14 13:49:28
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\svchost.ex_:exe.exe 28160 bytes executable
    IPC error: 109 The pipe has been ended.
    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ICF]
    "ImagePath"="C:\WINDOWS\System32\svchost.exe:exe.exe"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ovm51]


    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gyrkkvke]
    "ImagePath"="system32\drivers\kqmgzzkv.dat"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\yayaArom.dll
    -> C:\WINDOWS\System32\khfGwTmk.dll

    PROCESS: C:\WINDOWS\system32\lsass.exe
    -> C:\WINDOWS\System32\pmnmljGX.dll

    PROCESS: C:\WINDOWS\Explorer.exe
    -> C:\WINDOWS\System32\pmnmljGX.dll
    -> C:\WINDOWS\System32\lujdvdwd.dll
    -> C:\WINDOWS\system32\yayaArom.dll

    PROCESS: C:\WINDOWS\system32\csrss.exe
    PROCESS: C:\WINDOWS\System32\wbem\csrss.exe
    -> C:\WINDOWS\System32\lujdvdwd.dll
    .
    Completion time: 2008-04-14 14:00:13
    ComboFix-quarantined-files.txt 2008-04-14 19:59:08
    ComboFix2.txt 2007-08-10 21:27:50

    Pre-Run: 2,467,196,928 bytes free
    Post-Run: 2,507,964,416 bytes free
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You still have a lot of baddies there!

    Click here to download Dr.Web CureIt and save it to your desktop.
    • Double-click the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click the next icon next to the files found (see image).
    • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image.
      This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.
     
  8. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    I will try to do this soon! However, the computer is pretty congested with various windows now, including one full screen, and I'm having trouble getting things done. I'm sending this from a 2nd computer. It wasn't too bad before I turned off Norton and began Combofix but has gone way downhill since. Now I am rebooting and will send you the results from Dr. Web CureIt. Many warnings appear now on reboot - rundll, load zip, arrgh!
     
  9. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    OK now I'm scared.
    After starting Dr.Web CureIt, the screen went blue with the message, "a problem has been detected and windows has been shut down to prevent damage to your computer. .... remove any new programs, etc ... if this is the first time you've seen the stop error screen- restart...." So that is what I'm doing. Help!!
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    OK, let me go through the ComboFix log. There is just so much it may take me a while...
     
  11. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    I rebooted and tried Dr. W Cure It again - same blue screen... I will be patient, Thank You!!
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download SDFix and save it to your Desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the Internet.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • Open the c:\SDFix folder and double click RunThis.cmd to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
     
  13. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Thanks for hanging with me!! ... this has become very difficult! (and upsetting)
    I am attempting to run SDFix but am having trouble getting the computer to respond properly through all the attacks. I finally got smart and disconnected it from the Internet. Will send the results as soon as I can! Am rebooting now..
     
  14. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    I am in safe mode, and looking for the RunThis.cmd file. It is not in the SDFix folder that was extracted from the download. There is a batch file called RunThis.bat, and clicking it opens the DOS prompt window with a blinking cursor, but I can't type anything in the box. Not even Exit. At the top of the window is C:\Windows\System32\cmd.exe. There is also a file in the SDFix folder called Catchme.exe - seems suspicious...

    Sorta stuck here, please advise.
     
  15. yettz

    yettz Thread Starter

    Joined:
    May 6, 2007
    Messages:
    60
    Check that, started whole process over and the program seems to be running now...
     
Short URL to this thread: https://techguy.org/703536