
Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com"

  #1 (permalink)  
Old 09-12-2007, 09:51 AM
Newbie
D-A-L Newbie
 
Join Date: Dec 2005
Posts: 17
ahon371 Is a beginner here at D-A-L

Dear D-A-L,

My computer is infected by a virus called MFC32DLL.dll.vbs. I was actually using my friend's computer and never realized he has no anti-virus program installed. Now the IE bar keeps stating "Hacked by GNUlihd@gmail.com", so I followed your instructions, ran SpyBot and installed AVG: one virus called MFC32DLL.dll.vbs is in my virus vault and eight other Trojan horses were discovered: baxevr36.dll, baxevr36.sys, nowpuk95.dll, nowpuk95.sys, winlibe.dll, 58484.sys, tmp9.CAB, patch03.dll, and folder.exe. I have noticed that each time I try to open my C drive, it denies me by stating "Can not find script file "C:\MFC32DLL.dll.vbs"", and every IE bar states "Hacked by GNUlihd@gmail.com". I feel sorry for my friend. Please help me; it will be very much appreciated.

Here is my HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:12 p.m., on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\vsnpmi03.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://seek.3721.com/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.yisou.com/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by GNUlihd@gmail.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WinSearch - {27E96DE0-8211-42CF-9A1E-FA6246A95B77} - C:\WINDOWS\system32\winsearch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DragSearch BHO - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SNPMI03] C:\WINDOWS\vsnpmi03.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [eMuleAutoStart] C:\emule\eMule.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: VeryCD搜索 - C:\Program Files\YOK.com\SuperSearch\yoksch.htm
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm...&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=http://www.taobao.com/vertical/mall/pro.php?allyesPara=816 (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm...ns&btn=yassist (file missing)
O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm...s&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=repair (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm...=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm...=cns&btn=clean (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [!CNS] Chinese keywords
O14 - IERESET.INF: START_PAGE_URL=http://www.qmb.co.nz
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRD.../heartbeat.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 10519 bytes

And my uninstall list:
ABBYY FineReader 5.0 Sprint
Adobe Flash Player ActiveX
Adobe InDesign 2.0.2
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.9
Adobe SVG Viewer 3.0
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HydraVision
AVG 7.5
Canon Camera Window for ZoomBrowser EX
Canon IXY 320, PowerShot S230, IXUS v3 WIA Driver
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Chinese keywords
FaxTools
Google Desktop
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intense Language Office
Internet Explorer Q903235
iPod for Windows 2005-06-26
iPod Updater 2004-08-06
iPod Updater 2004-11-15
iTunes
Java 2 Platform, Enterprise Edition 1.4 SDK
Java(TM) 6 Update 2
Lexmark X1100 Series
MadOnion.com/3DMark2001 SE
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSN Gaming Zone
Nero OEM
OneCare Advisor (Windows Live Toolbar)
PCI Fax Modem
Picture Organiser
Popup Blocker (Windows Live Toolbar)
PowerDVD
QuickTime
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Smart Menus (Windows Live Toolbar)
Spybot - Search & Destroy
Thomas & Friends - The Great Festival Adventure
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoCAM NB 300
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinSearch
Yahoo! Install Manager
Yahoo! Toolbar

Thanks for your regard.
  #2 (permalink)  
Old 10-12-2007, 02:01 AM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com"

Welcome,

You or they have a serious Chinese infection, it appears.



I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
  1. Run Spybot-S&D
  2. Go to the Mode menu, and make sure "Advanced Mode" is selected
  3. On the left hand side, choose Tools -> Resident
  4. Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.



1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

Click on:

Chinese keywords


Click on Delete this entry

Reboot your computer.


Do the same for this:

Winsearch



If you have previously downloaded ComboFix, please delete that version now.

Now download COMBOFIX and save to your desktop:

Note:

It is IMPORTANT that it is saved directly to your desktop

Close any open browsers.

Disconnect from the Internet.

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouseclick combofix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

*Note*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.





I need you to post a new log single spaced as it makes things easier to read:

To remove the double spacing in your log, please do the following:
  • Please go to Start >> Run... and type notepad.exe
  • Hit OK.
  • Now go to Format and uncheck WordWrap.
  • Close Notepad.
  • Then post a new HijackThis log.
__________________
Stalking and killing Spyware

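Neal's diagnosis above rests on reading the HijackThis entries themselves: the 3721/CnsMin autostarts loaded through rundll32, the overridden IE window title, the unknown Winsock LSP. The following is an added Python example, not a D-A-L or HijackThis tool, that first rejoins a forum-wrapped log (the double-spacing problem Neal asks to have fixed) and then applies a few defender heuristics to such entries; the sample lines are constructed from the log posted above, and the rules and severities are assumptions about what deserves a closer look, not verdicts on any file.

```python
"""Triage of HijackThis 2.x log entries (added example; not D-A-L's or HijackThis's code).

Two steps: rejoin entries that forum software wrapped across lines, then apply a
few defender heuristics. The rules and severities are assumptions, not verdicts.
"""
import re
from urllib.parse import urlparse

# Every HijackThis entry starts with a section tag such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - ")
# Hosts HijackThis itself reports as the Microsoft defaults for start/search pages.
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com"}
# "rundll32.exe <some.dll>,<export>" as an autostart: a DLL being run as a program.
RUNDLL32 = re.compile(r"rundll32(?:\.exe)?\s+(.+?\.dll),", re.IGNORECASE)

# Constructed sample: entries in the shape of the log posted above, including
# three that the forum wrapped with a blank line in between.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://seek.3721.com/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by

GNUlihd@gmail.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721

\helper.dll,Rundll32
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""


def rejoin_entries(text):
    """Glue wrapped fragments back onto the entry they belong to.

    A non-blank line that does not start with a section tag is the tail of the
    previous entry. A path fragment beginning with a backslash is joined
    directly; anything else gets back the space the wrap removed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        elif line.startswith("\\") or entries[-1].endswith("\\"):
            entries[-1] += line
        else:
            entries[-1] += " " + line
    return entries


def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def triage(entries):
    """Return (severity, reason, entry) for each entry worth a closer look."""
    findings = []
    for e in entries:
        tag = e.split(" - ", 1)[0]
        low = e.lower()
        if tag in ("R0", "R1") and ",window title =" in low:
            findings.append(("high", "IE window title overridden", e))
        elif tag in ("R0", "R1") and "http" in low:
            host = _host(e.partition("=")[2].strip())
            if host and host not in DEFAULT_HOSTS:
                findings.append(("review", f"non-default start/search page: {host}", e))
        elif tag == "O4" and RUNDLL32.search(e):
            dll = RUNDLL32.search(e).group(1)
            findings.append(("high", f"autostart loads a DLL via rundll32: {dll}", e))
        elif tag in ("O2", "O3", "O9") and ("(no file)" in low or "(file missing)" in low):
            findings.append(("low", "orphaned entry, target file missing", e))
        elif tag in ("O2", "O3", "O4") and "downlo~1" in low:
            findings.append(("high", "component runs from Downloaded Program Files", e))
        elif tag == "O10":
            findings.append(("review", "unknown Winsock LSP, verify the publisher", e))
        elif tag == "O20":
            findings.append(("review", "AppInit_DLLs injects into every GUI process", e))
    return findings


def severity_counts(findings):
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, reason, entry in triage(rejoin_entries(SAMPLE_LOG)):
        print(f"[{sev:6}] {reason}\n         {entry}")
```

Entries flagged "review" (the Google AppInit DLL, the NetWare LSP) are legitimate on many machines; the point of the tiering is to separate what must be checked from what is already a clear hijack.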
  #3 (permalink)  
Old 10-12-2007, 06:41 AM
Newbie
D-A-L Newbie
 
Join Date: Dec 2005
Posts: 17
ahon371 Is a beginner here at D-A-L
Re: Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com"

Dear Neal,

Thanks for your help. After running ComboFix, I was able to get rid of the IE heading "Hacked By GNUlihd@gmail.com", and I am able to open my C drive now. I unchecked WordWrap, so it should be single spaced now; here are my ComboFix log and HijackThis log. Thanks very much.

ComboFix Log:
ComboFix 07-12-09.1 - user 2007-12-11 18:00:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.199 [GMT 13:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\JHHW8XJY\www.inter-focus.cn
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\#SharedObjects\JHHW8XJY\www.inter-focus.cn\tt_flashad.swf\IFFLASHAD.sol
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\08AV5I8U\CnsMinCgM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\08AV5I8U\CnsMinCgM[2].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\08AV5I8U\CnsMinExM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\08AV5I8U\CnsMinExM[2].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\08AV5I8U\CnsMinExM[3].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\08AV5I8U\CnsMinM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\08AV5I8U\CnsMinM[2].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\2XYU3TME\CnsMinCgM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\A2EVOJOM\CnsMinCgM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\A2EVOJOM\CnsMinExM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AG5ZPVA5\CnsMinCgM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AG5ZPVA5\CnsMinM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\E9CXNXJF\CnsMinExM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\E9CXNXJF\CnsMinM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\JDOJIDA2\CnsMinM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\R9SMPC29\CnsMinExM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\R9SMPC29\CnsMinM[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\SFRGJF8G\CnsMinExM[1].htm
C:\Program Files\3721\3721\AutoLive.dll
C:\Program Files\3721\adsl.cab
C:\Program Files\3721\alliveex.dll
C:\Program Files\3721\alrex.dll
C:\Program Files\3721\autolive.dll
C:\Program Files\3721\autolive.ini
C:\Program Files\3721\autolvsw.ini
C:\Program Files\3721\cns01.dat
C:\Program Files\3721\cns03.dat
C:\Program Files\3721\cnsm.dll
C:\Program Files\3721\CNSMIN.DAT
C:\Program Files\3721\helper.dll
C:\Program Files\3721\notifier.dll
C:\Program Files\3721\patch05.dll
C:\Program Files\3721\patch06.dll
C:\Program Files\3721\scrblock.dll
C:\Program Files\3721\windex.dat
C:\Program Files\3721\winhex.dat
C:\WINDOWS\Downloaded Program Files.\3721\cns02.dat
C:\WINDOWS\Downloaded Program Files.\3721\CnsMin.dll
C:\WINDOWS\Downloaded Program Files.\3721\CnsMin.inf
C:\WINDOWS\Downloaded Program Files.\3721\ListInfo.dat
C:\WINDOWS\Downloaded Program Files.\keepmain.dll
C:\WINDOWS\Downloaded Program Files.\keepmainm.cab
C:\WINDOWS\Downloaded Program Files.\sms.ico
C:\WINDOWS\Downloaded Program Files.\taobao.ico
C:\WINDOWS\Downloaded Program Files.\yahoomsg.ico
C:\WINDOWS\Downloaded Program Files.\ymail.ico
C:\WINDOWS\Downloaded Program Files\3721\cns02.dat
C:\WINDOWS\Downloaded Program Files\3721\CnsMin.dll
C:\WINDOWS\Downloaded Program Files\3721\CnsMin.inf
C:\WINDOWS\Downloaded Program Files\3721\ListInfo.dat
C:\WINDOWS\Downloaded Program Files\CnsHint.cab
C:\WINDOWS\Downloaded Program Files\cnshint.dll
C:\WINDOWS\Downloaded Program Files\CnsHook.dll
C:\WINDOWS\Downloaded Program Files\CnsHook.dll.1.log
C:\WINDOWS\Downloaded Program Files\CnsHook.dll.2.log
C:\WINDOWS\Downloaded Program Files\cnsio.dll
C:\WINDOWS\Downloaded Program Files\CnsMin.dll
C:\WINDOWS\Downloaded Program Files\CnsMin.ini
C:\WINDOWS\Downloaded Program Files\CnsMinAL.cab
C:\WINDOWS\Downloaded Program Files\CnsMinCg.ini
C:\WINDOWS\Downloaded Program Files\CnsMinDT.cab
C:\WINDOWS\Downloaded Program Files\CnsMinDT.dll
C:\WINDOWS\Downloaded Program Files\CnsMinEx.cab
C:\WINDOWS\Downloaded Program Files\CnsMinEx.dll
C:\WINDOWS\Downloaded Program Files\CnsMinEx.ini
C:\WINDOWS\Downloaded Program Files\CnsMinHK.cab
C:\WINDOWS\Downloaded Program Files\CnsMinIO.cab
C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll
C:\WINDOWS\Downloaded Program Files\CnsMinUp.cab
C:\WINDOWS\Downloaded Program Files\CnsPlus.cab
C:\WINDOWS\Downloaded Program Files\cnsplus.dll
C:\WINDOWS\Downloaded Program Files\CnsUp.ini
C:\WINDOWS\MFC32DLL.dll.vbs
C:\WINDOWS\system32\cns.dat
C:\WINDOWS\system32\cns.dll
C:\WINDOWS\system32\cns.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CNSMINKP
-------\CnsMinKP


((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-10 13:10 . 2007-12-11 16:00 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
2007-12-10 13:10 . 2007-12-10 13:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-10 13:09 . 2007-12-10 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-10 13:09 . 2007-12-10 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-10 13:07 . 2007-12-10 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 22:21 . 2007-12-09 22:21 <DIR> d-------- C:\Documents and Settings\user\Incomplete
2007-12-09 22:21 . 2007-12-10 00:05 <DIR> d-------- C:\Documents and Settings\user\Application Data\LimeWire
2007-12-09 22:20 . 2007-12-09 22:20 <DIR> d-------- C:\Program Files\Java
2007-12-09 22:20 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-09 22:19 . 2007-12-09 22:19 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-09 17:52 . 2007-12-09 17:52 244 --ah----- C:\sqmnoopt02.sqm
2007-12-09 17:52 . 2007-12-09 17:52 232 --ah----- C:\sqmdata02.sqm
2007-12-09 09:44 . 2007-12-09 09:44 62,464 --a------ C:\WINDOWS\system32\drivers\phldn.sys
2007-12-01 16:47 . 2007-12-01 16:47 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-16 15:22 . 2007-11-16 15:22 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 03:48 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-15 21:37 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-11-15 21:09 155 ----a-w C:\start.bat
2004-10-11 07:46 205,312 ----a-w C:\Program Files\ltefx13n.dll
2004-01-19 02:31 153,600 ----a-w C:\Program Files\ltfil13n.DLL
2004-01-19 01:31 27,648 ----a-w C:\Program Files\lfiff13n.dll
2004-01-19 01:31 20,480 ----a-w C:\Program Files\lfCUT13n.dll
2004-01-19 00:31 453,120 ----a-w C:\Program Files\ltkrn13n.dll
2004-01-19 00:12 89,600 ----a-w C:\Program Files\Lfcgm13n.dll
2004-01-18 23:49 278,016 ----a-w C:\Program Files\LFJ2K13n.dll
2004-01-18 23:49 180,736 ----a-w C:\Program Files\Lfpng13n.dll
2004-01-18 23:47 76,800 ----a-w C:\Program Files\Lfwmf13n.dll
2004-01-18 23:47 509,440 ----a-w C:\Program Files\LFCMW13n.dll
2004-01-18 23:45 420,352 ----a-w C:\Program Files\LFCMP13n.DLL
2004-01-18 23:44 143,872 ----a-w C:\Program Files\lftif13n.dll
2004-01-18 23:36 65,536 ----a-w C:\Program Files\Lfpct13n.dll
2004-01-18 23:36 56,832 ----a-w C:\Program Files\lfpsd13n.dll
2004-01-18 23:36 26,624 ----a-w C:\Program Files\lfpcx13n.dll
2004-01-18 23:36 19,968 ----a-w C:\Program Files\lfpcd13n.dll
2004-01-18 23:36 18,944 ----a-w C:\Program Files\lfmsp13n.dll
2004-01-18 23:35 20,992 ----a-w C:\Program Files\lfimg13n.dll
2004-01-18 23:35 18,944 ----a-w C:\Program Files\lfmac13n.dll
2004-01-18 23:34 31,744 ----a-w C:\Program Files\lfclp13n.dll
2004-01-18 23:34 30,208 ----a-w C:\Program Files\lfbmp13n.dll
2004-01-18 23:33 444,928 ----a-w C:\Program Files\ltimg13n.dll
2004-01-18 23:32 265,216 ----a-w C:\Program Files\LTDIS13n.dll
2000-05-01 16:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
1999-11-18 11:00 284,032 ----a-w C:\Program Files\XceedZip.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27E96DE0-8211-42CF-9A1E-FA6246A95B77}]
2007-02-05 13:20 159744 --a------ C:\WINDOWS\system32\winsearch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"ILO_Office_Manager"="IntEdReg.exe" [2002-10-15 12:30 C:\WINDOWS\system32\intedreg.exe]
"eMuleAutoStart"="C:\emule\eMule.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 21:31 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10]
"SMSERIAL"="sm56hlpr.exe" [2004-01-28 23:42 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 15:50]
"SNPMI03"="C:\WINDOWS\vsnpmi03.exe" [2003-08-08 14:58]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 03:43]
"Intense Registry Service"="IntEdReg.exe" [2002-10-15 12:30 C:\WINDOWS\system32\intedreg.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 10:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 13:45]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-23 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-10 13:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-10 13:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R2 CnsStd;CnsStd;C:\WINDOWS\system32\drivers\CnsStd.sys
R3 snpmi03;VideoCAM NB 300;C:\WINDOWS\system32\DRIVERS\snpmi03.sys
S3 baxevr36;baxevr36;\??\C:\WINDOWS\system32\drivers\baxevr36.sys
S3 krdpdre;krdpdre;\??\C:\DOCUME~1\user\LOCALS~1\Temp\krdpdre.sys
S3 nowpuk95;nowpuk95;\??\C:\WINDOWS\system32\drivers\nowpuk95.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-06-04 01:23:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-11 04:49:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 18:06:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 18:07:43 - machine was rebooted
.
--- E O F ---

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:55 p.m., on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\vsnpmi03.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WinSearch - {27E96DE0-8211-42CF-9A1E-FA6246A95B77} - C:\WINDOWS\system32\winsearch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SNPMI03] C:\WINDOWS\vsnpmi03.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [eMuleAutoStart] C:\emule\eMule.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: VeryCD搜索 - C:\Program Files\YOK.com\SuperSearch\yoksch.htm
O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.qmb.co.nz
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRD.../heartbeat.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Thanks for your regards again.
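For anyone reading a HijackThis log like the one above, here is a first-pass triage helper. It is an added example for this thread, not part of the original post and not a HijackThis feature. It parses the "Onn - " entry lines and reports only what the log itself says: O2/O3/O9 entries whose file is gone ("(no file)", "(file missing)"), O4 Run values that name a bare executable instead of a full path (the log alone cannot tell you which file on the search path actually runs), Winsock LSP entries HijackThis could not identify, and AppInit_DLLs entries. The sample log is a handful of lines copied from the log above; the function names parse_hjt and triage are chosen here.

```python
"""Triage helper for a HijackThis v2 log.

Added example for this thread; it is not part of the original post and not a
HijackThis feature. It parses the "Onn - " entry lines and reports the kinds
of entry a reviewer looks at first, using only what the log itself says.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Entry(NamedTuple):
    kind: str  # "R0", "O2", "O4", ...
    body: str  # everything after "Onn - "


ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# O4 bodies look like: HKLM\..\Run: [Name] command args
RUN_RE = re.compile(r"^(?P<where>.*?\\\.\.\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text: str) -> list[Entry]:
    """Return every entry line as (kind, body); the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def triage(text: str) -> list[tuple[str, str]]:
    """Return (reason, entry body) pairs for entries worth a second look.

    Rules, deliberately conservative:
    - O2/O3/O9 entries whose file is gone ("(no file)", "(file missing)") are
      dead registrations; nothing runs from them, but they are clutter to fix,
    - O4 Run values naming a bare executable rather than a full path are
      resolved through the search path, so the log alone does not show which
      file really runs: verify on disk before trusting the vendor name,
    - O10 Winsock LSP entries HijackThis could not identify,
    - O20 AppInit_DLLs entries, which are loaded into every process that maps user32.dll.
    """
    findings = []
    for e in parse_hjt(text):
        if e.kind in ("O2", "O3", "O9") and ("(no file)" in e.body or "(file missing)" in e.body):
            findings.append(("orphaned entry, file not on disk", e.body))
        elif e.kind == "O4":
            m = RUN_RE.match(e.body)
            if m:
                cmd = m.group("cmd").strip().strip('"')
                if not DRIVE_RE.match(cmd):
                    findings.append(("Run value without an absolute path", e.body))
        elif e.kind == "O10" and "Unknown" in e.body:
            findings.append(("Winsock LSP not identified", e.body))
        elif e.kind == "O20" and "AppInit_DLLs" in e.body:
            findings.append(("AppInit_DLLs entry, loaded into every GUI process", e.body))
    return findings


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: WinSearch - {27E96DE0-8211-42CF-9A1E-FA6246A95B77} - C:\WINDOWS\system32\winsearch.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for reason, body in triage(SAMPLE_LOG):
        print(f"[{reason}] {body}")
```

Run as a script it prints one line per flagged entry; on the sample it flags the orphaned BHO and button, the two bare-filename Run values, the unidentified LSP and the AppInit_DLLs entry, and says nothing about entries that simply point at a file that exists, which still need a human (or a known-good list) to judge.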
#4
Old 10-12-2007, 07:52 PM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com

Now reboot into safe mode (without networking support) by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press enter.

Run HijackThis, click on the "scan system only" button and put checks next to these:

O2 - BHO: WinSearch - {27E96DE0-8211-42CF-9A1E-FA6246A95B77} - C:\WINDOWS\system32\winsearch.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O8 - Extra context menu item: VeryCD搜索 - C:\Program Files\YOK.com\SuperSearch\yoksch.htm

O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)

Please disconnect from the Internet. Please close ALL browser windows (including this one).

With everything closed out but HijackThis, click on "fix checked".

Still in safe mode:

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):

DELETE FOLDERS

C:\Program Files\YOK.com\SuperSearch

Reboot your PC and connect back to the Internet.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit.exe file and allow it to run the express scan.
* This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look whether you can click the next icon next to the files found:

* If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
* After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
* Save the report to your desktop. The report will be called DrWeb.csv.
* Close Dr.Web CureIt.
* Reboot your computer!! It could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.

A new HijackThis log also please, and a new ComboFix log. Thanks.

I need:

Dr.Web CureIt log
ComboFix log
HijackThis log

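Once the DrWeb.csv report Neal asks for has been saved, it reads more easily as a summary than as raw rows. The following is an added example for this thread, not part of Neal's post and not a Dr.Web tool. It assumes each row of the saved report has the form file;directory;threat;action; (the shape of the report posted further down in this thread, from which the sample rows are copied, with the forum's line-wrap spaces removed). It sorts hits into three groups: files in a live location, copies that other tools had already quarantined (ComboFix's qoobox folder, AVG's vault, HijackThis backups, Spybot snapshots), and copies inside System Restore points, which only return if that restore point is used. The function names parse_report, family, classify, live_hits and summarise are chosen here.

```python
"""Summarise a Dr.Web CureIt report such as the DrWeb.csv Neal asks for.

Added example for this thread; it is not part of the original post and not a
Dr.Web tool. Assumption: each row of the saved report is
    file;directory;threat;action;
which is the shape of the report posted further down in the thread.
"""
from __future__ import annotations

import csv
from collections import Counter
from io import StringIO
from typing import NamedTuple


class Row(NamedTuple):
    name: str
    directory: str
    threat: str
    action: str


# Directories where another tool has already parked a copy: a hit there is a
# quarantined sample (ComboFix, AVG vault, HijackThis backups, Spybot snapshots),
# not a file the running system can still load. Markers are lower-case because
# classify() lower-cases the directory before matching.
QUARANTINE_MARKERS = (
    "\\qoobox\\quarantine",
    "$vault$.avg",
    "\\hijackthis\\backups",
    "spybot - search & destroy\\snapshots",
)
# System Restore keeps its own copies of replaced files; they come back only if
# that restore point is used, so they are reported separately from live hits.
RESTORE_MARKER = "\\system volume information\\_restore"


def parse_report(text: str) -> list[Row]:
    """Parse the semicolon-separated report; blank and short rows are skipped."""
    rows = []
    for rec in csv.reader(StringIO(text), delimiter=";"):
        if len(rec) < 4 or not rec[0].strip():
            continue
        rows.append(Row(*(field.strip() for field in rec[:4])))
    return rows


def family(threat: str) -> str:
    """'Trojan.PWS.Banker.6520' -> 'Trojan.PWS.Banker'; a trailing variant number is dropped."""
    parts = threat.split(".")
    if len(parts) > 1 and parts[-1].isdigit():
        parts = parts[:-1]
    return ".".join(parts)


def classify(row: Row) -> str:
    d = row.directory.lower()
    if RESTORE_MARKER in d:
        return "restore point"
    if any(marker in d for marker in QUARANTINE_MARKERS):
        return "already quarantined"
    return "live location"


def live_hits(text: str) -> list[Row]:
    """Rows outside quarantine folders and restore points: the ones to act on first."""
    return [r for r in parse_report(text) if classify(r) == "live location"]


def summarise(text: str) -> dict:
    rows = parse_report(text)
    return {
        "total": len(rows),
        "by_location": Counter(classify(r) for r in rows),
        "by_action": Counter(r.action for r in rows),
        "families": Counter(family(r.threat) for r in rows),
    }


# Constructed sample: a handful of rows copied from the report posted in this
# thread (with the forum's line-wrapping spaces removed).
SAMPLE_REPORT = r"""cnsstd.sys;c:\windows\system32\drivers;Trojan.NtRootKit.442;Deleted.;
12850812.FIL;C:\$VAULT$.AVG;Trojan.PWS.Banker.6520;Deleted.;
12851531.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.14937;Deleted.;
alliveex.dll.vir;C:\qoobox\Quarantine\C\Program Files\3721;Adware.Cdn;Deleted.;
MFC32DLL.dll.vbs.vir;C:\qoobox\Quarantine\C\WINDOWS;VBS.Generic.544;Deleted.;
A0090372.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP645;Adware.Newweb.origin;Invalid path to file ;
A0090381.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP645;Trojan.PWS.Banker.6520;Deleted.;
A0091519.sys;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Trojan.NtRootKit.377;Deleted.;
"""

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_REPORT).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    for row in live_hits(SAMPLE_REPORT):
        print("still live:", row.directory + "\\" + row.name, row.threat, row.action)
```

Run as a script it prints the counts and then the live-location rows; on the sample that is the single driver in system32\drivers, while the rest are copies other tools had already set aside or System Restore snapshots. Rows whose action is not "Deleted." (here "Invalid path to file") are the ones the scanner could not handle and are worth a second look.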
#5
Old 11-12-2007, 10:20 AM
ahon371
D-A-L Newbie
Join Date: Dec 2005
Posts: 17
Re: Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com

Dear Neal,

Thanks for your help once again.
After scanning my computer with Dr.Web CureIt, I couldn't find any next icon.
But here is my CureIt log, ComboFix log and HijackThis log.

Dr.Web CureIt Log:
cnsstd.sys;c:\windows\system32\drivers;Trojan.NtRootKit.442;Deleted.;
12850812.FIL;C:\$VAULT$.AVG;Trojan.PWS.Banker.6520;Deleted.;
12851531.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.14937;Deleted.;
12852265.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.14462;Deleted.;
12852875.FIL;C:\$VAULT$.AVG;Trojan.Spambot.2398;Deleted.;
12853796.FIL;C:\$VAULT$.AVG;Adware.Cdn;Deleted.;
12854421.FIL;C:\$VAULT$.AVG;Trojan.StartPage.1672;Deleted.;
RegUBP2b-user.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
backup-20071212-193237-716.dll;C:\Program Files\HijackThis\backups;Adware.Baidu.origin;Deleted.;
alliveex.dll.vir;C:\qoobox\Quarantine\C\Program Files\3721;Adware.Cdn;Deleted.;
alrex.dll.vir;C:\qoobox\Quarantine\C\Program Files\3721;Adware.Cdn;Deleted.;
autolive.dll.vir;C:\qoobox\Quarantine\C\Program Files\3721;Adware.Newweb.origin;Deleted.;
cnsm.dll.vir;C:\qoobox\Quarantine\C\Program Files\3721;Adware.Cdn.origin;Deleted.;
scrblock.dll.vir;C:\qoobox\Quarantine\C\Program Files\3721;Adware.Cdn;Deleted.;
AutoLive.dll.vir;C:\qoobox\Quarantine\C\Program Files\3721\3721;Adware.Newweb.origin;Deleted.;
MFC32DLL.dll.vbs.vir;C:\qoobox\Quarantine\C\WINDOWS;VBS.Generic.544;Deleted.;
CnsMinEx.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files;Adware.Cdn;Deleted.;
A0090372.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP645;Adware.Newweb.origin;Invalid path to file ;
A0090381.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP645;Trojan.PWS.Banker.6520;Deleted.;
A0090386.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP645;Adware.Newweb.origin;Invalid path to file ;
A0091404.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP645;Trojan.PWS.Banker.6520;Deleted.;
A0091409.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP645;Adware.Newweb.origin;Invalid path to file ;
A0091425.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP645;Trojan.PWS.Banker.6520;Deleted.;
A0091430.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP645;Adware.Newweb.origin;Invalid path to file ;
A0091452.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP646;Trojan.PWS.Banker.6520;Deleted.;
A0091457.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP646;Adware.Newweb.origin;Invalid path to file ;
A0091473.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP646;Trojan.PWS.Banker.6520;Deleted.;
A0091478.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP646;Adware.Newweb.origin;Invalid path to file ;
A0091498.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP646;Adware.Newweb.origin;Invalid path to file ;
A0091513.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Trojan.PWS.Banker.6520;Deleted.;
A0091518.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Adware.Newweb.origin;Invalid path to file ;
A0091519.sys;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Trojan.NtRootKit.377;Deleted.;
A0091536.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Trojan.PWS.Banker.6520;Deleted.;
A0091540.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Adware.Newweb.origin;Invalid path to file ;
A0091555.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Trojan.PWS.Banker.6520;Deleted.;
A0091559.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Adware.Newweb.origin;Invalid path to file ;
A0091574.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Trojan.PWS.Banker.6520;Deleted.;
A0091579.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Adware.Newweb.origin;Invalid path to file ;
A0091595.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Trojan.PWS.Banker.6520;Deleted.;
A0091613.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Trojan.PWS.Banker.6520;Deleted.;
A0091618.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP647;Adware.Newweb.origin;Invalid path to file ;
A0091636.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP648;Trojan.PWS.Banker.6520;Deleted.;
A0091641.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP648;Adware.Newweb.origin;Invalid path to file ;
A0091653.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP649;Adware.Newweb.origin;Invalid path to file ;
A0091659.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP649;Trojan.PWS.Banker.6520;Deleted.;
A0091664.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP649;Adware.Newweb.origin;Invalid path to file ;
A0092659.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP649;Trojan.PWS.Banker.6520;Deleted.;
A0092668.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP649;Trojan.PWS.Banker.6520;Deleted.;
A0092687.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP649;Trojan.PWS.Banker.6520;Deleted.;
A0092692.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP649;Adware.Newweb.origin;Invalid path to file ;
A0092708.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP649;Trojan.PWS.Banker.6520;Deleted.;
A0092726.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Trojan.PWS.Banker.6520;Deleted.;
A0092731.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Adware.Newweb.origin;Invalid path to file ;
A0092749.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Trojan.PWS.Banker.6520;Deleted.;
A0092754.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Adware.Newweb.origin;Invalid path to file ;
A0092770.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Trojan.PWS.Banker.6520;Deleted.;
A0092775.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Adware.Newweb.origin;Invalid path to file ;
A0092792.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Trojan.PWS.Banker.6520;Deleted.;
A0092797.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Adware.Newweb.origin;Invalid path to file ;
A0092815.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Trojan.PWS.Banker.6520;Deleted.;
A0092819.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP650;Adware.Newweb.origin;Invalid path to file ;
A0092834.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP651;Trojan.PWS.Banker.6520;Deleted.;
A0092850.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP651;Adware.Newweb.origin;Invalid path to file ;
A0092854.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP652;Adware.Newweb.origin;Invalid path to file ;
A0092924.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP653;Adware.Newweb.origin;Invalid path to file ;
A0092973.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP653;Trojan.PWS.Banker.6520;Deleted.;
A0092978.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP653;Adware.Newweb.origin;Invalid path to file ;
A0092993.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP653;Trojan.PWS.Banker.6520;Deleted.;
A0092998.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP653;Adware.Newweb.origin;Invalid path to file ;
A0093030.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093046.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093055.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093060.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093077.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093082.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093100.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093114.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093121.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093126.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093146.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093163.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093169.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093186.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093201.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093209.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093213.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093252.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093268.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093273.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093290.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Trojan.PWS.Banker.6520;Deleted.;
A0093295.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP654;Adware.Newweb.origin;Invalid path to file ;
A0093322.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Adware.Newweb.origin;Invalid path to file ;
A0093340.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Trojan.PWS.Banker.6520;Deleted.;
A0093345.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Adware.Newweb.origin;Invalid path to file ;
A0093362.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Trojan.PWS.Banker.6520;Deleted.;
A0093381.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Trojan.PWS.Banker.6520;Deleted.;
A0093386.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Adware.Newweb.origin;Invalid path to file ;
A0093402.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Trojan.PWS.Banker.6520;Deleted.;
A0093406.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Adware.Newweb.origin;Invalid path to file ;
A0093423.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Trojan.PWS.Banker.6520;Deleted.;
A0093428.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Adware.Newweb.origin;Invalid path to file ;
A0093445.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Trojan.PWS.Banker.6520;Deleted.;
A0093450.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP655;Adware.Newweb.origin;Invalid path to file ;
A0093485.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP656;Adware.Newweb.origin;Invalid path to file ;
A0093493.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP656;Trojan.PWS.Banker.6520;Deleted.;
A0093498.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP656;Adware.Newweb.origin;Invalid path to file ;
A0093522.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP657;Trojan.PWS.Banker.6520;Deleted.;
A0093547.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP658;Trojan.PWS.Banker.6520;Deleted.;
A0093565.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP658;Trojan.PWS.Banker.6520;Deleted.;
A0093570.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP658;Adware.Newweb.origin;Invalid path to file ;
A0093665.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP660;Adware.Newweb.origin;Invalid path to file ;
A0093683.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP660;Trojan.PWS.Banker.6520;Deleted.;
A0093688.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP660;Adware.Newweb.origin;Invalid path to file ;
A0093710.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP661;Trojan.PWS.Banker.6520;Deleted.;
A0093724.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP661;Adware.Newweb.origin;Invalid path to file ;
A0093731.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP661;Trojan.PWS.Banker.6520;Deleted.;
A0093735.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP661;Adware.Newweb.origin;Invalid path to file ;
A0094731.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP661;Trojan.PWS.Banker.6520;Deleted.;
A0094735.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP661;Adware.Newweb.origin;Invalid path to file ;
A0094759.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP661;Trojan.PWS.Banker.6520;Deleted.;
A0094764.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP661;Adware.Newweb.origin;Invalid path to file ;
A0094784.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP662;Adware.Newweb.origin;Invalid path to file ;
A0094794.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP662;Trojan.PWS.Banker.6520;Deleted.;
A0094799.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP662;Adware.Newweb.origin;Invalid path to file ;
A0094845.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP663;Trojan.PWS.Banker.6520;Deleted.;
A0094884.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP663;Trojan.PWS.Banker.6520;Deleted.;
A0094900.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP663;Adware.Newweb.origin;Invalid path to file ;
A0095884.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0095889.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0096884.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0096889.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0096918.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0097906.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0097909.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0098904.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0098909.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0098919.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0098934.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0098938.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0098957.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0098962.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0099957.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0099961.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0099979.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0099988.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0099993.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0100011.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Cdn;Invalid path to file ;
A0100016.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0100021.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0101015.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0101020.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0102015.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted.;
A0102020.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0102037.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Trojan.PWS.Banker.6520;Deleted .;
A0102042.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP664;Adware.Newweb.origin;Invalid path to file ;
A0102059.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Trojan.PWS.Banker.6520;Deleted .;
A0102064.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Adware.Newweb.origin;Invalid path to file ;
A0103059.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Trojan.PWS.Banker.6520;Deleted .;
A0103063.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Adware.Newweb.origin;Invalid path to file ;
A0103085.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Adware.Newweb.origin;Invalid path to file ;
A0103101.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Trojan.PWS.Banker.6520;Deleted .;
A0103106.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Adware.Newweb.origin;Invalid path to file ;
A0103124.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Trojan.PWS.Banker.6520;Deleted .;
A0103129.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Adware.Newweb.origin;Invalid path to file ;
A0103147.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Trojan.PWS.Banker.6520;Deleted .;
A0103152.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Adware.Newweb.origin;Invalid path to file ;
A0103169.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Trojan.PWS.Banker.6520;Deleted .;
A0103174.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP665;Adware.Newweb.origin;Invalid path to file ;
A0103191.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Trojan.PWS.Banker.6520;Deleted .;
A0103196.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0103214.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Trojan.PWS.Banker.6520;Deleted .;
A0103219.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0103237.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Trojan.PWS.Banker.6520;Deleted .;
A0103242.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0103259.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Trojan.PWS.Banker.6520;Deleted .;
A0103264.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0103287.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Trojan.PWS.Banker.6520;Deleted .;
A0103290.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0104285.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Trojan.PWS.Banker.6520;Deleted .;
A0104290.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0104311.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0104327.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Trojan.PWS.Banker.6520;Deleted .;
A0104332.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0105327.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Trojan.PWS.Banker.6520;Deleted .;
A0105332.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0105347.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Trojan.PWS.Banker.6520;Deleted .;
A0105352.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP666;Adware.Newweb.origin;Invalid path to file ;
A0105367.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP667;Trojan.PWS.Banker.6520;Deleted .;
A0105372.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP667;Adware.Newweb.origin;Invalid path to file ;
A0106379.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP667;Adware.Newweb.origin;Invalid path to file ;
A0106382.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP668;Adware.Newweb.origin;Invalid path to file ;
A0107367.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP668;Trojan.PWS.Banker.6520;Deleted .;
A0107371.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP668;Adware.Newweb.origin;Invalid path to file ;
A0107391.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP668;Adware.Newweb.origin;Invalid path to file ;
A0107413.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP668;Adware.Newweb.origin;Invalid path to file ;
A0107431.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP668;Trojan.PWS.Banker.6520;Deleted .;
A0107436.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP668;Adware.Newweb.origin;Invalid path to file ;
A0107456.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP670;Trojan.PWS.Banker.6520;Deleted .;
A0107457.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP670;Trojan.PWS.Banker.6520;Deleted .;
A0107473.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP670;Adware.Newweb.origin;Invalid path to file ;
A0107485.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP671;Adware.Newweb.origin;Invalid path to file ;
A0107496.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP671;Adware.Newweb.origin;Invalid path to file ;
A0108495.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP671;Adware.Newweb.origin;Invalid path to file ;
A0108514.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP672;Adware.Newweb.origin;Invalid path to file ;
A0109514.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP672;Adware.Newweb.origin;Invalid path to file ;
A0110514.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP672;Adware.Newweb.origin;Invalid path to file ;
A0110532.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP672;Adware.Newweb.origin;Invalid path to file ;
A0110551.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP673;Adware.Newweb.origin;Invalid path to file ;
A0110571.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP673;Adware.Newweb.origin;Invalid path to file ;
A0111571.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP673;Adware.Newweb.origin;Invalid path to file ;
A0111580.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP673;Adware.Newweb.origin;Invalid path to file ;
A0112580.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP673;Adware.Newweb.origin;Invalid path to file ;
A0112589.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP673;Adware.Newweb.origin;Invalid path to file ;
A0112611.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP674;Adware.Newweb.origin;Invalid path to file ;
A0113610.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP674;Adware.Newweb.origin;Invalid path to file ;
A0113650.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP674;Adware.Newweb.origin;Invalid path to file ;
A0113659.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP674;Adware.Newweb.origin;Invalid path to file ;
A0113681.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP675;Adware.Newweb.origin;Invalid path to file ;
A0114659.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP675;Adware.Newweb.origin;Invalid path to file ;
A0114784.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP676;Adware.Newweb.origin;Invalid path to file ;
A0114804.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP676;Adware.Newweb.origin;Invalid path to file ;
A0114822.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP676;Adware.Newweb.origin;Invalid path to file ;
A0114841.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP676;Adware.Newweb.origin;Invalid path to file ;
A0114862.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP676;Adware.Newweb.origin;Invalid path to file ;
A0114882.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP676;Adware.Newweb.origin;Invalid path to file ;
A0114902.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP677;Adware.Newweb.origin;Invalid path to file ;
A0114915.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP677;Adware.Newweb.origin;Invalid path to file ;
A0114948.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP677;Adware.Newweb.origin;Invalid path to file ;
A0114969.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP677;Adware.Newweb.origin;Invalid path to file ;
A0114987.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP677;Adware.Newweb.origin;Invalid path to file ;
A0115019.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP677;Adware.Newweb.origin;Invalid path to file ;
A0115037.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP677;Adware.Newweb.origin;Invalid path to file ;
A0115076.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP677;Adware.Newweb.origin;Invalid path to file ;
A0115079.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP678;Adware.Newweb.origin;Invalid path to file ;
A0115125.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP678;Adware.Newweb.origin;Invalid path to file ;
A0115149.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP678;Adware.Newweb.origin;Invalid path to file ;
A0115170.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP678;Adware.Newweb.origin;Invalid path to file ;
A0115189.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP678;Adware.Newweb.origin;Invalid path to file ;
A0115215.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP678;Adware.Newweb.origin;Invalid path to file ;
A0115230.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;Adware.Newweb.origin;Invalid path to file ;
A0115245.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;Adware.Newweb.origin;Invalid path to file ;
A0115264.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;Adware.Newweb.origin;Invalid path to file ;
A0116265.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;Adware.Newweb.origin;Invalid path to file ;
A0116295.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;Adware.Newweb.origin;Invalid path to file ;
A0116318.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;VBS.Generic.544;Deleted.;
A0116319.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;VBS.Generic.544;Deleted.;
A0116321.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;Adware.Newweb.origin;Invalid path to file ;
A0116338.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;VBS.Generic.544;Deleted.;
A0116339.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;VBS.Generic.544;Deleted.;
A0116342.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP679;Adware.Newweb.origin;Invalid path to file ;
A0116354.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP680;VBS.Generic.544;Deleted.;
A0116355.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP680;VBS.Generic.544;Deleted.;
A0116360.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP680;Adware.Newweb.origin;Invalid path to file ;
A0116365.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP681;VBS.Generic.544;Deleted.;
A0116366.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP681;VBS.Generic.544;Deleted.;
A0116368.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP681;Adware.Newweb.origin;Invalid path to file ;
A0116438.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP683;VBS.Generic.544;Deleted.;
A0116440.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP683;VBS.Generic.544;Deleted.;
A0116454.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP683;Adware.Newweb.origin;Invalid path to file ;
A0116456.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP684;VBS.Generic.544;Deleted.;
A0116457.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP684;VBS.Generic.544;Deleted.;
A0116461.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP685;VBS.Generic.544;Deleted.;
A0116462.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP685;VBS.Generic.544;Deleted.;
A0116522.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP685;Adware.Newweb.origin;Invalid path to file ;
A0116523.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;VBS.Generic.544;Deleted.;
A0116524.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;VBS.Generic.544;Deleted.;
A0116527.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Adware.Newweb.origin;Invalid path to file ;
A0116529.exe;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Trojan.PWS.Banker.6520;Deleted .;
A0116530.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Trojan.DownLoader.14937;Delete d.;
A0116531.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Trojan.DownLoader.14462;Delete d.;
A0116532.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Trojan.Spambot.2398;Deleted.;
A0116533.sys;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Adware.Cdn;Invalid path to file ;
A0116534.sys;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Trojan.StartPage.1672;Deleted. ;
A0116535.sys;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Trojan.Starter.108;Deleted.;
A0117338.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Adware.Newweb.origin;Invalid path to file ;
A0117363.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Adware.Newweb.origin;Invalid path to file ;
A0117382.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Adware.Newweb.origin;Invalid path to file ;
A0117397.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;VBS.Generic.544;Deleted.;
A0117406.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Adware.Newweb.origin;Invalid path to file ;
A0117429.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP686;Adware.Newweb.origin;Invalid path to file ;
A0117451.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP687;Adware.Newweb.origin;Invalid path to file ;
A0117464.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP687;Adware.Newweb.origin;Invalid path to file ;
A0117482.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP687;Adware.Newweb.origin;Invalid path to file ;
A0117496.vbs;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP688;VBS.Generic.544;Deleted.;
A0117498.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP688;Adware.Cdn;Invalid path to file ;
A0117499.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP688;Adware.Cdn;Invalid path to file ;
A0117500.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP688;Adware.Newweb.origin;Invalid path to file ;
A0117503.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP688;Adware.Cdn.origin;Invalid path to file ;
A0117508.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP688;Adware.Cdn;Invalid path to file ;
A0117509.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP688;Adware.Newweb.origin;Invalid path to file ;
A0117630.dll;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP689;Adware.Baidu.origin;Deleted.;
A0117650.sys;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP689;Trojan.NtRootKit.442;Deleted.;
A0117651.reg;C:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP689;Trojan.StartPage.1505;Deleted. ;
CnsMinKP.sys;C:\WINDOWS\system32\drivers;Adware.Cd n;Deleted.;
homereg111.reg;E:\WINDOWS;Trojan.Seeker.151;Delete d.;
American Babes-uninstall.exe;E:\WINDOWS\SYSTEM;Dialer.Ezdial;Dele ted.;
EGGCEngine.dll;E:\Program Files\Common Files\GMT;Adware.Gator;Deleted.;
EGIEProcess.dll;E:\Program Files\Common Files\GMT;Adware.Gator;Deleted.;
EGNSEngine.dll;E:\Program Files\Common Files\GMT;Adware.Gator;Deleted.;
GatorRes.dll;E:\Program Files\Common Files\GMT;Adware.Gator - read error;;
GMT.exe;E:\Program Files\Common Files\GMT;Adware.Gator.origin;Deleted.;
GatorStubSetup.exe;E:\Program Files\Common Files\GMT;Adware.Gator;Deleted.;
GUninstaller.exe;E:\Program Files\Common Files\GMT;Adware.Gator;Deleted.;
CMEIIAPI.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
CMESys.exe;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
GAppMgr.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
GController.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
GDwldEng.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
GIocl.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
GIoclClient.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
GMTProxy.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
GObjs.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
GStore.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
GStoreServer.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
Gtools.dll;E:\Program Files\Common Files\CMEII;Adware.Gator;Deleted.;
SaveNow.exe;E:\Program Files\SaveNow;Adware.SaveNow;Deleted.;
Uninst.exe;E:\Program Files\SaveNow;Adware.SaveNow;Deleted.;
email_update.exe;E:\Program Files\Acceleration Software\Anti-Virus;Probably DLOADER.Trojan;Deleted.;
eanth_update.exe;E:\Program Files\Acceleration Software\Anti-Virus;Probably DLOADER.Trojan;Deleted.;
PrecisionTime.exe;E:\Program Files\PrecisionTime;Adware.Gator;Deleted.;
DateManager.exe;E:\Program Files\Date Manager;Adware.Gator;Deleted.;
American Babes.EXE;E:\Dialers;Dialer.Ezdial;Deleted.;
04045281.FIL;E:\$VAULT$.AVG;Trojan.PWS.LDPinch;Deleted.;
04045500.FIL;E:\$VAULT$.AVG;Win32.HLLM.Reteras;Deleted.;
04045687.FIL;E:\$VAULT$.AVG;Adware.Gator;Deleted.;
04045796.FIL;E:\$VAULT$.AVG;Adware.Gator;Deleted.;
04045953.FIL;E:\$VAULT$.AVG;Adware.Gator;Deleted.;
04046296.FIL;E:\$VAULT$.AVG;Probably DLOADER.Trojan;Deleted.;
05421656.FIL;E:\$VAULT$.AVG;Trojan.PWS.LDPinch;Deleted.;
05422015.FIL;E:\$VAULT$.AVG;Win32.HLLM.Reteras;Deleted.;
05422046.FIL;E:\$VAULT$.AVG;Adware.Gator;Deleted.;
05422062.FIL;E:\$VAULT$.AVG;Adware.Gator;Deleted.;
A0117658.reg;E:\System Volume Information\_restore{F7C43BAA-9F0B-4DB5-A500-C808BEDF3C9E}\RP689;Trojan.Seeker.151;Deleted.;

Combofix Log:
ComboFix 07-12-09.1 - user 2007-12-12 22:06:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT 13:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-12 20:06 . 2007-12-12 20:06 <DIR> d-------- C:\Documents and Settings\user\DoctorWeb
2007-12-10 13:10 . 2007-12-12 13:57 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
2007-12-10 13:10 . 2007-12-10 13:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-10 13:09 . 2007-12-10 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-10 13:09 . 2007-12-10 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-10 13:07 . 2007-12-10 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 22:21 . 2007-12-09 22:21 <DIR> d-------- C:\Documents and Settings\user\Incomplete
2007-12-09 22:21 . 2007-12-10 00:05 <DIR> d-------- C:\Documents and Settings\user\Application Data\LimeWire
2007-12-09 22:20 . 2007-12-09 22:20 <DIR> d-------- C:\Program Files\Java
2007-12-09 22:20 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-09 22:19 . 2007-12-09 22:19 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-09 17:52 . 2007-12-09 17:52 244 --ah----- C:\sqmnoopt02.sqm
2007-12-09 17:52 . 2007-12-09 17:52 232 --ah----- C:\sqmdata02.sqm
2007-12-09 09:44 . 2007-12-09 09:44 62,464 --a------ C:\WINDOWS\system32\drivers\phldn.sys
2007-12-01 16:47 . 2007-12-01 16:47 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-16 15:22 . 2007-11-16 15:22 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 03:48 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-15 21:37 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-11-15 21:09 155 ----a-w C:\start.bat
2004-10-11 07:46 205,312 ----a-w C:\Program Files\ltefx13n.dll
2004-01-19 02:31 153,600 ----a-w C:\Program Files\ltfil13n.DLL
2004-01-19 01:31 27,648 ----a-w C:\Program Files\lfiff13n.dll
2004-01-19 01:31 20,480 ----a-w C:\Program Files\lfCUT13n.dll
2004-01-19 00:31 453,120 ----a-w C:\Program Files\ltkrn13n.dll
2004-01-19 00:12 89,600 ----a-w C:\Program Files\Lfcgm13n.dll
2004-01-18 23:49 278,016 ----a-w C:\Program Files\LFJ2K13n.dll
2004-01-18 23:49 180,736 ----a-w C:\Program Files\Lfpng13n.dll
2004-01-18 23:47 76,800 ----a-w C:\Program Files\Lfwmf13n.dll
2004-01-18 23:47 509,440 ----a-w C:\Program Files\LFCMW13n.dll
2004-01-18 23:45 420,352 ----a-w C:\Program Files\LFCMP13n.DLL
2004-01-18 23:44 143,872 ----a-w C:\Program Files\lftif13n.dll
2004-01-18 23:36 65,536 ----a-w C:\Program Files\Lfpct13n.dll
2004-01-18 23:36 56,832 ----a-w C:\Program Files\lfpsd13n.dll
2004-01-18 23:36 26,624 ----a-w C:\Program Files\lfpcx13n.dll
2004-01-18 23:36 19,968 ----a-w C:\Program Files\lfpcd13n.dll
2004-01-18 23:36 18,944 ----a-w C:\Program Files\lfmsp13n.dll
2004-01-18 23:35 20,992 ----a-w C:\Program Files\lfimg13n.dll
2004-01-18 23:35 18,944 ----a-w C:\Program Files\lfmac13n.dll
2004-01-18 23:34 31,744 ----a-w C:\Program Files\lfclp13n.dll
2004-01-18 23:34 30,208 ----a-w C:\Program Files\lfbmp13n.dll
2004-01-18 23:33 444,928 ----a-w C:\Program Files\ltimg13n.dll
2004-01-18 23:32 265,216 ----a-w C:\Program Files\LTDIS13n.dll
2000-05-01 16:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
1999-11-18 11:00 284,032 ----a-w C:\Program Files\XceedZip.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"ILO_Office_Manager"="IntEdReg.exe" [2002-10-15 12:30 C:\WINDOWS\system32\intedreg.exe]
"eMuleAutoStart"="C:\emule\eMule.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 21:31 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10]
"SMSERIAL"="sm56hlpr.exe" [2004-01-28 23:42 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 15:50]
"SNPMI03"="C:\WINDOWS\vsnpmi03.exe" [2003-08-08 14:58]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 03:43]
"Intense Registry Service"="IntEdReg.exe" [2002-10-15 12:30 C:\WINDOWS\system32\intedreg.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 10:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 13:45]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-23 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-10 13:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-10 13:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R3 snpmi03;VideoCAM NB 300;C:\WINDOWS\system32\DRIVERS\snpmi03.sys
S3 baxevr36;baxevr36;\??\C:\WINDOWS\system32\drivers\baxevr36.sys
S3 krdpdre;krdpdre;\??\C:\DOCUME~1\user\LOCALS~1\Temp\krdpdre.sys
S3 nowpuk95;nowpuk95;\??\C:\WINDOWS\system32\drivers\nowpuk95.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-06-04 01:23:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 08:49:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 22:12:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-12 22:13:23 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-11 18:07
.
--- E O F ---

HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:01 p.m., on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\vsnpmi03.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SNPMI03] C:\WINDOWS\vsnpmi03.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [eMuleAutoStart] C:\emule\eMule.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.qmb.co.nz
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRD.../heartbeat.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 7527 bytes
  #6 (permalink)  
Old 11-12-2007, 09:03 PM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below (NOT THE WORD QUOTE) to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Files to delete:
C:\WINDOWS\vsnpmi03.exe
C:\DOCUME~1\user\LOCALS~1\Temp \krdpdre.sys
C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll

Drivers to unload:
C:\WINDOWS\system32\drivers\phldn.sys
C:\WINDOWS\system32\drivers\ nowpuk95.sys
C:\WINDOWS\system32\drivers\ baxevr36.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

  #7 (permalink)  
Old 12-12-2007, 10:06 AM
Newbie
D-A-L Newbie
 
Join Date: Dec 2005
Posts: 17
ahon371 Is a beginner here at D-A-L
Re: Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com

Dear Neal,

Avenger Log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\doodpvem

*******************

Script file located at: \??\C:\WINDOWS\system32\cffafyoh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\vsnpmi03.exe deleted successfully.


Could not open file C:\DOCUME~1\user\LOCALS~1\Temp \krdpdre.sys for deletion
Deletion of file C:\DOCUME~1\user\LOCALS~1\Temp \krdpdre.sys failed!

Could not process line:
C:\DOCUME~1\user\LOCALS~1\Temp \krdpdre.sys
Status: 0xc000003a



File C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll not found!
Deletion of file C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll failed!

Could not process line:
C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll
Status: 0xc0000034

Registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\drivers\phldn.sys not found!
Unload of driver C:\WINDOWS\system32\drivers\phldn.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\phldn.sys
Status: 0xc0000034

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:32 p.m., on 13/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Intense Language Office\COMMON\Offman.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.cn
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SNPMI03] C:\WINDOWS\vsnpmi03.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [eMuleAutoStart] C:\emule\eMule.exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.qmb.co.nz
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C7E002D6-324B-4500-883D-84B620FD8640} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRD.../heartbeat.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 7591 bytes
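Added example, not part of the thread and not code from The Avenger or HijackThis: a small Python helper that reads an Avenger log like the one above together with the HijackThis log that follows it. It decodes the NTSTATUS values on the failed script lines (meanings taken from the standard Windows NTSTATUS table), flags script paths that contain whitespace next to a backslash (the krdpdre.sys line above has one, so the literal path can never match a real file), and lists O4 autorun entries that still point at a file Avenger reported deleted. The log excerpts are constructed from this thread's posts; the whitespace check is a heuristic of this example, not Avenger behaviour documented on the page.

```python
"""Triage an Avenger log against a HijackThis log (added example, not from the thread)."""
import re

# Meanings of the NTSTATUS values that appear in the Avenger logs in this thread.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND: the file itself is absent",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND: a directory in the path does not exist",
    0xC000003B: "STATUS_OBJECT_PATH_SYNTAX_BAD: the path is malformed",
}

# Constructed excerpt modelled on the Avenger log posted above.
AVENGER_LOG = r"""Logfile of The Avenger version 1, by Swandog46
Beginning to process script file:

File C:\WINDOWS\vsnpmi03.exe deleted successfully.


Could not open file C:\DOCUME~1\user\LOCALS~1\Temp \krdpdre.sys for deletion
Deletion of file C:\DOCUME~1\user\LOCALS~1\Temp \krdpdre.sys failed!

Could not process line:
C:\DOCUME~1\user\LOCALS~1\Temp \krdpdre.sys
Status: 0xc000003a

File C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll not found!
Deletion of file C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll failed!

Could not process line:
C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll
Status: 0xc0000034
"""

# Constructed excerpt of the O4 (autorun) section of the HijackThis log posted above.
HJT_LOG = r"""O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SNPMI03] C:\WINDOWS\vsnpmi03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [eMuleAutoStart] C:\emule\eMule.exe -AutoStart
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
"""


def explain_status(code):
    """Human-readable meaning of an NTSTATUS code, or a generic label if unknown."""
    return NTSTATUS.get(code, "unknown NTSTATUS 0x%08X" % code)


def path_problems(path):
    """Heuristic checks on one script line (assumption: the path is taken literally).
    Whitespace beside a backslash means the path names a directory that does not exist."""
    problems = []
    if re.search(r"\\\s|\s\\", path):
        problems.append("whitespace next to a backslash")
    if path != path.strip():
        problems.append("leading or trailing whitespace")
    return problems


def parse_avenger_log(text):
    """Return (deleted_paths, failures); failures maps the script line to its status int."""
    text = text.replace("\r\n", "\n")
    deleted = re.findall(r"^File (.+?) deleted successfully\.$", text, re.M)
    failures = {}
    for m in re.finditer(r"Could not process line:\n(.+)\nStatus: (0x[0-9A-Fa-f]+)", text):
        failures[m.group(1)] = int(m.group(2), 16)
    return deleted, failures


def parse_hjt_o4(text):
    """Extract O4 autorun entries as (registry key, value name, command)."""
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in re.finditer(r"^O4 - (.+?): \[([^\]]+)\] (.+)$", text, re.M)]


def orphaned_autoruns(entries, deleted_paths):
    """O4 entries whose command still names a file the Avenger run deleted.
    The Run value outlives the file, so it should be removed in the next clean-up step."""
    wanted = [p.lower() for p in deleted_paths]
    return [e for e in entries if any(p in e[2].lower() for p in wanted)]


def triage(avenger_text, hjt_text):
    """Combine the checks into one report dict."""
    deleted, failures = parse_avenger_log(avenger_text)
    return {
        "deleted": deleted,
        "failures": [(path, "0x%08X" % code, explain_status(code), path_problems(path))
                     for path, code in failures.items()],
        "orphaned_autoruns": orphaned_autoruns(parse_hjt_o4(hjt_text), deleted),
    }


if __name__ == "__main__":
    for section, items in triage(AVENGER_LOG, HJT_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```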
  #8 (permalink)  
Old 12-12-2007, 10:11 AM
Newbie
D-A-L Newbie
 
Join Date: Dec 2005
Posts: 17
ahon371 Is a beginner here at D-A-L
Re: Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com

Dear Neal:

Is it a virus symptom or just my keyboard? Whenever I type "h" it will appear as "gh"; "jk" becomes "jk"; "n" becomes "bn", etc. This happens after I ran the Avenger software. Thanks for your regard!
  #9 (permalink)  
Old 12-12-2007, 11:23 PM
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com

No idea why your keyboard is doing that. Avenger makes backups, and if something was deleted that should not have been, it can be restored.



Avenger deleted one file that was a virus, the others were not found or could not be opened.

No drivers were deleted that were bad and you even indicated them in your first post as being detected as bad. The other wasn't there.

These two did not show up on avenger results

C:\WINDOWS\system32\drivers\ nowpuk95.sys
C:\WINDOWS\system32\drivers\ baxevr36.sys


Maybe you did not post the entire results from Avenger.

So not sure what that is about, we are not done yet.


This could not be opened so let's scan it to see what the heck that is:

C:\DOCUME~1\user\LOCALS~1\Temp \krdpdre.sys



Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

Re-hide after we are done



Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:


C:\DOCUME~1\user\LOCALS~1\Temp \krdpdre.sys


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.


If that one is too busy, here is another option:


http://virusscan.jotti.org

And

http://www.kaspersky.com/scanforvirus.html



New combofix log please.
  #10 (permalink)  
Old 13-12-2007, 08:11 AM
Newbie
D-A-L Newbie
 
Join Date: Dec 2005
Posts: 17
ahon371 Is a beginner here at D-A-L
Re: Virus: MFC32DLL.dll.vbs, IE bar stated "Hacked By GNUlihd@gmail.com

dear neal,

tHANKs for continue being patience and helpful

it SAid the path dOEs not exist, pleaSE VERIFy tHE CORRECt PAtH.

my keboard iS NO FUNCIONING PROPERLy

i am only uSING COPy ANd PaStE method to wRItE some letter
I can no longer dIsplay "y""t""d", much worSE tHAN LAst night
can't control capital or SMALL LEttER

let me give you my avenger logS AGAIN ANd ALso combotfix log
HOPFULLy CAN FINd some clue

avenger logS

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gnoeecmd

*******************

Script file located at: xypfxesk

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

combotfix log

ComboFix 07-12-09.1 - user 2007-12-14 19:52:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.205 [GMT 13:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-12 20:06 . 2007-12-12 20:06 <DIR> d-------- C:\Documents and Settings\user\DoctorWeb
2007-12-10 13:10 . 2007-12-14 10:22 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
2007-12-10 13:10 . 2007-12-10 13:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-10 13:09 . 2007-12-10 13:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-10 13:09 . 2007-12-10 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-10 13:07 . 2007-12-10 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 22:21 . 2007-12-09 22:21 <DIR> d-------- C:\Documents and Settings\user\Incomplete
2007-12-09 22:21 . 2007-12-10 00:05 <DIR> d-------- C:\Documents and Settings\user\Application Data\LimeWire
2007-12-09 22:20 . 2007-12-09 22:20 <DIR> d-------- C:\Program Files\Java
2007-12-09 22:20 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-09 22:19 . 2007-12-09 22:19 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-09 17:52 . 2007-12-09 17:52 244 --ah----- C:\sqmnoopt02.sqm
2007-12-09 17:52 . 2007-12-09 17:52 232 --ah----- C:\sqmdata02.sqm
2007-12-09 09:44 . 2007-12-09 09:44 62,464 --a------ C:\WINDOWS\system32\drivers\phldn.sys
2007-12-01 16:47 . 2007-12-01 16:47 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-16 15:22 . 2007-11-16 15:22 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 03:48 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-15 21:37 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-11-15 21:09 155 ----a-w C:\start.bat
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2004-10-11 07:46 205,312 ----a-w C:\Program Files\ltefx13n.dll
2004-01-19 02:31 153,600 ----a-w C:\Program Files\ltfil13n.DLL
2004-01-19 01:31 27,648 ----a-w C:\Program Files\lfiff13n.dll
2004-01-19 01:31 20,480 ----a-w C:\Program Files\lfCUT13n.dll
2004-01-19 00:31 453,120 ----a-w C:\Program Files\ltkrn13n.dll
2004-01-19 00:12 89,600 ----a-w C:\Program Files\Lfcgm13n.dll
2004-01-18 23:49 278,016 ----a-w C:\Program Files\LFJ2K13n.dll
2004-01-18 23:49 180,736 ----a-w C:\Program Files\Lfpng13n.dll
2004-01-18 23:47 76,800 ----a-w C:\Program Files\Lfwmf13n.dll
2004-01-18 23:47 509,440 ----a-w C:\Program Files\LFCMW13n.dll
2004-01-18 23:45 420,352 ----a-w C:\Program Files\LFCMP13n.DLL
2004-01-18 23:44 143,872 ----a-w C:\Program Files\lftif13n.dll
2004-01-18 23:36 65,536 ----a-w C:\Program Files\Lfpct13n.dll
2004-01-18 23:36 56,832 ----a-w C:\Program Files\lfpsd13n.dll
2004-01-18 23:36 26,624 ----a-w C:\Program Files\lfpcx13n.dll
2004-01-18 23:36 19,968 ----a-w C:\Program Files\lfpcd13n.dll
2004-01-18 23:36 18,944 ----a-w C:\Program Files\lfmsp13n.dll
2004-01-18 23:35 20,992 ----a-w C:\Program Files\lfimg13n.dll
2004-01-18 23:35 18,944 ----a-w C:\Program Files\lfmac13n.dll
2004-01-18 23:34 31,744 ----a-w C:\Program Files\lfclp13n.dll
2004-01-18 23:34 30,208 ----a-w C:\Program Files\lfbmp13n.dll
2004-01-18 23:33 444,928 ----a-w C:\Program Files\ltimg13n.dll
2004-01-18 23:32 265,216 ----a-w C:\Program Files\LTDIS13n.dll
2000-05-01 16:17 212,480 ----a-w C:\Program Files\PCDLIB32.DLL
1999-11-18 11:00 284,032 ----a-w C:\Program Files\XceedZip.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-11_18.06.56.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-10 23:47:27 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\advpack.dll
+ 2007-10-10 23:47:27 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\dxtrans.dll
+ 2007-10-10 23:47:27 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\extmgr.dll
+ 2007-10-10 23:47:27 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\icardie.dll
+ 2007-10-10 08:16:47 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ie4uinit.exe
+ 2007-10-10 23:47:27 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakeng.dll
+ 2007-10-10 23:47:27 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieaksie.dll
+ 2007-10-10 05:47:20 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:28:12 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dat
+ 2007-10-10 23:47:27 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dll
+ 2007-10-10 23:47:27 388,096 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iedkcs32.dll
+ 2007-10-10 23:47:27 6,067,200 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieframe.dll
+ 2007-10-10 23:47:27 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iernonce.dll
+ 2007-10-10 23:47:27 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iertutil.dll
+ 2007-10-10 08:16:47 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieudinit.exe
+ 2007-10-10 08:16:56 625,664 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
+ 2007-10-10 23:47:28 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\jsproxy.dll
+ 2007-10-10 23:47:28 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeeds.dll
+ 2007-10-10 23:47:28 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeedsbs.dll
+ 2007-10-30 23:48:49 3,593,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
+ 2007-10-10 23:47:28 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtmled.dll
+ 2007-10-10 23:47:28 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msrating.dll
+ 2007-10-10 23:47:28 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mstime.dll
+ 2007-10-10 23:47:28 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\occache.dll
+ 2007-10-10 23:47:28 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\url.dll
+ 2007-10-10 23:47:29 1,162,240 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\urlmon.dll
+ 2007-10-10 23:47:29 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\webcheck.dll
+ 2007-10-10 23:47:29 825,344 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\updspapi.dll
+ 2007-11-13 11:02:46 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB942763\SP2QFE\tzchange.exe
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\updspapi.dll
+ 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-20 10:04:34 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-08-20 10:04:34 132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-08-17 07:34:25 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-08-17 1021 625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-08-20 10:04:39 27,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-08-20 10:04:41 3,584,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-08-20 10:04:41 477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-08-20 10:04:41 193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-08-20 10:04:42 671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-08-20 10:04:42 1,152,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-08-20 10:04:43 824,832 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
- 2007-08-20 10:04:34 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:55:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2007-08-20 10:04:34 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-10-10 23:55:51 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-20 10:04:34 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-20 10:04:34 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:55:51 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-20 10:04:34 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2007-10-10 23:55:51 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-08-17 10:20:54 63,488 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-20 10:04:35 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-17 07:34:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-20 10:04:35 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-08-20 10:04:35 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-20 10:04:37 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-08-20 10:04:38 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-10-10 23:55:55 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-20 10:04:38 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-10-10 23:55:55 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-08-17 10:20:54 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-08-17 1021 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-10-10 10:59:52 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-20 10:04:39 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-08-20 10:04:39 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-08-20 10:04:39 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-08-20 10:04:41 3,584,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-20 10:04:41 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-20 10:04:41 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:55:58 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-20 10:04:42 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:55:59 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-20 10:04:42 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-10 23:55:59 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-29 22:43:03 1,287,680 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-08-20 10:04:42 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-10-10 23:55:59 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-20 10:04:42 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 2300 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-20 10:04:42 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-10-10 2300 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-20 10:04:43 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 2300 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-10-18 09:47:18 222,208 -c--a-w C:\WINDOWS\system32\dllcache\WMASF.dll
+ 2007-10-27 04:40:30 222,720 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2007-08-20 10:04:34 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:55:51 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-20 10:04:34 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:55:51 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-20 10:04:34 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:55:51 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-17 10:20:54 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 10:59:40 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-20 10:04:34 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:55:51 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-20 10:04:35 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:55:51 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-08-20 10:04:35 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:55:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-20 10:04:35 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:55:52 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-20 10:04:37 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:55:54 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-20 10:04:38 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:55:55 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-20 10:04:38 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:55:55 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-17 10:20:54 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-20 10:04:39 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:55:56 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-08-20 10:04:39 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:55:56 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-20 10:04:39 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:55:56 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-20 10:04:41 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:42:28 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-20 10:04:41 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:55:58 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-20 10:04:41 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:55:58 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-20 10:04:42 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:55:59 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-20 10:04:42 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:55:59 102,400 ----a-w C:\WINDOWS\system32\occache.dll
- 2005-08-30 03:54:26 1,287,168 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
- 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ------w C:\WINDOWS\system32\tzchange.exe
- 2007-08-20 10:04:42 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:55:59 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-20 10:04:42 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 2300 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-20 10:04:42 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 2300 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-20 10:04:43 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 2300 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
- 2006-10-18 09:47:18 222,208 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 04:40:30 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-12-14 06:57:40 40,960 ----a-w C:\WINDOWS\TEMP\rtdrvmon.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"ILO_Office_Manager"="IntEdReg.exe" [2002-10-15 12:30 C:\WINDOWS\system32\intedreg.exe]
"eMuleAutoStart"="C:\emule\eMule.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 21:31 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10]
"SMSERIAL"="sm56hlpr.exe" [2004-01-28 23:42 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 15:50]
"SNPMI03"="C:\WINDOWS\vsnpmi03.exe" []
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 03:43]
"Intense Registry Service"="IntEdReg.exe" [2002-10-15 12:30 C:\WINDOWS\system32\intedreg.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 10:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 13:45]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-23 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-10 13:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-10 13:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R3 snpmi03;VideoCAM NB 300;C:\WINDOWS\system32\DRIVERS\snpmi03.sys
S3 baxevr36;baxevr36;\??\C:\WINDOWS\system32\drivers\baxevr36.sys
S3 krdpdre;krdpdre;\??\C:\DOCUME~1\user\LOCALS~1\Temp\krdpdre.sys
S3 nowpuk95;nowpuk95;\??\C:\WINDOWS\system32\drivers\nowpuk95.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-06-04 01:23:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-14 06:49:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\user\LOCALS~1\Temp\ojdgeqmmCFEBM77.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 19:57:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-14 19:59:16 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-12 22:13
C:\ComboFix3.txt ... 2007-12-11 18:07
.
--- E O F ---