Hi,
I deleted Party Poker & Viewpoint. I ran the HijackThis scan & checked the 2 files:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
and tried to delete them, but they came back.
I was unable to run the Kaspersky Online Scanner. I could not navigate to the Accept license button. I'm not sure which Internet Explorer I'm running. I could not make the browser large enough to get to the button, sorry. If you have any tips, or if I need to download a newer browser, I'll do my best.
I do, really, want to thank you so much for helping me! I had no idea how infected my computer is. And definitely would not know how to fix it. Thank You!!!! Bob
Here are the logs that you asked me to run:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:11:55 AM, on 8/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\eAcceleration\Firewall\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\eAcceleration\OnAccess\scan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\EACCEL~1\Station\station.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob Parchman\Desktop\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {64988904-C617-4599-8CFA-0B8F5CE911D1} - C:\WINDOWS\msagent\CHARS\ysslpay.dll
O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O4 - HKLM\..\Run: [OnAccess] "C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" -e
O4 - HKLM\..\Run: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\RunOnce: [StopSignSsFwMon] Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus /ro
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O20 - Winlogon Notify: ysslpay - C:\WINDOWS\msagent\CHARS\ysslpay.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O24 - Desktop Component 0: (no name) -
http://adisney.go.com/disneypictures/ca ... /mater.gif
--
End of file - 3521 bytes
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 8/7/2007 11:03:01 PM for strings:
; 'mehtqnso'
; 'hetumxcz'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
; Contents of value:
; 6to4
; AppMgmt
; AudioSrv
; Browser
; CryptSvc
; DMServer
; DHCP
; ERSvc
; EventSystem
; FastUserSwitchingCompatibility
; HidServ
; Ias
; Iprip
; Irmon
; mehtqnso
; LanmanServer
; LanmanWorkstation
; Messenger
; Netman
; Nla
; Ntmssvc
; NWCWorkstation
; Nwsapagent
; Rasauto
; Rasman
; Remoteaccess
; Schedule
; Seclogon
; SENS
; Sharedaccess
; SRService
; Tapisrv
; Themes
; TrkWks
; W32Time
; WZCSVC
; Wmi
; WmdmPmSp
; winmgmt
; TermService
; wuauserv
; BITS
; ShellHWDetection
; helpsvc
; uploadmgrldrsvc
;
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ\0000]
"Service"="HETUMXCZ"
"DeviceDesc"="HETUMXCZ"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HETUMXCZ\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO\0000]
"Service"="mehtqnso"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEHTQNSO\0000\Control]
"ActiveService"="mehtqnso"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ]
; Contents of value:
; \??\C:\WINDOWS\System32\hetumxcz.jzq
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,68,00,65,00,74,00,75,00,6d,00,78,00,63,00,7a,00,2e,00,6a,00,7a,00,\
71,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HETUMXCZ\Enum]
"0"="Root\\LEGACY_HETUMXCZ\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mehtqnso]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mehtqnso\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mehtqnso\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mehtqnso\Enum]
"0"="Root\\LEGACY_MEHTQNSO\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HETUMXCZ]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HETUMXCZ\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HETUMXCZ\0000]
"Service"="HETUMXCZ"
"DeviceDesc"="HETUMXCZ"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HETUMXCZ\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MEHTQNSO]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MEHTQNSO\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MEHTQNSO\0000]
"Service"="mehtqnso"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HETUMXCZ]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HETUMXCZ]
; Contents of value:
; \??\C:\WINDOWS\System32\hetumxcz.jzq
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,68,00,65,00,74,00,75,00,6d,00,78,00,63,00,7a,00,2e,00,6a,00,7a,00,\
71,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HETUMXCZ\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mehtqnso]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mehtqnso\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ\0000]
"Service"="HETUMXCZ"
"DeviceDesc"="HETUMXCZ"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HETUMXCZ\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO\0000]
"Service"="mehtqnso"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEHTQNSO\0000\Control]
"ActiveService"="mehtqnso"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ]
; Contents of value:
; \??\C:\WINDOWS\System32\hetumxcz.jzq
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,68,00,65,00,74,00,75,00,6d,00,78,00,63,00,7a,00,2e,00,6a,00,7a,00,\
71,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HETUMXCZ\Enum]
"0"="Root\\LEGACY_HETUMXCZ\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mehtqnso\Enum]
"0"="Root\\LEGACY_MEHTQNSO\\0000"
; End Of The Log...
C:\WINDOWS\System32\hetumxcz.jzq file not found
File: dvlrkcby.dll
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: e7fba52c9e97ae5ddd3bd253519dc239
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 08 Aug 2007 04:42:28 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.ConHook.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Clicker.HRP
BitDefender
Found Trojan.Dldr.Conhook.AH
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
NOD32
Found nothing
Norman Virus Control
Found W32/BHO.QG
Panda Antivirus
Found nothing
Rising Antivirus
Found Trojan.Clicker.Win32.Delf.hi
Sophos Antivirus
Found Mal/EncPk-M
VirusBuster
Found nothing
VBA32
Found nothing
C:\sysnrun.exe
File: sysnrun.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: eed047c97d8773479eb09d7bd6ba4fca
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 08 Aug 2007 04:46:06 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.U.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Obfustat.AJC
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.Packed.153
F-Prot Antivirus
Found Possibly a new variant of W32/CodeCru-based!Maximus
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found Generic
Rising Antivirus
Found nothing
Sophos Antivirus
Found Mal/HckPk-A
VirusBuster
Found nothing
VBA32
Found Trojan-PSW.Pinch.65 (paranoid heuristics) (probable variant)
C:\WINDOWS\system32\tovtbdrt.dll
File: tovtbdrt.dll
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 9710c7b22e7b3121f0a25a6f2b258f3b
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 08 Aug 2007 04:50:07 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.ConHook.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Obfustat.CZZ
BitDefender
Found Trojan.Dldr.Conhook.AA
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
NOD32
Found nothing
Norman Virus Control
Found W32/BHO.QG
Panda Antivirus
Found nothing
Rising Antivirus
Found Trojan.Clicker.Win32.Delf.hi
Sophos Antivirus
Found Mal/EncPk-M
VirusBuster
Found nothing
VBA32
Found nothing
ComboFix 07-08-06.5 - "Bob Parchman" 2007-08-08 0:21:19.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.614 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Bob Parchman\Recent\CFscript.lnk
* Created a new restore point
((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))
2007-08-22 15:57 165,888 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-08-17 12:30 684,567 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2007-08-17 12:30 147,729 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2007-08-17 12:27 756,224 --a------ C:\WINDOWS\SYSTEM32\dvlrkcby.dll
2007-08-06 12:53 475,136 --a------ C:\WINDOWS\Uninstaller.exe
2007-08-06 10:22 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-08-06 10:22 94,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-08-06 10:22 92,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-08-06 10:22 783,224 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-08-06 10:22 499,712 --a------ C:\WINDOWS\SYSTEM32\MSVCP71.dll
2007-08-06 10:22 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-08-06 10:22 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-08-06 10:22 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-08-06 10:22 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-08-06 10:21 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-05 22:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 22:25 <DIR> d---s---- C:\DOCUME~1\KATEPA~1\UserData
2007-08-05 22:10 1,205,111 ---hs---- C:\WINDOWS\qruwwa.ini2
2007-08-05 21:54 7,680 --a------ C:\sysnrun.exe
2007-08-05 21:53 <DIR> d-------- C:\HJT
2007-08-05 21:44 89,902 --a------ C:\WINDOWS\SYSTEM32\dnf89316df.dat
2007-08-04 19:49 1,204,923 ---hs---- C:\WINDOWS\kmlopo.ini2
2007-08-04 19:09 131,448 --a------ C:\WINDOWS\opolmk.dll
2007-08-04 18:45 131,448 --a------ C:\WINDOWS\yababx.dll
2007-08-04 18:43 4,096 --a------ C:\WINDOWS\SYSTEM32\dfrgntfs.dll
2007-08-04 17:57 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-08-04 17:57 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-08-04 17:57 313,856 --a------ C:\WINDOWS\SYSTEM32\dx3j.dll
2007-08-04 17:57 171,280 --a------ C:\WINDOWS\SYSTEM32\jit.dll
2007-08-04 17:57 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2007-08-04 17:56 947,472 --a------ C:\WINDOWS\SYSTEM32\msjava.dll
2007-08-04 17:56 63,248 --a------ C:\WINDOWS\SYSTEM32\javaprxy.dll
2007-08-04 17:56 49,424 --a------ C:\WINDOWS\SYSTEM32\clspack.exe
2007-08-04 17:56 404,752 --a------ C:\WINDOWS\SYSTEM32\javart.dll
2007-08-04 17:56 286,992 --a------ C:\WINDOWS\SYSTEM32\vmhelper.dll
2007-08-04 17:56 21,264 --a------ C:\WINDOWS\SYSTEM32\msjdbc10.dll
2007-08-04 17:56 187,152 --a------ C:\WINDOWS\SYSTEM32\javacypt.dll
2007-08-04 17:56 172,304 --a------ C:\WINDOWS\SYSTEM32\jview.exe
2007-08-04 17:56 171,792 --a------ C:\WINDOWS\SYSTEM32\wjview.exe
2007-08-04 17:56 154,384 --a------ C:\WINDOWS\SYSTEM32\msawt.dll
2007-08-04 17:56 15,120 --a------ C:\WINDOWS\SYSTEM32\jdbgmgr.exe
2007-08-04 17:56 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2007-08-04 17:56 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2007-08-04 17:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-04 14:27 97,752 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fwcore.sys
2007-08-04 12:27 <DIR> d-------- C:\Program Files\D-Link
2007-08-04 07:24 8,705 --a------ C:\WINDOWS\SYSTEM32\nkxdxruw.exe
2007-07-27 19:13 8,505 --a------ C:\WINDOWS\SYSTEM32\erninxcz.exe
2007-07-20 09:46 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-07-20 09:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-07-20 09:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-07-20 09:27 7,680 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx2.dll
2007-07-20 09:27 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2007-07-20 09:27 7,168 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bitsprx3.dll
2007-07-20 09:27 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2007-07-20 09:27 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2007-07-20 09:27 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2007-07-20 09:27 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2007-07-20 08:23 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-20 08:23 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-20 08:23 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-20 08:23 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-20 08:17 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-17 12:24 125440 --a------ C:\WINDOWS\system32\tovtbdrt.dll
2007-08-07 14:48 --------- d-------- C:\Program Files\wmconnect
2007-08-04 22:53 --------- d-------- C:\Program Files\Viewpoint
2007-08-04 22:52 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-04 18:43 --------- d-------- C:\DOCUME~1\BOBPAR~1\APPLIC~1\eAcceleration
2007-08-04 18:02 --------- d-------- C:\Program Files\Messenger
2007-08-04 14:26 --------- d-------- C:\Program Files\eAcceleration
2007-08-04 14:22 --------- d-------- C:\Program Files\Acceleration Software
2007-08-04 13:53 --------- d-------- C:\Program Files\Common Files\eAcceleration
2007-07-20 08:24 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-24 20:45 --------- d-------- C:\Program Files\Edventure Software
2007-06-24 20:41 63488 --a------ C:\WINDOWS\xobglu16.dll
2007-06-24 20:41 23552 --a------ C:\WINDOWS\xobglu32.dll
2007-06-24 20:35 --------- d-------- C:\Program Files\Scholastic
2007-06-24 14:34 --------- d-------- C:\Program Files\Microsoft Kids
2007-06-22 14:45 --------- d-------- C:\Program Files\FinePixViewer
2002-10-08 11:37 207759 --a------ C:\Program Files\INSTALL.LOG
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64988904-C617-4599-8CFA-0B8F5CE911D1}]
2007-08-04 18:43 593920 ---h----- C:\WINDOWS\msagent\CHARS\ysslpay.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnAccess"="C:\Program Files\eAcceleration\OnAccess\OnAccess.exe" [2006-10-24 19:21]
"StopSignSsFwMon"="C:\Program Files\eAcceleration\Firewall\ssfwmon.dll" [2006-08-09 13:56]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 17:03]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-02-27 13:17]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"StopSignSsFwMon"=Rundll32.exe "C:\Program Files\eAcceleration\Firewall\ssfwmon.dll",VerifyStatus /ro
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
C:\Documents and Settings\Bob Parchman\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-31 10:50:56]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2001-08-31 10:50:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1A42F606-3E21-4AB5-9565-E7C8EF6B0929}"= C:\PROGRA~1\EACCEL~1\OnAccess\sehk.dll [2006-10-24 19:21 71256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ysslpay]
C:\WINDOWS\msagent\CHARS\ysslpay.dll 2007-08-04 18:43 593920 C:\WINDOWS\MSAGENT\CHARS\ysslpay.dll
R0 fwcore;Fwcore Filter;C:\WINDOWS\System32\drivers\fwcore.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\System32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\System32\drivers\ASCTRM.sys
R2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe -Service
R2 mrtRate;mrtRate;C:\WINDOWS\System32\drivers\mrtRate.sys
R2 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe
R3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\System32\DRIVERS\m4cxw2k3.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 wandrv;WAN Network Driver;C:\WINDOWS\System32\DRIVERS\wandrv.sys
S2 HETUMXCZ;HETUMXCZ;\??\C:\WINDOWS\System32\hetumxcz.jzq
S2 mehtqnso;TCP/IP Protocol Monitor;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\System32\DRIVERS\mr97310v.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
mehtqnso
uploadmgrldrsvc
Contents of the 'Scheduled Tasks' folder
2007-08-07 06:55:00 C:\WINDOWS\Tasks\Start Scan.job - C:\PROGRA~1\ACCELE~1\ANTI-V~1\STOPSI~1.EXE
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-08-08 00:22:25
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-08 0:23:29
C:\ComboFix-quarantined-files.txt ... 2007-08-08 00:23
C:\ComboFix2.txt ... 2007-08-07 22:33
C:\ComboFix3.txt ... 2007-08-06 18:51
--- E O F ---