
Security >> HijackThis logs help and analysis
God_Is_The_Light
new user


Reg'd: Tue
Posts: 13
Spyware has infected my computer and I need help to remove it.
      #391605 - Tue Apr 15 2008 07:24 PM


On 4/13/08, while trying to download an image converter program from the internet, I downloaded some type of spyware programs onto my computer. After the download I first noticed that my Internet Explorer window at the top was unreadable (the words turned into little boxes) and my homepage was changed to some spyware removal site. Also the spyware keeps opening multiple IE7 browser windows going to spyware removal sites. I also had 3 desktop icons: "Error Cleaner", "Privacy Protector", and "Spyware & M Protection". I ran my spyware removal program (Defender Pro 15 in 1) and did a complete scan and it removed the spyware files, but it is still on my computer. In the bottom right hand corner of my computer there is a red circle with an X in it flashing and a yellow triangle, and messages keep appearing saying "system alert" and "Security warning".
I came upon this site and saw someone named BriCat who had helped a user with a similar problem, so I joined this forum to get some HELP. I downloaded the program HijackThis, ran a system check and saved the log, which I am pasting below. I look forward to getting some help soon. Thank you all so much.

======================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:39 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\ehsfahad\klivyxeh.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\sloxafkp.exe
C:\Program Files\Defender Pro\Defender Pro Uninstaller\UIWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: sgoblxtm - {57ABA3CE-E927-4C81-BE2E-E20CAEC6645F} - C:\WINDOWS\sgoblxtm.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [Sound Card Driver] C:\My Games\LIBERTY-F82BA2D\svchost.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKLM\..\Run: [381dc66f] rundll32.exe "C:\WINDOWS\system32\hhbtlmht.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [zxcrqdht] C:\WINDOWS\system32\sloxafkp.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Defender Pro\Defender Pro Uninstaller\UIWatcher.exe
O4 - HKLM\..\Policies\Explorer\Run: [kEU1gkL26I] C:\Documents and Settings\All Users.WINDOWS\Application Data\ehsfahad\klivyxeh.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1204853167340
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/...ows-i586-jc.cab
O21 - SSODL: dsktbwfe - {7CA33675-46B4-4D72-9588-CAF2A0A63423} - C:\WINDOWS\dsktbwfe.dll
O21 - SSODL: ogxtsepr - {CA5E9037-65E9-4D9C-AC99-F99C6A3A6A79} - C:\WINDOWS\ogxtsepr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7425 bytes


bricat
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 28646
Loc: belfast
Re: Spyware has infected my computer and I need help to remove it. [Re: God_Is_The_Light]
      #391641 - Tue Apr 15 2008 11:57 PM

Welcome to the Webuser forum.

Please download ComboFix from either of these two locations

BleepingComputer ComboFix
Geeks to Go ComboFix

And save it to your DESKTOP.

* Double click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply

Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Post back with the log from ComboFix and a new HJT log please.

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

You don't stop laughing when you get old, you get old when you stop laughing!


God_Is_The_Light
new user


Reg'd: Tue
Posts: 13
Re: Spyware has infected my computer and I need help to remove it. [Re: bricat]
      #391652 - Wed Apr 16 2008 02:29 AM

Thank you Brian. Your help is very much appreciated. Here are the ComboFix and new HijackThis logs you requested for review. Everything appears to be running as normal now, except I did get a popup on the screen for a spyware website, and there is still a toolbar on my IE7 online browser page with the name "sgoblxtm"; it has 4 icons (remove popups / scan spyware / security test / spam protection). I right clicked and unchecked it in the toolbar menu. But all the other things appear to be gone. Let me know if I need to do anything else.

=====================================================

ComboFix 08-04-14.2 - William A. Hudson 2008-04-15 17:52:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.183 [GMT -7:00]
Running from: C:\Documents and Settings\William A. Hudson\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Favorites\Online Security Test.url
C:\Documents and Settings\William A. Hudson\Desktop\Error Cleaner.url
C:\Documents and Settings\William A. Hudson\Desktop\Privacy Protector.url
C:\Documents and Settings\William A. Hudson\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\William A. Hudson\Desktopblackbird.jpg
C:\Documents and Settings\William A. Hudson\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\William A. Hudson\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\William A. Hudson\Desktopfilemanagerclient.exe
C:\Documents and Settings\William A. Hudson\Desktopfkwp1.5.exe
C:\Documents and Settings\William A. Hudson\Desktopfkwp2.0.exe
C:\Documents and Settings\William A. Hudson\Desktopfwebd.exe
C:\Documents and Settings\William A. Hudson\DesktopFWebdEditor.exe
C:\Documents and Settings\William A. Hudson\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\William A. Hudson\Desktopvirii
C:\Documents and Settings\William A. Hudson\Favorites\Error Cleaner.url
C:\Documents and Settings\William A. Hudson\Favorites\Privacy Protector.url
C:\Documents and Settings\William A. Hudson\Favorites\Spyware&Malware Protection.url
C:\Program Files\Common Files\Delsim
C:\Program Files\Common Files\Delsim\uninstall.bat
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\drivecleaner free\laststat.dat
C:\Program Files\DefenderPro AntiSpy\AntiSpy\Def\CnsMin.dsc
C:\Program Files\DefenderPro AntiSpy\AntiSpy\Def\CnsMin.prf
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Program Files\video access activex object
C:\Program Files\video access activex object\ot.ico
C:\Program Files\video access activex object\ts.ico
C:\Program Files\video access activex object\uninst.exe
C:\WINDOWS\a.bat
C:\WINDOWS\bdn.com
C:\WINDOWS\cookies.ini
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\efcDUmjj.dll
C:\WINDOWS\system32\hhbtlmht.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnlmJAR.dll
C:\WINDOWS\system32\RAJmlnnn.ini
C:\WINDOWS\system32\RAJmlnnn.ini2
C:\WINDOWS\system32\ssqPigGw.dll
C:\WINDOWS\system32\thmltbhh.ini
C:\WINDOWS\system32\xbuapxmv.ini
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winhelp.ini
C:\WINDOWS\winsystem.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 10:38 . 2008-04-15 10:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 09:42 . 2008-04-15 09:43 2,855 --a--c--- C:\Documents and Settings\William A. Hudson\DesktopTrojan.Win32.BlackBird.PIF
2008-04-15 09:38 . 2008-04-15 09:38 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-15 02:46 . 2008-04-15 02:46 3,648 --a--c--- C:\WINDOWS\system32\rsmjacyj.dll
2008-04-14 16:11 . 2008-04-14 16:13 <DIR> d-------- C:\Program Files\Defender Pro
2008-04-14 12:59 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk8
2008-04-14 04:12 . 2008-04-15 13:13 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\TmpRecentIcons
2008-04-14 03:47 . 2008-04-14 03:47 37 --a------ C:\WINDOWS\omniASsdk.dat
2008-04-14 03:46 . 2008-04-14 03:46 <DIR> d-------- C:\WINDOWS\AntiSpy
2008-04-14 03:13 . 2008-04-14 23:59 <DIR> d-------- C:\Program Files\DefenderPro AntiSpy
2008-04-14 03:13 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk7
2008-04-14 03:08 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk6
2008-04-14 03:04 . 1998-06-16 16:45 77,878 --a------ C:\WINDOWS\system32\msvcirt.dll.bk5
2008-04-14 02:57 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk4
2008-04-14 02:54 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk3
2008-04-14 02:53 . 1998-06-16 16:45 77,878 --a------ C:\WINDOWS\system32\msvcirt.dll.bk2
2008-04-14 02:44 . 2008-04-14 02:44 3,648 --a--c--- C:\WINDOWS\system32\rjyltlvp.dll
2008-04-14 02:37 . 2008-04-14 02:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ehsfahad
2008-04-14 02:37 . 2008-04-13 23:39 217,088 --a------ C:\WINDOWS\dsktbwfe.dll
2008-04-14 02:37 . 2008-04-13 23:39 212,992 --a------ C:\WINDOWS\nslbvxpgtkn.dll
2008-04-14 02:37 . 2008-04-13 23:39 172,032 --a------ C:\WINDOWS\ogxtsepr.dll
2008-04-14 02:37 . 2008-04-13 23:39 151,552 --a------ C:\WINDOWS\sgoblxtm.dll
2008-04-14 02:37 . 2008-04-14 02:37 106,496 --a------ C:\WINDOWS\system32\sloxafkp.exe
2008-04-14 02:37 . 2008-04-13 23:39 81,920 --a------ C:\WINDOWS\spnkfwad.exe
2008-04-14 02:21 . 2008-04-14 03:03 <DIR> d-------- C:\Program Files\ImageConverter Plus
2008-04-13 21:30 . 2008-04-14 01:46 <DIR> d----c--- C:\VideoFiles
2008-04-13 21:18 . 2008-04-13 21:18 <DIR> d-------- C:\Program Files\AliveMedia
2008-04-13 21:18 . 2002-05-23 20:40 110,080 --a------ C:\WINDOWS\system32\nLame.dll
2008-04-13 21:18 . 2001-06-23 21:20 23,040 --a------ C:\WINDOWS\system32\auth.dll
2008-04-13 21:12 . 2008-04-14 06:49 <DIR> d----c--- C:\DVDMovie
2008-04-13 21:06 . 2008-04-13 21:21 67 --a------ C:\WINDOWS\AoADVDRipper.INI
2008-04-13 21:05 . 2008-04-13 21:05 <DIR> d-------- C:\Program Files\AoA DVD Ripper
2008-04-13 21:05 . 2008-04-13 21:05 3,082 --a------ C:\WINDOWS\system32\affv9553p6now.sys
2008-04-13 20:51 . 2008-04-13 20:51 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\dvdcss
2008-04-13 20:49 . 2008-04-13 20:49 <DIR> d-------- C:\Program Files\ImTOO
2008-04-13 20:28 . 2008-04-13 20:28 <DIR> d----c--- C:\Documents and Settings\WILLIA~1\LOCALS~1
2008-04-13 20:28 . 2008-04-13 20:28 <DIR> d----c--- C:\Documents and Settings\WILLIA~1
2008-04-13 20:28 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-04-13 20:28 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-04-13 19:34 . 2008-04-13 19:45 <DIR> d----c--- C:\iSofterOutput
2008-04-13 19:31 . 2008-04-13 19:31 <DIR> d-------- C:\Program Files\iSofter
2008-04-13 19:31 . 2007-02-06 15:06 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-04-13 19:31 . 2007-02-06 15:06 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2008-04-13 19:31 . 2007-02-06 15:06 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2008-04-13 19:31 . 2007-02-06 15:06 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-04-13 19:31 . 2007-02-06 15:06 200,704 --a------ C:\WINDOWS\system32\dtu100.dll
2008-04-13 19:31 . 2007-02-06 15:06 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2008-04-13 19:31 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-04-10 06:28 . 2008-04-11 11:35 <DIR> d-------- C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-04-10 06:28 . 2008-04-14 03:02 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\Audacity
2008-04-09 23:38 . 2008-04-09 23:38 <DIR> d-------- C:\Program Files\MyPodcast Recorder
2008-04-09 18:23 . 2008-04-09 18:23 <DIR> d-------- C:\Program Files\Audacity
2008-04-09 00:05 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-08 23:55 . 2008-04-08 23:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-08 16:21 . 2008-04-08 16:21 66 --a------ C:\WINDOWS\system32\IPCROTIDE.SYS
2008-04-08 16:20 . 2008-04-08 16:21 79 --a------ C:\WINDOWS\iPC.ini
2008-04-08 11:39 . 2008-04-13 01:49 48 --a------ C:\WINDOWS\.prj
2008-04-08 11:16 . 2008-04-08 11:43 <DIR> d-------- C:\Program Files\PageBreeze
2008-04-08 11:16 . 2005-01-24 12:39 503,808 --a------ C:\WINDOWS\system32\ChilkatFTPx.dll
2008-04-08 11:16 . 1998-06-24 00:00 203,576 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-04-08 11:16 . 1998-06-18 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
2008-04-08 11:16 . 1999-05-15 00:24 97,280 --a------ C:\WINDOWS\system32\vspell32.ocx
2008-04-08 11:16 . 1998-11-18 11:40 89,600 --a------ C:\WINDOWS\system32\Leocx32.ocx
2008-04-08 11:16 . 1998-11-22 14:23 84,992 --a------ C:\WINDOWS\system32\Ledit32.dll
2008-04-08 11:16 . 1997-02-24 17:44 70,656 --a------ C:\WINDOWS\system32\vspell32.dll
2008-04-08 11:16 . 2008-04-14 23:49 434 --a------ C:\WINDOWS\pagebreeze.ini
2008-04-08 11:16 . 2008-04-08 11:16 44 --a------ C:\WINDOWS\formbreeze.ini
2008-04-06 16:19 . 2008-04-14 18:30 <DIR> d-------- C:\Program Files\Celtx
2008-04-06 16:19 . 2008-04-06 16:19 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\Greyfirst
2008-04-01 20:10 . 2004-07-30 12:06 28,672 --a------ C:\WINDOWS\hookdllX.dll
2008-04-01 20:04 . 2008-04-01 20:04 <DIR> d-------- C:\Program Files\Lexmark_7100 Series
2008-04-01 20:03 . 2008-04-01 20:11 11,916 --a------ C:\WINDOWS\system32\LexFiles.ulf
2008-04-01 20:01 . 2005-01-20 10:36 1,478 -ra------ C:\WINDOWS\system32\lxbx.loc
2008-04-01 20:00 . 2004-11-09 07:27 65,536 --a------ C:\WINDOWS\system32\lxbxcfg.dll
2008-04-01 19:50 . 2008-04-01 19:50 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\7100Series
2008-04-01 19:43 . 2008-04-01 19:43 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\WINDOWS
2008-04-01 19:35 . 2008-04-01 20:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\7100Series
2008-04-01 19:34 . 2008-04-01 20:11 <DIR> d-------- C:\Program Files\Lexmark 7100 Series
2008-04-01 13:51 . 2008-04-05 17:34 <DIR> d----c--- C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2008-04-01 13:51 . 2008-04-13 21:21 <DIR> d----c--- C:\Temp
2008-03-31 17:09 . 2008-03-31 17:09 <DIR> d-------- C:\WINDOWS\system32\New Folder
2008-03-31 17:02 . 2004-08-04 05:00 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2008-03-31 17:02 . 2004-08-04 05:00 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
2008-03-31 00:39 . 2008-03-31 00:39 <DIR> d-------- C:\Program Files\detest5
2008-03-31 00:39 . 2002-12-30 00:39 114 --------- C:\WINDOWS\de04ch5.dat
2008-03-30 15:52 . 2008-03-30 15:52 <DIR> d-------- C:\WINDOWS\Sun
2008-03-30 15:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-30 15:49 . 2008-03-30 15:50 <DIR> d-------- C:\Program Files\Java
2008-03-27 02:28 . 2008-03-27 02:28 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Profiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 19:58 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-04-14 02:22 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\Apple Computer
2008-04-14 02:20 --------- d-----w C:\Program Files\QuickTime
2008-04-06 19:02 --------- d-----w C:\Program Files\Lx_cats
2008-04-02 03:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 00:16 382 ----a-w C:\Program Files\Shortcut to Program Files.lnk
2008-03-27 08:58 --------- d-----w C:\Program Files\Yahoo!
2008-03-23 23:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-15 17:29 --------- d-----w C:\Program Files\Google
2008-03-14 20:14 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\Amazon
2008-03-14 20:11 --------- d-----w C:\Program Files\Amazon
2008-03-14 18:59 --------- d-----w C:\Program Files\Real
2008-03-14 18:28 --------- dc----w C:\Documents and Settings\Administrator\Application Data\7100Series
2008-03-14 18:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Napster
2008-03-14 18:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\BVRP Software
2008-03-14 18:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-03-14 18:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-14 18:22 --------- d-----w C:\Program Files\EPSON
2008-03-14 18:21 --------- d-----w C:\Program Files\OfficeUpdate11
2008-03-13 04:39 --------- d-----w C:\Program Files\Unlocker
2008-03-10 18:50 --------- d-----w C:\Program Files\iTunes
2008-03-10 18:49 --------- d-----w C:\Program Files\iPod
2008-03-10 18:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-03-10 18:48 --------- d-----w C:\Program Files\Bonjour
2008-03-10 18:46 --------- d-----w C:\Program Files\Apple Software Update
2008-03-10 18:45 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-10 18:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-03-08 11:04 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-07 02:27 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\Desktopicon
2008-03-07 00:04 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\Media Player Classic
2008-03-06 23:35 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-06 23:25 --------- d-----w C:\Program Files\Decoder
2008-03-06 23:14 --------- d-----w C:\Program Files\AVSMedia
2008-03-06 23:03 --------- d-----w C:\Program Files\DivX
2008-03-06 23:01 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\DivX
2008-03-06 01:04 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\MySpace
2008-02-21 02:05 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-02-21 02:05 129,784 ----a-w C:\WINDOWS\system32\PxAFS.DLL
2008-02-21 02:03 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-01 10:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-08-12 04:13 92,064 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmmdm.sys
2007-08-12 04:13 9,232 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmmdfl.sys
2007-08-12 04:13 79,328 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmserd.sys
2007-08-12 04:13 66,656 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmbus.sys
2007-08-12 04:13 6,208 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmcmnt.sys
2007-08-12 04:13 5,936 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmwhnt.sys
2007-08-12 04:13 4,048 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmcr.sys
2007-08-12 04:13 25,600 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\usbsermptxp.sys
2007-08-12 04:13 22,768 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\usbsermpt.sys
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET6F.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET1B0.tmp
2005-12-15 19:03 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2000-01-01 08:39 271 --sh--w C:\Program Files\desktop.ini
2000-01-01 08:39 21,952 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97EBE3CC-10A7-4619-B127-9B5D4FA476A8}]
2008-04-13 23:39 212992 --a------ C:\WINDOWS\nslbvxpgtkn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{57ABA3CE-E927-4C81-BE2E-E20CAEC6645F}"= "C:\WINDOWS\sgoblxtm.dll" [2008-04-13 23:39 151552]

[HKEY_CLASSES_ROOT\clsid\{57aba3ce-e927-4c81-be2e-e20caec6645f}]
[HKEY_CLASSES_ROOT\sgoblxtm.1]
[HKEY_CLASSES_ROOT\TypeLib\{CBA0A72A-C5B0-47F8-9BD7-307B7708A58D}]
[HKEY_CLASSES_ROOT\sgoblxtm]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-14 14:09 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"zxcrqdht"="C:\WINDOWS\system32\sloxafkp.exe" [2008-04-14 02:37 106496]
"UIWatcher"="C:\Program Files\Defender Pro\Defender Pro Uninstaller\UIWatcher.exe" [2004-05-24 20:04 519680]
"uaextvrz"="C:\WINDOWS\system32\lwrkjolo.exe" [2008-04-15 18:10 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-02-29 22:10 15872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-10 11:40 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"LXBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 08:08 69632]
"lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 02:43 196608]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 11:53 286720]
"EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 06:24 61440]
"Sound Card Driver"="C:\My Games\LIBERTY-F82BA2D\svchost.exe" [ ]
"KAVPersonal50"="C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" [2005-10-21 02:21 387687]
"LaunchAntiSpy"="C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe" [2007-09-05 04:06 1630208]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 1.9.118.lnk - C:\Program Files\OpenOffice.org 1.9.118\program\quickstart.exe [2005-06-21 21:39:12 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"kEU1gkL26I"= C:\Documents and Settings\All Users.WINDOWS\Application Data\ehsfahad\klivyxeh.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcDUmjj]
efcDUmjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\Defender Pro\\Defender Pro Anti-Virus\\kav.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-10-03 07:59]
R3 atirage;atirage;C:\WINDOWS\system32\DRIVERS\atiragem.sys [2001-08-17 05:48]
R3 GigNIC;NDIS5.1 Miniport Driver for Belkin Gigabit Desktop Card;C:\WINDOWS\system32\DRIVERS\GigNIC.sys [2004-03-19 18:21]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 06:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 09:11:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 18:06:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\lwrkjolo.exe 106496 bytes executable


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
.
**************************************************************************
.
Completion time: 2008-04-15 18:20:15 - machine was rebooted [William A. Hudson]
ComboFix-quarantined-files.txt 2008-04-16 01:18:54

Pre-Run: 1,475,772,416 bytes free
Post-Run: 1,783,644,160 bytes free
.
2008-04-15 15:26:45 --- E O F ---


===============================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:38 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\ehsfahad\klivyxeh.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\lwrkjolo.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: DVA Storm - {97EBE3CC-10A7-4619-B127-9B5D4FA476A8} - C:\WINDOWS\nslbvxpgtkn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: sgoblxtm - {57ABA3CE-E927-4C81-BE2E-E20CAEC6645F} - C:\WINDOWS\sgoblxtm.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [Sound Card Driver] C:\My Games\LIBERTY-F82BA2D\svchost.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [zxcrqdht] C:\WINDOWS\system32\sloxafkp.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Defender Pro\Defender Pro Uninstaller\UIWatcher.exe
O4 - HKCU\..\Run: [uaextvrz] C:\WINDOWS\system32\lwrkjolo.exe
O4 - HKLM\..\Policies\Explorer\Run: [kEU1gkL26I] C:\Documents and Settings\All Users.WINDOWS\Application Data\ehsfahad\klivyxeh.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1204853167340
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/...ows-i586-jc.cab
O20 - Winlogon Notify: efcDUmjj - efcDUmjj.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7493 bytes

Edited by God_Is_The_Light (Wed Apr 16 2008 02:37 AM)


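As an added triage example (not code from this thread, nor from HijackThis or ComboFix): a small Python script that parses the O4 autorun lines of the HijackThis log above and flags the same patterns the fix script below targets, namely a Windows system binary name (such as svchost.exe) launched from a non-system folder, random-looking eight-letter lowercase value, file or folder names, and entries loaded through the Policies\Explorer\Run key. The sample lines are copied from the log above. The expected system folders assume the default C:\WINDOWS install shown in the log, and the eight-letter heuristic is an assumption drawn from the names in this one log, not a general rule.

```python
"""Triage helper for HijackThis 'O4' autorun lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted above (first post).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Sound Card Driver] C:\My Games\LIBERTY-F82BA2D\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [zxcrqdht] C:\WINDOWS\system32\sloxafkp.exe
O4 - HKCU\..\Run: [uaextvrz] C:\WINDOWS\system32\lwrkjolo.exe
O4 - HKLM\..\Policies\Explorer\Run: [kEU1gkL26I] C:\Documents and Settings\All Users.WINDOWS\Application Data\ehsfahad\klivyxeh.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First drive-letter path ending in a PE extension, quoted or not.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr)", re.IGNORECASE)
# Heuristic (assumption from this log): malware names here are 8 random lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")

# Where these core binaries live on the default C:\WINDOWS install seen in the log.
SYSTEM_BINARIES = {
    "svchost.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}


@dataclass
class Finding:
    name: str       # registry value name, e.g. 'zxcrqdht'
    path: str       # executable path extracted from the command line
    reasons: list   # human-readable red flags


def triage_o4(log_text: str) -> list:
    """Return a Finding for every O4 line that trips at least one red flag."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, key, cmd = m["name"], m["key"], m["cmd"]
        pm = PATH_RE.search(cmd)
        path = pm.group(0) if pm else cmd
        parent, _, file_name = path.rpartition("\\")
        stem = file_name.rsplit(".", 1)[0]
        parent_leaf = parent.rsplit("\\", 1)[-1]
        reasons = []

        # 1. A core system binary name outside its normal folder (svchost.exe in C:\My Games\...).
        expected = SYSTEM_BINARIES.get(file_name.lower())
        if expected and parent.lower() != expected:
            reasons.append(f"{file_name} runs from {parent} instead of {expected}")

        # 2. Random-looking names on the value, the file or its folder.
        for label, token in (("value name", name), ("file name", stem), ("folder name", parent_leaf)):
            if RANDOM_NAME_RE.match(token):
                reasons.append(f"random-looking {label} '{token}'")

        # 3. Policies\Explorer\Run is rarely used by legitimate installers.
        if "policies\\explorer\\run" in key.lower():
            reasons.append("loaded via Policies\\Explorer\\Run")

        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"[{f.name}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The script only reports; nothing is deleted, so it is safe to run over any saved log before deciding what goes into a fix script. The heuristics are tuned to this thread's log and will miss or over-report on other machines (a legitimate eight-letter lowercase program name would be flagged), which is why each reason is printed rather than a verdict.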
bricat
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 28646
Loc: belfast
Re: Spyware has infected my computer and I need help to remove it. [Re: God_Is_The_Light]
      #391664 - Wed Apr 16 2008 09:58 AM

We still have a bit more work to do to clean this up.

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:



Killall::

File::
C:\Documents and Settings\William A. Hudson\DesktopTrojan.Win32.BlackBird.PIF
C:\WINDOWS\system32\rsmjacyj.dll
C:\WINDOWS\system32\rjyltlvp.dll
C:\WINDOWS\dsktbwfe.dll
C:\WINDOWS\nslbvxpgtkn.dll
C:\WINDOWS\ogxtsepr.dll
C:\WINDOWS\sgoblxtm.dll
C:\WINDOWS\system32\sloxafkp.exe
C:\WINDOWS\spnkfwad.exe
C:\WINDOWS\hookdllX.dll
C:\WINDOWS\.prj
C:\WINDOWS\system32\lwrkjolo.exe
C:\WINDOWS\iun6002.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\BrowserHelperObjects\{97EBE3CC-10A7-4619-B127-9B5D4FA476A8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{57ABA3CE-E927-4C81-BE2E-E20CAEC6645F}"=-
[-HKEY_CLASSES_ROOT\clsid\{57aba3ce-e927-4c81-be2e-e20caec6645f}]
[-HKEY_CLASSES_ROOT\sgoblxtm.1]
[-HKEY_CLASSES_ROOT\TypeLib\{CBA0A72A-C5B0-47F8-9BD7-307B7708A58D}]
[-HKEY_CLASSES_ROOT\sgoblxtm]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zxcrqdht"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uaextvrz"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"kEU1gkL26I"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\windowsnt\currentversion\winlogon\notify\efcDUmjj]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply, and let me know how it is running.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

then :-

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

--------------------
MY HELP IS FREE,BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.

You don't stop laughing when you get old, you get old when you stop laughing!


God_Is_The_Light
new user


Reg'd: Tue
Posts: 13
Re: Spyware has infected my computer and I need help to remove it. [Re: bricat]
      #391811 - Thu Apr 17 2008 01:01 AM

Hi Brian. Well here is the latest information. After following your instructions in your last reply, once ComboFix stated that it was rebooting system / please wait...., it was stuck there for almost half an hour so I rebooted the system manually. After Windows restarted, I got the new ComboFix log and generated a new HijackThis log. (QUESTION: When I dragged the CFScript doc into ComboFix, was it supposed to start running? Because your instruction stated I was to restart the computer after the drag and drop.)

Then I downloaded Malwarebytes. I ran Malware like you said, and while it was running I got one popup stating "SYSTEM INTEGRITY SCAN WIZARD" and it said warning computer may have errors in windows registry and file system. It gave me the option to click next or cancel. I cancelled it and clicked OK when it asked if I was sure I wanted to exit setup. So after Malware finished scanning, it discovered 34 objects infected. All were checked and when I selected "Remove" it started to remove and instantly the computer rebooted itself. When Windows restarted a Microsoft Windows message appeared saying the system recovered from a serious error and asked if I wanted to send an error report to Microsoft.

I clicked the view button in the message box and it stated the following:

Error signature
BCCode:5 BCP1 : 82080278 BCP2 : 823C8A00 BCP3 : 00000001
BCP4 : 81FE6C18 OSVer:5_1_2600 SP:2_0 Product: 256_1

I reviewed the technical info about the error report and it stated the following files would be included in the report:

C:\DOCUME~1\WILLIA~1.HUD\LOCALS~1\Temp\WERa6c7.dir00\Mini041608-02.dmp
C:\DOCUME~1\WILLIA~1.HUD\LOCALS~1\Temp\WERa6c7.dir00\sysdata.xml

So I ran Malware again and the same thing happened, and both times when the system restarted there was no Malware log created.
So here are the logs from ComboFix and HijackThis. Let me know what you think.
Thanks Brian.

=======================================================

ComboFix 08-04-14.2 - William A. Hudson 2008-04-16 15:11:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.316 [GMT -7:00]
Running from: C:\Documents and Settings\William A. Hudson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\William A. Hudson\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\William A. Hudson\DesktopTrojan.Win32.BlackBird.PIF
C:\WINDOWS\.prj
C:\WINDOWS\dsktbwfe.dll
C:\WINDOWS\hookdllX.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\nslbvxpgtkn.dll
C:\WINDOWS\ogxtsepr.dll
C:\WINDOWS\sgoblxtm.dll
C:\WINDOWS\spnkfwad.exe
C:\WINDOWS\system32\lwrkjolo.exe
C:\WINDOWS\system32\rjyltlvp.dll
C:\WINDOWS\system32\rsmjacyj.dll
C:\WINDOWS\system32\sloxafkp.exe
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 68 bytes in 1 streams.
ADS - explorer.exe: deleted 132 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\.prj
C:\WINDOWS\dsktbwfe.dll
C:\WINDOWS\hookdllX.dll
C:\WINDOWS\iun6002.exe
C:\WINDOWS\nslbvxpgtkn.dll
C:\WINDOWS\ogxtsepr.dll
C:\WINDOWS\rs.txt
C:\WINDOWS\sgoblxtm.dll
C:\WINDOWS\spnkfwad.exe
C:\WINDOWS\system32\lwrkjolo.exe
C:\WINDOWS\system32\rjyltlvp.dll
C:\WINDOWS\system32\rsmjacyj.dll
C:\WINDOWS\system32\sloxafkp.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-16 04:29 . 2008-04-16 04:29 102,400 --a------ C:\WINDOWS\system32\tazwhyjk.exe
2008-04-16 03:20 . 2008-03-21 13:30 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-04-16 03:20 . 2008-03-21 13:30 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-04-15 18:55 . 2008-04-15 18:58 <DIR> d-------- C:\Program Files\Neomesh Image Converter
2008-04-15 18:45 . 2008-04-15 18:48 206 --a------ C:\WINDOWS\converter.INI
2008-04-15 18:43 . 2008-04-15 18:43 <DIR> d-------- C:\WINDOWS\Wallpaper
2008-04-15 10:38 . 2008-04-15 10:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 09:38 . 2008-04-15 09:38 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-14 16:11 . 2008-04-14 16:13 <DIR> d-------- C:\Program Files\Defender Pro
2008-04-14 12:59 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk8
2008-04-14 04:12 . 2008-04-15 13:13 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\TmpRecentIcons
2008-04-14 03:47 . 2008-04-14 03:47 37 --a------ C:\WINDOWS\omniASsdk.dat
2008-04-14 03:46 . 2008-04-14 03:46 <DIR> d-------- C:\WINDOWS\AntiSpy
2008-04-14 03:13 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk7
2008-04-14 03:08 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk6
2008-04-14 03:04 . 1998-06-16 16:45 77,878 --a------ C:\WINDOWS\system32\msvcirt.dll.bk5
2008-04-14 02:57 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk4
2008-04-14 02:54 . 2004-08-04 05:00 54,784 --a------ C:\WINDOWS\system32\msvcirt.dll.bk3
2008-04-14 02:53 . 1998-06-16 16:45 77,878 --a------ C:\WINDOWS\system32\msvcirt.dll.bk2
2008-04-14 02:37 . 2008-04-14 02:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ehsfahad
2008-04-14 02:21 . 2008-04-15 18:51 <DIR> d-------- C:\Program Files\ImageConverter Plus
2008-04-13 21:30 . 2008-04-16 04:23 <DIR> d----c--- C:\VideoFiles
2008-04-13 21:18 . 2008-04-13 21:18 <DIR> d-------- C:\Program Files\AliveMedia
2008-04-13 21:18 . 2002-05-23 20:40 110,080 --a------ C:\WINDOWS\system32\nLame.dll
2008-04-13 21:18 . 2001-06-23 21:20 23,040 --a------ C:\WINDOWS\system32\auth.dll
2008-04-13 21:12 . 2008-04-16 11:19 <DIR> d----c--- C:\DVDMovie
2008-04-13 21:06 . 2008-04-13 21:21 67 --a------ C:\WINDOWS\AoADVDRipper.INI
2008-04-13 21:05 . 2008-04-13 21:05 3,082 --a------ C:\WINDOWS\system32\affv9553p6now.sys
2008-04-13 20:51 . 2008-04-13 20:51 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\dvdcss
2008-04-13 20:28 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-04-13 20:28 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-04-13 19:34 . 2008-04-13 19:45 <DIR> d----c--- C:\iSofterOutput
2008-04-13 19:31 . 2008-04-13 19:31 <DIR> d-------- C:\Program Files\iSofter
2008-04-13 19:31 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2008-04-10 06:28 . 2008-04-11 11:35 <DIR> d-------- C:\Program Files\Audacity 1.3 Beta (Unicode)
2008-04-10 06:28 . 2008-04-14 03:02 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\Audacity
2008-04-09 23:38 . 2008-04-09 23:38 <DIR> d-------- C:\Program Files\MyPodcast Recorder
2008-04-09 18:23 . 2008-04-16 01:50 <DIR> d-------- C:\Program Files\Audacity
2008-04-09 00:05 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-08 23:55 . 2008-04-08 23:55 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-08 16:21 . 2008-04-08 16:21 66 --a------ C:\WINDOWS\system32\IPCROTIDE.SYS
2008-04-08 16:20 . 2008-04-08 16:21 79 --a------ C:\WINDOWS\iPC.ini
2008-04-08 11:16 . 2008-04-16 01:51 <DIR> d-------- C:\Program Files\PageBreeze
2008-04-08 11:16 . 2005-01-24 12:39 503,808 --a------ C:\WINDOWS\system32\ChilkatFTPx.dll
2008-04-08 11:16 . 1998-06-24 00:00 203,576 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-04-08 11:16 . 1998-06-18 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
2008-04-08 11:16 . 1999-05-15 00:24 97,280 --a------ C:\WINDOWS\system32\vspell32.ocx
2008-04-08 11:16 . 1998-11-18 11:40 89,600 --a------ C:\WINDOWS\system32\Leocx32.ocx
2008-04-08 11:16 . 1998-11-22 14:23 84,992 --a------ C:\WINDOWS\system32\Ledit32.dll
2008-04-08 11:16 . 1997-02-24 17:44 70,656 --a------ C:\WINDOWS\system32\vspell32.dll
2008-04-06 16:19 . 2008-04-14 18:30 <DIR> d-------- C:\Program Files\Celtx
2008-04-06 16:19 . 2008-04-06 16:19 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\Greyfirst
2008-04-01 20:04 . 2008-04-01 20:04 <DIR> d-------- C:\Program Files\Lexmark_7100 Series
2008-04-01 20:03 . 2008-04-01 20:11 11,916 --a------ C:\WINDOWS\system32\LexFiles.ulf
2008-04-01 20:01 . 2005-01-20 10:36 1,478 -ra------ C:\WINDOWS\system32\lxbx.loc
2008-04-01 20:00 . 2004-11-09 07:27 65,536 --a------ C:\WINDOWS\system32\lxbxcfg.dll
2008-04-01 19:50 . 2008-04-01 19:50 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Application Data\7100Series
2008-04-01 19:43 . 2008-04-01 19:43 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\WINDOWS
2008-04-01 19:35 . 2008-04-01 20:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\7100Series
2008-04-01 19:34 . 2008-04-01 20:11 <DIR> d-------- C:\Program Files\Lexmark 7100 Series
2008-04-01 13:51 . 2008-04-05 17:34 <DIR> d----c--- C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2008-04-01 13:51 . 2008-04-13 21:21 <DIR> d----c--- C:\Temp
2008-03-31 17:09 . 2008-03-31 17:09 <DIR> d-------- C:\WINDOWS\system32\New Folder
2008-03-31 17:02 . 2004-08-04 05:00 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2008-03-31 17:02 . 2004-08-04 05:00 138,752 --a--c--- C:\WINDOWS\system32\dllcache\sndvol32.exe
2008-03-31 14:25 . 2008-03-31 14:25 831,488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 14:25 . 2008-03-31 14:25 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 14:25 . 2008-03-31 14:25 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 14:25 . 2008-03-31 14:25 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 14:25 . 2008-03-31 14:25 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-03-31 14:25 . 2008-03-31 14:25 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-31 00:39 . 2008-03-31 00:39 <DIR> d-------- C:\Program Files\detest5
2008-03-31 00:39 . 2002-12-30 00:39 114 --------- C:\WINDOWS\de04ch5.dat
2008-03-30 15:52 . 2008-03-30 15:52 <DIR> d-------- C:\WINDOWS\Sun
2008-03-30 15:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-30 15:49 . 2008-03-30 15:50 <DIR> d-------- C:\Program Files\Java
2008-03-27 02:28 . 2008-03-27 02:28 <DIR> d----c--- C:\Documents and Settings\William A. Hudson\Profiles
2008-03-24 12:45 . 2008-03-24 12:45 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-03-21 13:30 . 2008-03-21 13:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 13:30 . 2008-03-21 13:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-03-21 13:30 . 2008-03-21 13:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-03-21 13:30 . 2008-03-21 13:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-03-21 13:30 . 2008-03-21 13:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 11:28 --------- d-----w C:\Program Files\Apple Software Update
2008-04-16 10:43 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\DivX
2008-04-16 10:20 --------- d-----w C:\Program Files\DivX
2008-04-16 09:22 --------- d-----w C:\Program Files\Common Files\Real
2008-04-16 09:03 --------- d-----w C:\Program Files\Yahoo!
2008-04-16 09:03 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\YAHOO
2008-04-14 02:22 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\Apple Computer
2008-04-14 02:20 --------- d-----w C:\Program Files\QuickTime
2008-04-06 19:02 --------- d-----w C:\Program Files\Lx_cats
2008-04-02 03:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 00:16 382 ----a-w C:\Program Files\Shortcut to Program Files.lnk
2008-03-23 23:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-03-15 17:29 --------- d-----w C:\Program Files\Google
2008-03-14 20:14 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\Amazon
2008-03-14 20:11 --------- d-----w C:\Program Files\Amazon
2008-03-14 18:28 --------- dc----w C:\Documents and Settings\Administrator\Application Data\7100Series
2008-03-14 18:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Napster
2008-03-14 18:26 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\BVRP Software
2008-03-14 18:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-03-14 18:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-14 18:22 --------- d-----w C:\Program Files\EPSON
2008-03-14 18:21 --------- d-----w C:\Program Files\OfficeUpdate11
2008-03-13 04:39 --------- d-----w C:\Program Files\Unlocker
2008-03-10 18:50 --------- d-----w C:\Program Files\iTunes
2008-03-10 18:49 --------- d-----w C:\Program Files\iPod
2008-03-10 18:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-03-10 18:48 --------- d-----w C:\Program Files\Bonjour
2008-03-10 18:45 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-10 18:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-03-08 11:04 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-07 02:27 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\Desktopicon
2008-03-07 00:04 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\Media Player Classic
2008-03-06 23:35 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-06 23:25 --------- d-----w C:\Program Files\Decoder
2008-03-06 23:14 --------- d-----w C:\Program Files\AVSMedia
2008-03-06 01:04 --------- dc----w C:\Documents and Settings\William A. Hudson\Application Data\MySpace
2008-02-21 02:05 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-08-12 04:13 92,064 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmmdm.sys
2007-08-12 04:13 9,232 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmmdfl.sys
2007-08-12 04:13 79,328 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmserd.sys
2007-08-12 04:13 66,656 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmbus.sys
2007-08-12 04:13 6,208 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmcmnt.sys
2007-08-12 04:13 5,936 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmwhnt.sys
2007-08-12 04:13 4,048 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\mqdmcr.sys
2007-08-12 04:13 25,600 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\usbsermptxp.sys
2007-08-12 04:13 22,768 -c--a-w C:\Documents and Settings\Administrator.LIBERTY-F82BA2D\usbsermpt.sys
2005-12-15 19:03 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2000-01-01 08:39 271 --sh--w C:\Program Files\desktop.ini
2000-01-01 08:39 21,952 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_18.17.52.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 01:05:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-16 22:28:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-03-06 01:22:34 22,752 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spcustom.dll
+ 2007-03-06 01:22:36 14,048 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-03-06 01:22:59 716,000 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\update.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\updspapi.dll
+ 2007-08-14 01:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2007-08-14 01:39:00 123,904 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\advpack.dll
+ 2007-08-14 01:35:46 346,624 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtmsft.dll
+ 2007-08-14 01:35:38 214,528 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\dxtrans.dll
+ 2007-08-14 01:54:10 131,584 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\extmgr.dll
+ 2007-08-14 01:36:26 61,952 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\icardie.dll
+ 2007-08-14 01:39:06 54,784 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ie4uinit.exe
+ 2007-08-14 01:39:26 152,064 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakeng.dll
+ 2007-08-14 01:39:54 229,376 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieaksie.dll
+ 2007-08-14 00:56:54 161,792 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieakui.dll
+ 2007-02-12 23:10:12 2,451,312 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dat
+ 2007-07-11 19:27:48 383,488 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieapfltr.dll
+ 2007-08-14 01:39:50 382,976 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iedkcs32.dll
+ 2007-08-14 01:54:10 6,049,280 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieframe.dll
+ 2007-08-14 01:39:10 43,008 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iernonce.dll
+ 2007-08-14 01:34:04 266,752 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iertutil.dll
+ 2007-08-14 01:39:10 13,312 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\ieudinit.exe
+ 2007-08-14 01:43:56 622,080 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\iexplore.exe
+ 2007-08-14 01:54:10 27,136 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\jsproxy.dll
+ 2007-08-14 01:54:10 458,752 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeeds.dll
+ 2007-08-14 01:54:10 50,688 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msfeedsbs.dll
+ 2007-08-14 01:54:12 3,578,368 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtml.dll
+ 2007-08-14 01:54:10 475,648 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mshtmled.dll
+ 2007-08-14 01:44:26 192,000 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\msrating.dll
+ 2007-08-14 01:54:10 670,720 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\mstime.dll
+ 2007-08-14 01:44:06 101,376 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\occache.dll
+ 2007-08-14 01:36:12 44,544 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\pngfilt.dll
+ 2007-03-06 01:22:31 22,752 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spcustom.dll
+ 2007-03-06 01:22:33 14,048 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spmsg.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst.exe
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\updspapi.dll
+ 2007-03-06 01:22:56 716,000 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\update.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\updspapi.dll
+ 2007-08-14 01:44:30 105,984 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\url.dll
+ 2007-08-14 01:54:10 1,162,240 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll
+ 2007-08-14 01:54:10 231,424 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\webcheck.dll
+ 2007-08-14 01:54:10 818,688 -c----w C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
+ 2008-04-16 02:21:02 27,136 ----a-r C:\WINDOWS\Installer\{02DFF6B1-1654-411C-8D7B-FD6052EF016F}\AppleSoftwareUpdateIco.exe
- 2007-08-14 01:39:00 123,904 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2003-06-25 16:45:42 208,896 ------w C:\WINDOWS\system32\cnvshell.dll
+ 2008-03-21 20:28:20 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
- 2007-08-14 01:39:00 123,904 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-03-01 13:06:20 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-14 01:35:46 346,624 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-08-14 01:35:38 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-14 01:54:10 131,584 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-03-01 13:06:21 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-14 01:39:06 54,784 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-14 01:39:26 152,064 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-14 01:39:54 229,376 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-14 00:56:54 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-14 01:39:50 382,976 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-14 01:39:10 43,008 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-03-01 13:06:24 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-14 01:43:56 622,080 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-02-29 08:55:46 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-14 01:54:10 27,136 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-08-14 01:54:12 3,578,368 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-03-02 01:36:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-14 01:54:10 475,648 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-14 01:44:26 192,000 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-03-01 13:06:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-14 01:54:10 670,720 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-03-01 13:06:29 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-14 01:44:06 101,376 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-03-01 13:06:29 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
- 2007-08-14 01:36:12 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-08-14 01:44:30 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-03-01 13:06:29 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-14 01:54:10 1,162,240 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-14 01:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-08-14 01:54:10 231,424 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-03-01 13:06:30 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-14 01:54:10 818,688 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-03-01 13:06:31 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2007-11-30 07:28:24 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
+ 2008-03-21 20:28:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
+ 2008-03-21 20:28:50 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
- 2007-02-06 22:06:32 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
+ 2008-03-21 20:28:50 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
+ 2008-03-21 20:28:52 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
- 2007-02-06 22:06:32 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
+ 2008-03-21 20:28:50 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
+ 2008-03-21 20:28:50 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
- 2007-02-06 22:06:32 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
+ 2008-03-21 20:28:50 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
- 2007-02-06 22:06:32 200,704 ----a-w C:\WINDOWS\system32\dtu100.dll
+ 2008-03-21 20:28:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
- 2007-08-14 01:35:46 346,624 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-08-14 01:35:38 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-14 01:54:10 131,584 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-14 01:36:26 61,952 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-14 01:39:06 54,784 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-14 01:39:26 152,064 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-14 01:39:54 229,376 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-14 00:56:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-02-12 23:10:12 2,451,312 ----a-w C:\WINDOWS\system32\ieapfltr.dat
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\system32\ieapfltr.dat
- 2007-07-11 19:27:48 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-14 01:39:50 382,976 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-14 01:54:10 6,049,280 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-14 01:39:10 43,008 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-14 01:34:04 266,752 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-14 01:39:10 13,312 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-14 01:54:10 27,136 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-08-14 01:54:10 458,752 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-14 01:54:10 50,688 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-14 01:54:12 3,578,368 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-03-02 01:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-14 01:54:10 475,648 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-14 01:44:26 192,000 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-14 01:54:10 670,720 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-14 01:44:06 101,376 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-08-14 01:36:12 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-03-21 20:30:04 66,296 ------w C:\WINDOWS\system32\pxcpya64.exe
+ 2008-03-21 20:30:06 72,440 ------w C:\WINDOWS\system32\pxhpinst.exe
+ 2008-03-21 20:30:04 64,760 ------w C:\WINDOWS\system32\pxinsa64.exe
- 2007-08-14 01:44:30 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-14 01:54:10 1,162,240 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-14 01:54:10 231,424 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-14 01:54:10 818,688 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-14 14:09 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"qhopxoqs"="C:\WINDOWS\system32\tazwhyjk.exe" [2008-04-16 04:29 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-02-29 22:10 15872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-10 11:40 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"LXBXCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll" [2004-11-02 08:08 69632]
"lxbxmon.exe"="C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" [2005-01-18 02:43 196608]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 7100 Series\fm3032.exe" [2004-12-06 11:53 286720]
"EzPrint"="C:\Program Files\Lexmark 7100 Series\ezprint.exe" [2004-09-17 06:24 61440]
"Sound Card Driver"="C:\My Games\LIBERTY-F82BA2D\svchost.exe" [ ]
"LaunchAntiSpy"="C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 1.9.118.lnk - C:\Program Files\OpenOffice.org 1.9.118\program\quickstart.exe [2005-06-21 21:39:12 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcDUmjj]
efcDUmjj.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 atirage;atirage;C:\WINDOWS\system32\DRIVERS\atiragem.sys [2001-08-17 05:48]
R3 GigNIC;NDIS5.1 Miniport Driver for Belkin Gigabit Desktop Card;C:\WINDOWS\system32\DRIVERS\GigNIC.sys [2004-03-19 18:21]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 06:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 02:21:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-16 09:11:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-16 18:39:34 C:\WINDOWS\Tasks\User_Feed_Synchronization-{5E604979-BAC1-4C79-A317-3DFE3269BA83}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 15:29:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-16 15:36:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 22:35:51
ComboFix2.txt 2008-04-16 01:20:16

Pre-Run: 3,034,460,160 bytes free
Post-Run: 3,435,372,544 bytes free
.
2008-04-16 10:02:37 --- E O F ---


===============================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:47 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\tazwhyjk.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [Sound Card Driver] C:\My Games\LIBERTY-F82BA2D\svchost.exe
O4 - HKLM\..\Run: [LaunchAntiSpy] C:\Program Files\DefenderPro AntiSpy\TSAntiSpy.exe /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qhopxoqs] C:\WINDOWS\system32\tazwhyjk.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsu...b?1204853167340
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/...ows-i586-jc.cab
O20 - Winlogon Notify: efcDUmjj - efcDUmjj.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe

--
End of file - 6418 bytes


bricat
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 28646
Loc: belfast
Re: Spyware has infected my computer and I need help to remove it. [Re: God_Is_The_Light]
      #391813 - Thu Apr 17 2008 01:45 AM

Rerun HJT, and put a checkmark beside these:-

O4 - HKCU\..\Run: [qhopxoqs] C:\WINDOWS\system32\tazwhyjk.exe
O20 - Winlogon Notify: efcDUmjj - efcDUmjj.dll (file missing)

Now close all windows and browsers and click FIX CHECKED.


Then:-


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

Killall::

File::
C:\WINDOWS\system32\tazwhyjk.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qhopxoqs"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcDUmjj]

Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe,

then restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt


Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply, and
let me know how it is running.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*

--------------------
MY HELP IS FREE, BUT PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST SPYWARE.
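The two HijackThis lines the helper picked out above (an O4 per-user Run value and an O20 Winlogon Notify entry whose DLL is missing) and the CFScript built from them follow a fixed pattern: File:: names the executable to delete, Registry:: uses regedit syntax where "name"=- deletes a value and [-Key] deletes a whole key. The script below is an added example written for this page; it is not HijackThis or ComboFix code. It parses O4/O20 lines (the sample lines are copied from the HijackThis log posted above), applies two triage heuristics that are the editor's own assumptions (an O20 entry marked "(file missing)", and an HKCU Run value launching from system32 under a value name that does not match the executable), and emits the CFScript text. The Winlogon Notify key is written as the ComboFix log above shows it, with the space in "windows nt".

```python
"""Triage HijackThis O4/O20 entries and emit a ComboFix CFScript.

Added example for this thread; it is not HijackThis or ComboFix code, and the
two triage heuristics below are illustrative assumptions, not vendor rules.
"""
import re
from dataclasses import dataclass
from typing import List

# Sample input: O4/O20/O23 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qhopxoqs] C:\WINDOWS\system32\tazwhyjk.exe
O20 - Winlogon Notify: efcDUmjj - efcDUmjj.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (\S+)(?P<missing> \(file missing\))?$")
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)   # path up to the first .exe


@dataclass
class Finding:
    kind: str            # "O4" (Run value) or "O20" (Winlogon Notify subkey)
    hive: str            # "HKCU" or "HKLM"
    name: str            # Run value name, or Notify subkey name
    path: str            # executable or DLL as HijackThis logged it
    file_missing: bool = False


def parse_log(text: str) -> List[Finding]:
    """Pull O4 Run entries and O20 Winlogon Notify entries out of an HJT log."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            exe = EXE_RE.match(command)
            # Strip quotes and trailing switches; keep the whole command if no .exe.
            path = exe.group(1) if exe else command
            findings.append(Finding("O4", hive, name, path))
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs register under HKLM only.
            findings.append(Finding("O20", "HKLM", m.group(1), m.group(2),
                                    file_missing=m.group("missing") is not None))
    return findings


SYSTEM32 = "c:\\windows\\system32\\"


def is_suspicious(f: Finding) -> bool:
    """Illustrative heuristics (assumption): flag dangling Notify DLLs and
    per-user Run values from system32 whose value name hides the file name."""
    if f.kind == "O20":
        # A Notify DLL whose file is gone is a dangling load point; nothing
        # legitimate still needs the registration, so it is safe to delete.
        return f.file_missing
    if f.kind == "O4" and f.hive == "HKCU":
        # Windows' own ctfmon.exe is registered as "ctfmon.exe" and so passes.
        exe_name = f.path.lower().rsplit("\\", 1)[-1]
        return f.path.lower().startswith(SYSTEM32) and f.name.lower() != exe_name
    return False


def triage(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if is_suspicious(f)]


RUN_KEY = {"HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def build_cfscript(flagged: List[Finding]) -> str:
    """Emit CFScript text: Killall:: stops running processes first, File::
    deletes files, Registry:: takes regedit syntax ("name"=- removes a value,
    [-Key] removes a key)."""
    lines = ["Killall::", "", "File::"]
    lines += [f.path for f in flagged if f.kind == "O4"]
    lines += ["", "Registry::"]
    for f in flagged:
        if f.kind == "O4":
            lines.append(f"[{RUN_KEY[f.hive]}]")
            lines.append(f'"{f.name}"=-')
        else:
            lines.append(f"[-{NOTIFY_KEY}\\{f.name}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(parse_log(SAMPLE_LOG))))
```

Run against the sample lines it produces the same CFScript the helper posted. The heuristics are deliberately narrow: anything they flag still needs a human to confirm, as the helper did here, before the script is dropped onto ComboFix.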