Free Malware Removal Forum

by **rgward611** » November 12th, 2007, 8:35 pm

I downloaded and installed HiJackThis but when I execute it I get a program error..."HiJackthis has generated errors and will be closed by Windows." Am I doing something wrong? My IE browser has been hijacked by problem BHOs (byxxxyx.dll and xxyay.dll) that I can't get rid of. I have the following spyware/anti-virus tools on my laptop and all current and are up to date with latest signatures but they run clean and do not detect any vulnerabilities or threats. Please advise.

McAfee Anti-virus
Webroot SpySweeper
Spybot
SpywareBlaster
Ad-Aware
AVG

I am running Win2000 Pro SP4 and all latest patches.

Here is the HiJackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 6:14:16 PM, on 11/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\1XConfig.exe
C:\WINNT\system32\BacsTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\EXPLORER.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 170.93.255.5:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 170.93.*.*;192.168.*.*;10.92.*.*,10.93.*.*;10.94.*.*;10.95.*.*;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINNT\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for ðºýî“ac: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://170.93.5.125:2080/SWToolset.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2680821703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7256221337
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mail.e-mdot.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerd ... CTIVEX.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{302C701B-3E19-4D34-8052-BAF6E502F33E}: Domain = frdrmd.adelphia.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{302C701B-3E19-4D34-8052-BAF6E502F33E}: NameServer = 68.87.73.242,68.87.71.226
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINNT\Downloaded Program Files\mimectl.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SolarWinds TFTP Server - SolarWinds - C:\Program Files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

by **Katana** » November 15th, 2007, 5:56 am

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.

VundoFix
Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Old version of HJT
You are running an older version of Hijack This.

Click here to download HJTinstall.exe
Save HJTinstall.exe to your desktop.
It is important that you uninstall any previous versions by using Add/Remove programs in your control panel
before installing a newer version.

Double click on the HJTinstall.exe icon on your desktop.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

by **rgward611** » November 15th, 2007, 11:50 pm

katana,

Here are the Vundofix.txt results.
VundoFix V6.6.1

Checking Java version...

Scan started at 9:31:01 PM 11/15/2007

Listing files found while scanning....

C:\WINNT\system32\byxxxyx.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\byxxxyx.dll
C:\WINNT\system32\byxxxyx.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.6.1

Checking Java version...

Scan started at 9:35:21 PM 11/15/2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

I downloaded and installed HJTInstall.exe but immediately after accepting the License Agreement (window closes) I get a program error pop-up..."HiJackthis.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created." Clicked OK but, I can't locate any error log file. C:\Program files\Trend Micro\HijackThis folder was created with HiJackThis.exe installed. Attempted to run .exe but received same run-time error.

Pending your further instructions.

by **Katana** » November 16th, 2007, 6:59 am

Update AVG Anti-Spyware

Launch AVG Anti-Spyware
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Do not automatically generate reports
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Please post the report in your reply

Deckard's System Scanner
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

You may need more than one post to make sure the logs don't get cut off

by **rgward611** » November 16th, 2007, 10:30 pm

Katana,

AVG ran clean...Scan Complete Nothing found.

main.txt
Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-16 21:21:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:00 PM, on 11/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\RegSrvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\1XConfig.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 170.93.255.5:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 170.93.*.*;192.168.*.*;10.92.*.*,10.93.*.*;10.94.*.*;10.95.*.*;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AE0D8156-52EC-42F6-8EA8-5107AD95AD84} - C:\WINNT\system32\xxyya.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\system32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINNT\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for ðºýî“ac: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://170.93.5.125:2080/SWToolset.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2680821703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7256221337
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://mail.e-mdot.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerd ... CTIVEX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{302C701B-3E19-4D34-8052-BAF6E502F33E}: Domain = frdrmd.adelphia.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{302C701B-3E19-4D34-8052-BAF6E502F33E}: NameServer = 68.87.73.242,68.87.71.226
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINNT\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: SolarWinds TFTP Server - SolarWinds - C:\Program Files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8676 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NaiFsRec - c:\winnt\system32\drivers\naifsrec.sys
R1 omci (OMCI WDM Device Driver) - c:\winnt\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\winnt\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 PRPC - c:\winnt\system32\drivers\prpc.sys <Not Verified; Intel Corp.; Intel(R) SpeedStep(TM) technology Applet>
R2 s24trans (WLAN Transport) - c:\winnt\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel(R) Wireless LAN Packet Driver>
R3 NaiFiltr - c:\program files\common files\network associates\mcshield\naifiltr.sys

S3 2583 - c:\winnt\system32\2583.sys (file missing)
S3 2c32 - c:\winnt\system32\2c32.sys (file missing)
S3 3f74 - c:\winnt\system32\3f74.sys (file missing)
S3 agony - c:\documents and settings\administrator\desktop\wininit.sys
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 FreshIO - c:\program files\freshdevices\freshdiagnose\freshio.sys
S3 NAL (Nal Service ) - c:\winnt\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel(R) iQVW32.SYS>
S3 NPF (NetGroup Packet Filter Driver) - c:\winnt\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\winnt\system32\nsndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); NetStumbler>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AvSynMgr (AVSync Manager) - "c:\program files\network associates\virusscan\avsynmgr.exe"
R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.3) - c:\winnt\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
R2 RegSrvc - c:\winnt\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>
S3 SolarWinds TFTP Server - "c:\program files\solarwinds\engineer's toolset\solarwinds tftp server.exe" <Not Verified; SolarWinds; SolarWinds TFTP Server>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

-- Scheduled Tasks -------------------------------------------------------------

2007-11-16 18:02:36 454 --a------ C:\WINNT\Tasks\RegCure Program Check.job
2007-11-08 06:10:54 388 --a------ C:\WINNT\Tasks\RegCure.job

-- Files created between 2007-10-16 and 2007-11-16 -----------------------------

2007-11-16 19:21:29 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_724.dat
2007-11-15 21:56:00 0 d-------- C:\Program Files\Trend Micro
2007-11-15 21:27:18 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_7f8.dat
2007-11-13 18:58:14 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_7d8.dat
2007-11-13 18:27:52 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_458.dat
2007-11-12 23:40:23 743172 ---h----- C:\WINNT\ShellIconCache
2007-11-12 17:21:20 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_48c.dat
2007-11-12 17:21:08 404870 --ahs---- C:\WINNT\system32\ayyxx.ini2
2007-11-12 17:21:04 315488 -----n--- C:\WINNT\system32\xxyya.dll
2007-11-12 10:13:47 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_234.dat
2007-11-11 23:32:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-11 23:32:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 18:02:07 0 d-------- C:\Program Files\McAfee Tools
2007-11-10 23:03:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 23:03:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-10 16:25:45 0 d-------- C:\Program Files\Safer Networking
2007-11-10 13:56:08 0 d-------- C:\VundoFix Backups
2007-11-08 03:00:35 91824 --a------ C:\WINNT\system32\mskvtns.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-07 22:06:03 35328 --a------ C:\WINNT\system32\ljjghfe.dll
2007-11-07 22:02:36 0 d-a------ C:\WINNT\system32\Mz02r
2007-11-07 22:02:36 35328 -----n--- C:\WINNT\system32\byxxxyx.dll
2007-11-04 23:25:25 0 --a------ C:\pdfview.exe
2007-11-04 23:25:24 0 --a------ C:\bbzip.exe
2007-11-04 23:25:09 11776 --a------ C:\Documents and Settings\Administrator\wn852.exe
2007-10-24 22:11:18 20992 --a------ C:\WINNT\r-k.exe
2007-10-24 22:11:15 51628 --a------ C:\Documents and Settings\Administrator\wn100.exe

-- Find3M Report ---------------------------------------------------------------

2007-11-16 07:29:19 0 d-------- C:\Program Files\AZZ Cardfile
2007-11-14 19:49:59 0 d-------- C:\Program Files\SpywareBlaster
2007-11-11 20:14:40 0 d-------- C:\Program Files\Find Favorites
2007-11-11 14:06:32 0 d-------- C:\Program Files\RegCure
2007-11-10 23:06:30 0 d-------- C:\Program Files\Common Files\Scanner
2007-11-10 23:06:04 0 d-------- C:\Program Files\Yahoo!
2007-11-10 19:36:40 0 d-a------ C:\Program Files\Common Files
2007-11-10 19:01:20 0 d-------- C:\Program Files\Zinio
2007-10-18 12:16:59 164 --a------ C:\install.dat
2007-10-14 22:10:50 0 d-------- C:\Program Files\JIGLE-0.7.5
2007-10-14 21:34:07 0 d-------- C:\Program Files\MSECache
2007-09-17 21:18:02 11665 --a------ C:\WINNT\system32\nvModes.dat
2007-08-21 12:10:16 69632 --a------ C:\WINNT\system32\SWSendSyslog.dll <Not Verified; SolarWinds.Net; SWSendSyslog Module>
2007-08-21 12:09:04 122880 --a------ C:\WINNT\system32\SWPortScanV1.dll <Not Verified; Solarwinds.Net; PortScanner Module>
2007-08-21 12:08:14 122880 --a------ C:\WINNT\system32\DirectDNS.dll <Not Verified; SolarWinds.Net; SolarWinds Network Management Tools>
2007-08-21 12:05:22 905296 --a------ C:\WINNT\system32\SNMPv7.dll <Not Verified; SolarWinds.Net; SolarWinds.Net Network Management Tools>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE0D8156-52EC-42F6-8EA8-5107AD95AD84}]
11/12/07 05:21p 315488 --------- C:\WINNT\system32\xxyya.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 06:00p C:\WINNT\SYSTEM32\MOBSYNC.EXE]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [06/10/03 10:07a]
"PRPCMonitor"="PRPCUI.exe" [10/06/02 02:00p C:\WINNT\SYSTEM32\prpcui.exe]
"DVDSentry"="C:\WINNT\system32\DSentry.exe" [07/16/02 09:18p]
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [12/17/02 12:14a]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [07/29/05 07:52p]
"CARPService"="carpserv.exe" [10/17/02 06:54a C:\WINNT\SYSTEM32\carpserv.exe]
"nwiz"="nwiz.exe" [10/26/04 12:01p C:\WINNT\SYSTEM32\nwiz.exe]
"ZCfgSvc.exe"="C:\WINNT\system32\ZCfgSvc.exe" [07/05/05 12:32a]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [06/27/05 07:31a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/12/05 08:49p]
"NvCplDaemon"="RUNDLL32.exe" [06/19/03 06:00p C:\WINNT\SYSTEM32\RUNDLL32.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/07 07:51p]
"bacstray"="BacsTray.exe" [05/14/03 05:37a C:\WINNT\SYSTEM32\BacsTray.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/07 03:40p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe" [06/19/03 06:00p C:\WINNT\SYSTEM32\INTERNAT.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [6/19/2006 9:04:45 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 3:15:54 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\xxyya.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

-- End of Deckard's System Scanner: finished at 2007-11-16 21:22:42 ------------

by **rgward611** » November 16th, 2007, 10:32 pm

Part 2...

extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) M processor 1600MHz
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 1023.23 MiB / 756.28 MiB
Pagefile Memory (total/avail): 2460.4 MiB / 2196.89 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1957.18 MiB

C: is Fixed (NTFS) - 37.21 GiB total, 26.77 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST94811A - 37.26 GiB - 2 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=V89614
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\V89614
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\Program Files\Mozilla Firefox;C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\Common Files\Adaptec Shared\System;;C:\PROGRA~1\E!TCP
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=V89614
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT

-- User Profiles ---------------------------------------------------------------

Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~2\INSTALL.LOG
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
AirSnare --> "C:\Program Files\AirSnare\uninstall.exe"
AirSnare - (c) 2003 Jay L. DeBoer --> C:\WINNT\st6unst.exe -n "C:\Program Files\AirSnare\ST6UNST.LOG"
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AZZ Cardfile --> C:\Program Files\AZZ Cardfile\UNINSTALL.EXE
Broadcom Advanced Control Suite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
Broadcom ASF Management Applications --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{25D24E84-64A9-40D2-85CF-540B1C4A6D52} /l1033
Citrix ICA Web Client --> C:\WINNT\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Citrix Presentation Server Client --> MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
Conexant D480 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell Modem-On-Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\Setup.exe" -l0x9 ControlPanelAnyText
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\Setup.exe" -l0x9 ControlPanelAnyText
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
EXTRA! Bundle for TCP/IP --> C:\WINNT\uninst.exe -f"C:\Program Files\E!TCP\DeIsL1.isu" -C"C:\Program Files\E!TCP\uninstnt.dll"
FreshDiagnose --> "C:\Program Files\FreshDevices\FreshDiagnose\unins000.exe"
FreshUI --> "C:\Program Files\FreshDevices\FreshUI\unins000.exe"
FreshView --> "C:\Program Files\FreshDevices\FreshView\unins000.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel SpeedStep technology Applet --> C:\WINNT\IsUninst.exe -f"C:\WINNT\system32\Intel(R) SpeedStep(TM) technology Applet.isu"
Intel(R) PROSet --> MsiExec.exe /I{b697396d-4bff-430d-9578-8aa5a549777a}
Internet Explorer Q903235 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
McAfee VirusScan --> MsiExec.exe /I{87AEFD84-BC0D-11D4-B885-00508B022A51}
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 2.0 --> C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Office PowerPoint Viewer 2007 (English) --> MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Outlook Web Access S/MIME --> MsiExec.exe /X{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}
Mozilla Firefox (2.0.0.9) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
netViz Professional 7.2 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\netViz\7\Pro\Uninst.isu"
Network Stumbler 0.4.0 (remove only) --> "C:\Program Files\Network Stumbler\uninst.exe"
NVIDIA Drivers --> C:\WINNT\system32\nvudisp.exe UninstallGUI
Optiquest INF and ICM Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CBFE20C0-79C3-11D4-A9BD-83B5347BAF61}\Setup.exe"
PDFCreator --> "C:\Program Files\PDFCreator\unins000.exe"
PE Builder 3.1.10a --> "c:\pebuilder3110a\unins000.exe"
Pictoscope 4.0.02 --> "C:\Program Files\Pictoscope\unins000.exe"
QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\system32\QuickTime\Uninstall.log
QuickTime Alternative 1.78 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegCure 1.5.0.0 --> C:\Program Files\RegCure\uninst.exe
RegistryFix v5.0 --> "C:\Program Files\RegistryFix\unins000.exe"
Remote Desktop Connection --> MsiExec.exe /X{35D027A4-57BA-4E59-94DB-DFB36FFFDC1E}
RunAlyzer --> "C:\Program Files\Safer Networking\RunAlyzer\unins000.exe"
Security Update for Microsoft .NET Framework 2.0 (KB928365) --> C:\WINNT\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
SolarWinds Engineer's Toolset v9 --> C:\Program Files\InstallShield Installation Information\{06DB58B3-AC28-4CA4-903A-DE0E94C38EAD}\setup.exe -runfromtemp -l0x0409
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\setup.exe" -l0x9 VpnUninstall
Whale Communications' Client Components v3.1.3 --> rundll32.exe C:\WINNT\DOWNLO~1\WhlMgr.dll,UnInstall 3.1.0 63 0 1 3.1.3
Windows Genuine Advantage v1.3.0254.0 --> MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Wireshark 0.99.4 --> "C:\Program Files\Wireshark\uninstall.exe"
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type881 / Warning
Event Submitted/Written: 11/16/2007 06:46:26 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type880 / Warning
Event Submitted/Written: 11/16/2007 06:35:34 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type879 / Warning
Event Submitted/Written: 11/16/2007 06:23:37 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type878 / Warning
Event Submitted/Written: 11/16/2007 06:04:18 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type877 / Error
Event Submitted/Written: 11/16/2007 06:02:24 PM
Event ID/Source: 4505 / McUpdate
Event Description:
AutoUpdate failed. All the connections failed.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type2506 / Warning
Event Submitted/Written: 11/16/2007 06:04:55 PM
Event ID/Source: 11153 / DnsApi
Event Description:
The system failed to register network adapter with settings:

Adapter Name : {302C701B-3E19-4D34-8052-BAF6E502F33E}

Host Name : V89614

Adapter-specific Domain Suffix : frdrmd.adelphia.net

DNS server list :

68.87.73.242, 68.87.71.226

Sent update to server : 24.50.78.2

IP Address(es) :

192.168.1.102

The reason it could not register was because the DNS server refused the
dynamic update request. This could happen for the following reasons:
(a) current DNS update policies do not allow this computer to update
the DNS domain name configured for this adapter, or (b) the authoritative
DNS server for this DNS domain name does not support the DNS dynamic update
protocol.

To register a DNS host (A) resource record using the specific DNS domain
name for this adapter, contact your DNS server or network systems
administrator.

Event Record #/Type2504 / Error
Event Submitted/Written: 11/16/2007 06:03:01 PM
Event ID/Source: 27 / i8042prt
Event Description:
The operation on timed out (time out is configurable via the registry).

Event Record #/Type2503 / Error
Event Submitted/Written: 11/16/2007 06:02:55 PM
Event ID/Source: 27 / i8042prt
Event Description:
The operation on timed out (time out is configurable via the registry).

Event Record #/Type2502 / Warning
Event Submitted/Written: 11/16/2007 06:00:32 PM / 11/16/2007 06:00:59 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type2496 / Warning
Event Submitted/Written: 11/16/2007 07:22:22 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\RGWARD on the network \Device\NetBT_Tcpip_{302C701B-3E19-4D34-8052-BAF6E502F33E}.
The data is the error code.

-- End of Deckard's System Scanner: finished at 2007-11-16 21:22:42 ------------

by **Katana** » November 16th, 2007, 10:53 pm

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u3
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Download and Run ComboFix

Download Combofix from one of the two links below and save it to your desktop
Download 1
Download 2
Then double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
ComboFix SHOULD NOT be used without supervision

by **rgward611** » November 17th, 2007, 11:41 am

JRE 6u3 installed.

ComboFix log. I would like to note after reboot and Combofix posting the Notepad log.txt file this error popped up soon thereafter.
"Registry Editor
Cannot import creg.dat: Not all data was successfully written to the Registry. Some keys are open by the system." With OK button as only option. Is this related to the ComboFix execution? Is this expected?

ComboFix 07-11-08.1 - Administrator 11/17/2007 10:17:08.5 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.687 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\SYSTEM32\ayyxx.ini
C:\WINNT\SYSTEM32\ayyxx.ini2
C:\WINNT\system32\xxyya.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 10:22 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_490.dat
2007-11-17 10:11 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-16 21:20 <DIR> d-------- C:\Deckard
2007-11-15 21:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-11 23:32 10,872 --a------ C:\WINNT\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-11 18:02 <DIR> d-------- C:\Program Files\McAfee Tools
2007-11-10 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 23:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-10 16:25 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-10 13:58 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-10 13:56 <DIR> d-------- C:\VundoFix Backups
2007-11-08 03:00 91,824 --a------ C:\WINNT\SYSTEM32\mskvtns.dll
2007-11-07 22:06 35,328 --a------ C:\WINNT\SYSTEM32\ljjghfe.dll
2007-11-07 22:02 <DIR> d-a------ C:\WINNT\SYSTEM32\Mz02r
2007-11-07 22:02 <DIR> d-------- C:\Temp\mZOr
2007-11-07 22:02 35,328 --------- C:\WINNT\SYSTEM32\byxxxyx.dll
2007-11-04 23:25 11,776 --a------ C:\Documents and Settings\Administrator\wn852.exe
2007-11-04 23:25 0 --a------ C:\pdfview.exe
2007-11-04 23:25 0 --a------ C:\bbzip.exe
2007-10-24 22:11 51,628 --a------ C:\Documents and Settings\Administrator\wn100.exe
2007-10-24 22:11 20,992 --a------ C:\WINNT\r-k.exe
2007-10-18 12:18 20,280 --a------ C:\WINNT\SYSTEM32\DRIVERS\SSFS0BB9.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 15:12 --------- d---a-w C:\Program Files\Java
2007-11-16 12:29 --------- d-----w C:\Program Files\AZZ Cardfile
2007-11-15 00:49 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-12 01:14 --------- d-----w C:\Program Files\Find Favorites
2007-11-11 19:06 --------- d-----w C:\Program Files\RegCure
2007-11-11 04:06 --------- d-----w C:\Program Files\Yahoo!
2007-11-11 04:06 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-11 00:01 --------- d-----w C:\Program Files\Zinio
2007-10-18 17:16 164 ----a-w C:\install.dat
2007-10-15 03:10 --------- d-----w C:\Program Files\JIGLE-0.7.5
2007-10-15 02:34 --------- d-----w C:\Program Files\MSECache
2007-10-12 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolarWinds
2007-10-01 20:40 1,526,072 ----a-w C:\WINNT\WRSetup.dll
2007-10-01 20:24 23,864 ----a-w C:\WINNT\system32\drivers\sskbfd.sys
2007-10-01 20:24 21,816 ----a-w C:\WINNT\system32\drivers\sshrmd.sys
2007-10-01 20:24 163,640 ----a-w C:\WINNT\system32\drivers\ssidrv.sys
2007-08-21 17:10 69,632 ----a-w C:\WINNT\SYSTEM32\SWSendSyslog.dll
2007-08-21 17:09 122,880 ----a-w C:\WINNT\SYSTEM32\SWPortScanV1.dll
2007-08-21 17:08 122,880 ----a-w C:\WINNT\SYSTEM32\DirectDNS.dll
2007-08-21 17:05 905,296 ----a-w C:\WINNT\SYSTEM32\SNMPv7.dll
2007-08-19 21:55 93,184 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\OEIMPORT.DLL
2007-08-19 21:55 91,136 ----a-w C:\WINNT\SYSTEM32\MSOERT2.DLL
2007-08-19 21:55 91,136 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSOERT2.DLL
2007-08-19 21:55 77,824 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WABIMP.DLL
2007-08-19 21:55 75,776 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\DIRECTDB.DLL
2007-08-19 21:55 596,992 ----a-w C:\WINNT\SYSTEM32\INETCOMM.DLL
2007-08-19 21:55 596,992 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\INETCOMM.DLL
2007-08-19 21:55 56,832 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSIMN.EXE
2007-08-19 21:55 55,808 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\OEMIG50.EXE
2007-08-19 21:55 47,616 ----a-w C:\WINNT\SYSTEM32\INETRES.DLL
2007-08-19 21:55 47,616 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\INETRES.DLL
2007-08-19 21:55 465,920 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WAB32.DLL
2007-08-19 21:55 42,496 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WAB.EXE
2007-08-19 21:55 31,744 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\OEMIGLIB.DLL
2007-08-19 21:55 30,208 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WABFIND.DLL
2007-08-19 21:55 27,648 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WABMIG.EXE
2007-08-19 21:55 229,376 ----a-w C:\WINNT\SYSTEM32\MSOEACCT.DLL
2007-08-19 21:55 229,376 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSOEACCT.DLL
2007-08-19 21:55 2,479,616 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSOERES.DLL
2007-08-19 21:55 1,176,064 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSOE.DLL
2007-08-19 21:52 44,032 ----a-w C:\WINNT\SYSTEM32\MSIDENT.DLL
2007-08-19 21:52 44,032 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSIDENT.DLL
2007-08-17 17:21 132,096 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSRATING.DLL
2007-08-17 17:20 402,944 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\SHLWAPI.DLL
2007-08-17 17:20 143,360 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\CDFVIEW.DLL
2007-08-17 17:20 1,340,416 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\SHDOCVW.DLL
2007-08-17 17:20 1,018,368 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\BROWSEUI.DLL
2007-08-17 15:10 575,488 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WININET.DLL
2007-08-17 15:10 462,336 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\URLMON.DLL
2007-08-17 15:10 12,288 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\JSPROXY.DLL
2007-08-17 15:08 69,632 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\INSENG.DLL
2007-08-17 15:08 498,176 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSTIME.DLL
2007-08-17 15:08 351,744 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\DXTMSFT.DLL
2007-08-17 15:08 34,816 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\PNGFILT.DLL
2007-08-17 15:08 236,032 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\IEPEERS.DLL
2007-08-17 15:07 2,705,408 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSHTML.DLL
2007-08-17 15:07 192,512 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\DXTRANS.DLL
2007-08-17 06:48 448,272 ----a-w C:\WINNT\SYSTEM32\oieng400.dll
2007-08-17 06:48 448,272 ------w C:\WINNT\SYSTEM32\DLLCACHE\oieng400.dll
2007-08-17 06:48 39,184 ----a-w C:\WINNT\SYSTEM32\jpeg2x32.dll
2007-08-17 06:48 39,184 ------w C:\WINNT\SYSTEM32\DLLCACHE\jpeg2x32.dll
2007-08-17 06:48 33,552 ----a-w C:\WINNT\SYSTEM32\tifflt.dll
2007-08-17 06:48 33,552 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\tifflt.dll
2005-12-17 19:30 140,632 -c-ha-w C:\Documents and Settings\Administrator\Application Data\ptads.bin
2003-07-10 05:54 271 -c-ha-w C:\Program Files\DESKTOP.INI
2003-07-10 05:54 21,952 -c-ha-w C:\Program Files\FOLDER.HTT
2003-06-19 23:00 32,528 -c--a-w C:\WINNT\INF\WBFIRDMA.SYS
.

((((((((((((((((((((((((((((( snapshot@Sat 2007-11-10_14.08.30.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-17 14:58:14 295,606 ----a-r C:\WINNT\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
+ 2007-11-11 04:43:54 295,606 ----a-r C:\WINNT\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
- 2007-10-15 13:11:21 240,736 ----a-w C:\WINNT\SYSTEM32\FNTCACHE.DAT
+ 2007-11-12 22:30:22 240,736 ----a-w C:\WINNT\SYSTEM32\FNTCACHE.DAT
- 2003-12-11 08:02:12 24,670 -c--a-w C:\WINNT\SYSTEM32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINNT\SYSTEM32\java.exe
- 2003-12-11 08:02:12 28,768 -c--a-w C:\WINNT\SYSTEM32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINNT\SYSTEM32\javaw.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINNT\SYSTEM32\javaws.exe
- 2006-06-22 18:44:00 2,078,344 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-17 14:26:56 45,218 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
- 2007-07-11 20:22:28 60,388 ----a-w C:\WINNT\SYSTEM32\PERFC009.DAT
+ 2007-11-11 00:54:04 60,388 ----a-w C:\WINNT\SYSTEM32\PERFC009.DAT
- 2007-07-11 20:22:28 389,838 ----a-w C:\WINNT\SYSTEM32\PERFH009.DAT
+ 2007-11-11 00:54:04 389,838 ----a-w C:\WINNT\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 18:00 C:\WINNT\SYSTEM32\MOBSYNC.EXE]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [03-06-10 10:07 ]
"PRPCMonitor"="PRPCUI.exe" [02-10-06 14:00 C:\WINNT\SYSTEM32\prpcui.exe]
"DVDSentry"="C:\WINNT\system32\DSentry.exe" [02-07-16 21:18 ]
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [02-12-17 00:14 ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [05-07-29 19:52 ]
"CARPService"="carpserv.exe" [02-10-17 06:54 C:\WINNT\SYSTEM32\carpserv.exe]
"nwiz"="nwiz.exe" [04-10-26 12:01 C:\WINNT\SYSTEM32\nwiz.exe]
"ZCfgSvc.exe"="C:\WINNT\system32\ZCfgSvc.exe" [05-07-05 00:32 ]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [05-06-27 07:31 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-09-12 20:49 ]
"NvCplDaemon"="RUNDLL32.exe" [03-06-19 18:00 C:\WINNT\SYSTEM32\RUNDLL32.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 19:51 ]
"bacstray"="BacsTray.exe" [03-05-14 05:37 C:\WINNT\SYSTEM32\BacsTray.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [07-10-01 15:40 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe" [03-06-19 18:00 C:\WINNT\SYSTEM32\INTERNAT.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-06-19 21:04:45]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\xxyya.dll

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINNT\system32\Drivers\SSFS0BB9.SYS
R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"
R2 BASFND;BASFND;\??\C:\WINNT\system32\Drivers\BASFND.sys
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys
R3 GTICARD;GTICARD;C:\WINNT\system32\DRIVERS\gticard.sys
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
R3 w70n5;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows 2000;C:\WINNT\system32\DRIVERS\w70n5.sys
S3 2583;2583;\??\C:\WINNT\system32\2583.sys
S3 2c32;2c32;\??\C:\WINNT\system32\2c32.sys
S3 3f74;3f74;\??\C:\WINNT\system32\3f74.sys
S3 agony;agony;\??\C:\Documents and Settings\Administrator\Desktop\wininit.sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 FreshIO;FreshIO;\??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
S3 NAL;Nal Service ;\??\C:\WINNT\system32\Drivers\iqvw32.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINNT\system32\NSNDIS5.SYS
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;"C:\Program Files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 15:21:47 C:\WINNT\Tasks\RegCure Program Check.job"
"2007-11-08 11:10:54 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 10:22:11
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-17 10:24:17 - machine was rebooted
C:\ComboFix2.txt ... 07-11-12 10:17
C:\ComboFix3.txt ... 07-11-12 09:10
.
--- E O F ---

by **Katana** » November 17th, 2007, 3:46 pm

To be honest, I have never seen Cannot import creg.dat be reported before ??
Let me know if it happens again

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the the following file path into the window
C:\Documents and Settings\Administrator\wn852.exe
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\Documents and Settings\Administrator\wn100.exe
C:\WINNT\r-k.exe
C:\Documents and Settings\Administrator\Desktop\wininit.sys

If Virustotal is too busy please try Jotti

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code: Select all

http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=25258&sid=e9edc32274b722c86062e35717489b80&p=238037#p238037

Suspect::[4]
C:\Documents and Settings\Administrator\wn852.exe
C:\Documents and Settings\Administrator\wn100.exe
C:\WINNT\r-k.exe
C:\Documents and Settings\Administrator\Desktop\wininit.sys

File::
C:\WINNT\SYSTEM32\mskvtns.dll
C:\WINNT\SYSTEM32\ljjghfe.dll
C:\WINNT\SYSTEM32\byxxxyx.dll
C:\WINNT\system32\2583.sys
C:\WINNT\system32\2c32.sys
C:\WINNT\system32\3f74.sys

Folder::
C:\WINNT\SYSTEM32\Mz02r
C:\Temp
Driver::
2583
2c32
3f74
agony

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

by **rgward611** » November 17th, 2007, 10:15 pm

Okay. Done as requested to a point. After ComboFix reboot, got same Creg.dat registry error and new window opened noting "additional analysis is required" and to submit recommended .zip file to "http://www.bleepingcomputer.com/pf.php". HTTP request timed out...Cannot find server...The page cannot be displayed.

Here are the results of the files scanned by Virus Total...

File wn852.exe received on 11.17.2007 21:16:27 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 7/32 (21.88%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 HEUR/Malware
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.17 -
AVG 7.5.0.503 2007.11.17 -
BitDefender 7.2 2007.11.17 Trojan.Generic.78636
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.17 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 suspicious Trojan/Worm
eTrust-Vet 31.2.5302 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.17 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 W32/Threat-HLLSI-based!Maximus
F-Secure 6.70.13030.0 2007.11.17 -
Ikarus T3.1.1.12 2007.11.17 -
Kaspersky 7.0.0.125 2007.11.17 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.17 -
NOD32v2 2665 2007.11.17 -
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 -
Prevx1 V2 2007.11.17 Heuristic: Suspicious File With Outbound Communications
Rising 20.18.51.00 2007.11.17 -
Sophos 4.23.0 2007.11.17 Mal/Heuri-D
Sunbelt 2.2.907.0 2007.11.17 -
Symantec 10 2007.11.17 -
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Heuristic.Malware
Additional information
File size: 11776 bytes
MD5: 6ba606c6012dc7f094ed2d1e9feb1231
SHA1: c148b7e9835ee787998c8633376d39bba951fa73
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 00728168C4

File wn100.exe received on 11.18.2007 01:31:40 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 11/32 (34.38%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 36 and 52 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 Rkit/Agent.NF
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.17 Win32:Agent-LRU
AVG 7.5.0.503 2007.11.17 Downloader.Generic6.TUQ
BitDefender 7.2 2007.11.18 Trojan.Agent.AFPO
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.18 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 suspicious Trojan/Worm
eTrust-Vet 31.2.5304 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.18 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.17 -
Ikarus T3.1.1.12 2007.11.18 -
Kaspersky 7.0.0.125 2007.11.18 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.18 Trojan:Win32/Malagent
NOD32v2 2665 2007.11.17 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 Trj/Agony.B
Prevx1 V2 2007.11.18 -
Rising 20.18.51.00 2007.11.17 -
Sophos 4.23.0 2007.11.17 Mal/Emogen-G
Sunbelt 2.2.907.0 2007.11.17 -
Symantec 10 2007.11.18 W32.SillyP2P
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Rootkit.Agent.NF
Additional information
File size: 51628 bytes
MD5: ca97c9a6a7ddb1143ae07cc19756916a
SHA1: f1c170124d6f30377e2ffe6d8c53d7daca93bf0b
packers: UPX
packers: UPX
packers: UPX
packers: PE_Patch.UPX, PE_Patch.UPX, UPX

File r-k.exe received on 11.18.2007 01:47:38 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 9/32 (28.13%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 44 and 63 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 Rkit/Agent.NF
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.17 Win32:Agent-LRU
AVG 7.5.0.503 2007.11.17 Agent.JGR
BitDefender 7.2 2007.11.18 Trojan.Agent.AFPO
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.18 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 suspicious Trojan/Worm
eTrust-Vet 31.2.5304 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.18 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.17 -
Ikarus T3.1.1.12 2007.11.18 -
Kaspersky 7.0.0.125 2007.11.18 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.18 -
NOD32v2 2665 2007.11.17 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 Trj/Agony.B
Prevx1 V2 2007.11.18 -
Rising 20.18.51.00 2007.11.17 -
Sophos 4.23.0 2007.11.17 -
Sunbelt 2.2.907.0 2007.11.17 Trojan.Agent.AFPO
Symantec 10 2007.11.18 -
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Rootkit.Agent.NF
Additional information
File size: 20992 bytes
MD5: eb3a5a8ea6ea4cdc6f7066a4cedd2f4e
SHA1: 4cd9e8dc5f475d26dc2de90853f0ddd096c52884
packers: UPX
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX

File wininit.sys received on 11.18.2007 02:01:02 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 13/32 (40.63%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 36 and 52 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 Rkit/Agent.NF
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.17 Win32:Agent-LRU
AVG 7.5.0.503 2007.11.17 Agent.JGS
BitDefender 7.2 2007.11.18 Trojan.Agent.AFPO
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.18 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5304 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.18 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 W32/SYStroj.C.gen!Eldorado
F-Secure 6.70.13030.0 2007.11.17 Rootkit.Win32.Agent.nf
Ikarus T3.1.1.12 2007.11.18 Rootkit.Win32.Agent.nf
Kaspersky 7.0.0.125 2007.11.18 Rootkit.Win32.Agent.nf
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.18 -
NOD32v2 2665 2007.11.17 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 Rootkit/Agony
Prevx1 V2 2007.11.18 -
Rising 20.18.51.00 2007.11.17 -
Sophos 4.23.0 2007.11.17 Troj/RKPort-Fam
Sunbelt 2.2.907.0 2007.11.17 Trojan.Agent.AFPO
Symantec 10 2007.11.18 -
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 Rootkit.Agent.NF
Additional information
File size: 17664 bytes
MD5: 802fab3318b130f31b60b83b7df650de
SHA1: f3b556ff4ac8b8b1ded58bd6c1444b3c0196c360

Here are the log.txt results of ComboFix using CFScript.txt...

ComboFix 07-11-08.1 - Administrator 11/17/2007 20:50:07.6 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.677 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE
C:\WINNT\system32\2583.sys
C:\WINNT\system32\2c32.sys
C:\WINNT\system32\3f74.sys
C:\WINNT\SYSTEM32\byxxxyx.dll
C:\WINNT\SYSTEM32\ljjghfe.dll
C:\WINNT\SYSTEM32\mskvtns.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp
C:\Temp\AirSnare\AirSnare.CAB
C:\Temp\AirSnare\setup.exe
C:\Temp\AirSnare\SETUP.LST
C:\Temp\mZOr\tOasF.log
C:\Temp\Temp\cleanup.log
C:\Temp\Temp\Folders.dbx
C:\Temp\Temp\Inbox.dbx
C:\Temp\Temp\Offline.dbx
C:\Temp\Temp\Outbox.dbx
C:\Temp\Temp\Pop3uidl.dbx
C:\Temp\Temp\Sent Items.dbx
C:\WINNT\SYSTEM32\byxxxyx.dll
C:\WINNT\SYSTEM32\ljjghfe.dll
C:\WINNT\SYSTEM32\mskvtns.dll
C:\WINNT\SYSTEM32\Mz02r

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_2583
-------\LEGACY_2C32
-------\LEGACY_3F74
-------\LEGACY_AGONY
-------\2583
-------\2c32
-------\3f74
-------\agony

((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-17 20:53 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_570.dat
2007-11-17 10:11 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-16 21:20 <DIR> d-------- C:\Deckard
2007-11-15 21:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-11 23:32 10,872 --a------ C:\WINNT\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-11 18:02 <DIR> d-------- C:\Program Files\McAfee Tools
2007-11-10 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 23:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-10 16:25 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-10 13:58 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-10 13:56 <DIR> d-------- C:\VundoFix Backups
2007-11-04 23:25 11,776 --a------ C:\Documents and Settings\Administrator\wn852.exe
2007-11-04 23:25 0 --a------ C:\pdfview.exe
2007-11-04 23:25 0 --a------ C:\bbzip.exe
2007-10-24 22:11 51,628 --a------ C:\Documents and Settings\Administrator\wn100.exe
2007-10-24 22:11 20,992 --a------ C:\WINNT\r-k.exe
2007-10-18 12:18 20,280 --a------ C:\WINNT\SYSTEM32\DRIVERS\SSFS0BB9.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 15:12 --------- d---a-w C:\Program Files\Java
2007-11-16 12:29 --------- d-----w C:\Program Files\AZZ Cardfile
2007-11-15 00:49 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-12 01:14 --------- d-----w C:\Program Files\Find Favorites
2007-11-11 19:06 --------- d-----w C:\Program Files\RegCure
2007-11-11 04:06 --------- d-----w C:\Program Files\Yahoo!
2007-11-11 04:06 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-11 00:01 --------- d-----w C:\Program Files\Zinio
2007-10-18 17:16 164 ----a-w C:\install.dat
2007-10-15 03:10 --------- d-----w C:\Program Files\JIGLE-0.7.5
2007-10-15 02:34 --------- d-----w C:\Program Files\MSECache
2007-10-12 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolarWinds
2007-10-01 20:40 1,526,072 ----a-w C:\WINNT\WRSetup.dll
2007-10-01 20:24 23,864 ----a-w C:\WINNT\system32\drivers\sskbfd.sys
2007-10-01 20:24 21,816 ----a-w C:\WINNT\system32\drivers\sshrmd.sys
2007-10-01 20:24 163,640 ----a-w C:\WINNT\system32\drivers\ssidrv.sys
2007-08-21 17:10 69,632 ----a-w C:\WINNT\SYSTEM32\SWSendSyslog.dll
2007-08-21 17:09 122,880 ----a-w C:\WINNT\SYSTEM32\SWPortScanV1.dll
2007-08-21 17:08 122,880 ----a-w C:\WINNT\SYSTEM32\DirectDNS.dll
2007-08-21 17:05 905,296 ----a-w C:\WINNT\SYSTEM32\SNMPv7.dll
2007-08-19 21:55 91,136 ----a-w C:\WINNT\SYSTEM32\MSOERT2.DLL
2007-08-19 21:55 596,992 ----a-w C:\WINNT\SYSTEM32\INETCOMM.DLL
2007-08-19 21:55 47,616 ----a-w C:\WINNT\SYSTEM32\INETRES.DLL
2007-08-19 21:55 229,376 ----a-w C:\WINNT\SYSTEM32\MSOEACCT.DLL
2007-08-19 21:52 44,032 ----a-w C:\WINNT\SYSTEM32\MSIDENT.DLL
2005-12-17 19:30 140,632 -c-ha-w C:\Documents and Settings\Administrator\Application Data\ptads.bin
2003-07-10 05:54 271 -c-ha-w C:\Program Files\DESKTOP.INI
2003-07-10 05:54 21,952 -c-ha-w C:\Program Files\FOLDER.HTT
2003-06-19 23:00 32,528 -c--a-w C:\WINNT\INF\WBFIRDMA.SYS
.

((((((((((((((((((((((((((((( snapshot@Sat 2007-11-10_14.08.30.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-17 14:58:14 295,606 ----a-r C:\WINNT\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
+ 2007-11-11 04:43:54 295,606 ----a-r C:\WINNT\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
- 2007-10-15 13:11:21 240,736 ----a-w C:\WINNT\SYSTEM32\FNTCACHE.DAT
+ 2007-11-12 22:30:22 240,736 ----a-w C:\WINNT\SYSTEM32\FNTCACHE.DAT
- 2003-12-11 08:02:12 24,670 -c--a-w C:\WINNT\SYSTEM32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINNT\SYSTEM32\java.exe
- 2003-12-11 08:02:12 28,768 -c--a-w C:\WINNT\SYSTEM32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINNT\SYSTEM32\javaw.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINNT\SYSTEM32\javaws.exe
- 2006-06-22 18:44:00 2,078,344 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-17 14:26:56 45,218 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
- 2007-07-11 20:22:28 60,388 ----a-w C:\WINNT\SYSTEM32\PERFC009.DAT
+ 2007-11-11 00:54:04 60,388 ----a-w C:\WINNT\SYSTEM32\PERFC009.DAT
- 2007-07-11 20:22:28 389,838 ----a-w C:\WINNT\SYSTEM32\PERFH009.DAT
+ 2007-11-11 00:54:04 389,838 ----a-w C:\WINNT\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 18:00 C:\WINNT\SYSTEM32\MOBSYNC.EXE]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [03-06-10 10:07 ]
"PRPCMonitor"="PRPCUI.exe" [02-10-06 14:00 C:\WINNT\SYSTEM32\prpcui.exe]
"DVDSentry"="C:\WINNT\system32\DSentry.exe" [02-07-16 21:18 ]
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [02-12-17 00:14 ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [05-07-29 19:52 ]
"CARPService"="carpserv.exe" [02-10-17 06:54 C:\WINNT\SYSTEM32\carpserv.exe]
"nwiz"="nwiz.exe" [04-10-26 12:01 C:\WINNT\SYSTEM32\nwiz.exe]
"ZCfgSvc.exe"="C:\WINNT\system32\ZCfgSvc.exe" [05-07-05 00:32 ]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [05-06-27 07:31 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-09-12 20:49 ]
"NvCplDaemon"="RUNDLL32.exe" [03-06-19 18:00 C:\WINNT\SYSTEM32\RUNDLL32.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [07-10-10 19:51 ]
"bacstray"="BacsTray.exe" [03-05-14 05:37 C:\WINNT\SYSTEM32\BacsTray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [07-10-01 15:40 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe" [03-06-19 18:00 C:\WINNT\SYSTEM32\INTERNAT.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-06-19 21:04:45]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINNT\system32\Drivers\SSFS0BB9.SYS
R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"
R2 BASFND;BASFND;\??\C:\WINNT\system32\Drivers\BASFND.sys
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys
R3 GTICARD;GTICARD;C:\WINNT\system32\DRIVERS\gticard.sys
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
R3 w70n5;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows 2000;C:\WINNT\system32\DRIVERS\w70n5.sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 FreshIO;FreshIO;\??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
S3 NAL;Nal Service ;\??\C:\WINNT\system32\Drivers\iqvw32.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINNT\system32\NSNDIS5.SYS
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;"C:\Program Files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-18 01:53:37 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-08 11:10:54 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 20:53:57
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-17 20:56:07 - machine was rebooted
C:\ComboFix2.txt ... 07-11-17 10:24
C:\ComboFix3.txt ... 07-11-12 10:17
.
--- E O F ---

by **rgward611** » November 17th, 2007, 10:21 pm

Oops...spoke too soon. I clicked browser "Back" button and resubmitted file and it worked this time. "Your file was successfully submitted. Please let the user helping you know that you have submitted the file." File submitted=C:\Documents and Settings\Administrator\Desktop.\[4]-Submit_Sat 11-17-2007@20.49.zip

by **Katana** » November 18th, 2007, 8:40 am

Very strange that error report, the registry fix has worked ????
How are things running now ?

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code: Select all

File::
C:\Documents and Settings\Administrator\wn852.exe
C:\Documents and Settings\Administrator\wn100.exe
C:\WINNT\r-k.exe
C:\Documents and Settings\Administrator\Desktop\wininit.sys

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

by **rgward611** » November 18th, 2007, 1:20 pm

Good to hear the registry fix worked. I notice the problem BHOs are no longer present and that is great! Nice work Katana!!! The system seems to be running much better but my McAfee VirusScan VShield keeps failing on reboots and restarts now.

Here is the latest ComboFix results...received the creg.dat error pop-up twice this time, once soonafter it prompts it is "Almost Done..." and then after it posted the ComboFix.txt file in NotePad. Do you know what the creg.dat is used for or what software it is associated with? I did a Google search and didn't come up with anything. Could this be some residual file deposited by malware?

ComboFix 07-11-08.1 - Administrator 11/18/2007 11:57:26.7 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.712 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE
C:\Documents and Settings\Administrator\Desktop\wininit.sys
C:\Documents and Settings\Administrator\wn100.exe
C:\Documents and Settings\Administrator\wn852.exe
C:\WINNT\r-k.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\wininit.sys
C:\Documents and Settings\Administrator\wn100.exe
C:\Documents and Settings\Administrator\wn852.exe
C:\WINNT\r-k.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-18 11:57 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_4d8.dat
2007-11-18 10:34 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_60c.dat
2007-11-17 10:11 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-16 21:20 <DIR> d-------- C:\Deckard
2007-11-15 21:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-11 23:32 10,872 --a------ C:\WINNT\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-11-11 18:02 <DIR> d-------- C:\Program Files\McAfee Tools
2007-11-10 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 23:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-10 16:25 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-10 13:58 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-10 13:56 <DIR> d-------- C:\VundoFix Backups
2007-11-04 23:25 0 --a------ C:\pdfview.exe
2007-11-04 23:25 0 --a------ C:\bbzip.exe
2007-10-18 12:18 20,280 --a------ C:\WINNT\SYSTEM32\DRIVERS\SSFS0BB9.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 15:12 --------- d---a-w C:\Program Files\Java
2007-11-16 12:29 --------- d-----w C:\Program Files\AZZ Cardfile
2007-11-15 00:49 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-12 01:14 --------- d-----w C:\Program Files\Find Favorites
2007-11-11 19:06 --------- d-----w C:\Program Files\RegCure
2007-11-11 04:06 --------- d-----w C:\Program Files\Yahoo!
2007-11-11 04:06 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-11 00:01 --------- d-----w C:\Program Files\Zinio
2007-10-18 17:16 164 ----a-w C:\install.dat
2007-10-15 03:10 --------- d-----w C:\Program Files\JIGLE-0.7.5
2007-10-15 02:34 --------- d-----w C:\Program Files\MSECache
2007-10-12 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\SolarWinds
2007-10-01 20:40 1,526,072 ----a-w C:\WINNT\WRSetup.dll
2007-10-01 20:24 23,864 ----a-w C:\WINNT\system32\drivers\sskbfd.sys
2007-10-01 20:24 21,816 ----a-w C:\WINNT\system32\drivers\sshrmd.sys
2007-10-01 20:24 163,640 ----a-w C:\WINNT\system32\drivers\ssidrv.sys
2007-08-21 17:10 69,632 ----a-w C:\WINNT\SYSTEM32\SWSendSyslog.dll
2007-08-21 17:09 122,880 ----a-w C:\WINNT\SYSTEM32\SWPortScanV1.dll
2007-08-21 17:08 122,880 ----a-w C:\WINNT\SYSTEM32\DirectDNS.dll
2007-08-21 17:05 905,296 ----a-w C:\WINNT\SYSTEM32\SNMPv7.dll
2007-08-19 21:55 93,184 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\OEIMPORT.DLL
2007-08-19 21:55 91,136 ----a-w C:\WINNT\SYSTEM32\MSOERT2.DLL
2007-08-19 21:55 91,136 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSOERT2.DLL
2007-08-19 21:55 77,824 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WABIMP.DLL
2007-08-19 21:55 75,776 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\DIRECTDB.DLL
2007-08-19 21:55 596,992 ----a-w C:\WINNT\SYSTEM32\INETCOMM.DLL
2007-08-19 21:55 596,992 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\INETCOMM.DLL
2007-08-19 21:55 56,832 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSIMN.EXE
2007-08-19 21:55 55,808 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\OEMIG50.EXE
2007-08-19 21:55 47,616 ----a-w C:\WINNT\SYSTEM32\INETRES.DLL
2007-08-19 21:55 47,616 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\INETRES.DLL
2007-08-19 21:55 465,920 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WAB32.DLL
2007-08-19 21:55 42,496 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WAB.EXE
2007-08-19 21:55 31,744 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\OEMIGLIB.DLL
2007-08-19 21:55 30,208 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WABFIND.DLL
2007-08-19 21:55 27,648 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\WABMIG.EXE
2007-08-19 21:55 229,376 ----a-w C:\WINNT\SYSTEM32\MSOEACCT.DLL
2007-08-19 21:55 229,376 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSOEACCT.DLL
2007-08-19 21:55 2,479,616 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSOERES.DLL
2007-08-19 21:55 1,176,064 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSOE.DLL
2007-08-19 21:52 44,032 ----a-w C:\WINNT\SYSTEM32\MSIDENT.DLL
2007-08-19 21:52 44,032 ----a-w C:\WINNT\SYSTEM32\DLLCACHE\MSIDENT.DLL
2005-12-17 19:30 140,632 -c-ha-w C:\Documents and Settings\Administrator\Application Data\ptads.bin
2003-07-10 05:54 271 -c-ha-w C:\Program Files\DESKTOP.INI
2003-07-10 05:54 21,952 -c-ha-w C:\Program Files\FOLDER.HTT
2003-06-19 23:00 32,528 -c--a-w C:\WINNT\INF\WBFIRDMA.SYS
.

((((((((((((((((((((((((((((( snapshot@Sat 2007-11-10_14.08.30.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-17 14:58:14 295,606 ----a-r C:\WINNT\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
+ 2007-11-11 04:43:54 295,606 ----a-r C:\WINNT\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
- 2007-10-15 13:11:21 240,736 ----a-w C:\WINNT\SYSTEM32\FNTCACHE.DAT
+ 2007-11-12 22:30:22 240,736 ----a-w C:\WINNT\SYSTEM32\FNTCACHE.DAT
- 2003-12-11 08:02:12 24,670 -c--a-w C:\WINNT\SYSTEM32\java.exe
+ 2007-09-25 03:30:28 135,168 ----a-w C:\WINNT\SYSTEM32\java.exe
- 2003-12-11 08:02:12 28,768 -c--a-w C:\WINNT\SYSTEM32\javaw.exe
+ 2007-09-25 03:30:30 135,168 ----a-w C:\WINNT\SYSTEM32\javaw.exe
+ 2007-09-25 04:31:42 139,264 ----a-w C:\WINNT\SYSTEM32\javaws.exe
- 2006-06-22 18:44:00 2,078,344 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-17 14:26:56 45,218 ----a-w C:\WINNT\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
- 2007-07-11 20:22:28 60,388 ----a-w C:\WINNT\SYSTEM32\PERFC009.DAT
+ 2007-11-11 00:54:04 60,388 ----a-w C:\WINNT\SYSTEM32\PERFC009.DAT
- 2007-07-11 20:22:28 389,838 ----a-w C:\WINNT\SYSTEM32\PERFH009.DAT
+ 2007-11-11 00:54:04 389,838 ----a-w C:\WINNT\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 06:00p C:\WINNT\SYSTEM32\MOBSYNC.EXE]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [06/10/03 10:07a]
"PRPCMonitor"="PRPCUI.exe" [10/06/02 02:00p C:\WINNT\SYSTEM32\prpcui.exe]
"DVDSentry"="C:\WINNT\system32\DSentry.exe" [07/16/02 09:18p]
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" [12/17/02 12:14a]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [07/29/05 07:52p]
"CARPService"="carpserv.exe" [10/17/02 06:54a C:\WINNT\SYSTEM32\carpserv.exe]
"nwiz"="nwiz.exe" [10/26/04 12:01p C:\WINNT\SYSTEM32\nwiz.exe]
"ZCfgSvc.exe"="C:\WINNT\system32\ZCfgSvc.exe" [07/05/05 12:32a]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [06/27/05 07:31a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/12/05 08:49p]
"NvCplDaemon"="RUNDLL32.exe" [06/19/03 06:00p C:\WINNT\SYSTEM32\RUNDLL32.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/07 07:51p]
"bacstray"="BacsTray.exe" [05/14/03 05:37a C:\WINNT\SYSTEM32\BacsTray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/07 01:11a]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/07 03:40p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat.exe"="internat.exe" [06/19/03 06:00p C:\WINNT\SYSTEM32\INTERNAT.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-06-19 21:04:45]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"=0 (0x0)
"Btn_Search"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINNT\system32\Drivers\SSFS0BB9.SYS
R1 cdudf;cdudf;C:\WINNT\system32\drivers\cdudf.sys
R1 UdfReadr;UdfReadr;C:\WINNT\system32\drivers\UdfReadr.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"
R2 BASFND;BASFND;\??\C:\WINNT\system32\Drivers\BASFND.sys
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys
R3 GTICARD;GTICARD;C:\WINNT\system32\DRIVERS\gticard.sys
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
R3 w70n5;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows 2000;C:\WINNT\system32\DRIVERS\w70n5.sys
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
S3 FreshIO;FreshIO;\??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
S3 NAL;Nal Service ;\??\C:\WINNT\system32\Drivers\iqvw32.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINNT\system32\NSNDIS5.SYS
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;"C:\Program Files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe"

.
Contents of the 'Scheduled Tasks' folder
"2007-11-18 15:33:30 C:\WINNT\Tasks\RegCure Program Check.job"
"2007-11-08 11:10:54 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 11:59:27
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 11/18/2007 12:00:02
C:\ComboFix2.txt ... 11/17/07 08:56p
C:\ComboFix3.txt ... 11/17/07 10:24a
.
--- E O F ---

by **Katana** » November 18th, 2007, 2:20 pm

Do you know what the creg.dat is used for or what software it is associated with? I did a Google search and didn't come up with anything. Could this be some residual file deposited by malware?

Creg.dat is part of ComboFix, it is perfectly safe

All this means is that for some reason it is having trouble accessing the registry

TotalScan

Please go to this site Link >> TotalScan << LINK

Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

by **rgward611** » November 18th, 2007, 7:14 pm

Here is the TotalScan Results...

;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-11-18 18:08:56
PROTECTIONS: 1
MALWARE: 14
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan 4.5.1 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00000431 adware/ist.istbar Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\istsvc
00001888 adware/dyfuca Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer
00039204 adware/cws Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\start page_bak
00040297 adware/blazefind Adware No 0 Yes No c:\winnt\key2.txt
00193807 dialer.bny Dialers No 0 Yes No c:\winnt\pcconfig.dat
00527848 Trj/Cimuz.Gen Virus/Trojan No 1 Yes No C:\qoobox\Quarantine\C\WINNT\SYSTEM32\mskvtns.dll.vir
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Downloads\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Downloads\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINNT\NirCmd.exe
02517202 Trj/Agony.B Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\Documents and Settings\Administrator\wn100.exe.vir
02517202 Trj/Agony.B Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Desktop\[4]-Submit_Sat 11-17-2007@20.49.zip[wn100.exe.vir]
02517203 Trj/Agony.B Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Desktop\[4]-Submit_Sat 11-17-2007@20.49.zip[r-k.exe.vir]
02517203 Trj/Agony.B Virus/Trojan No 0 Yes No C:\qoobox\Quarantine\C\WINNT\r-k.exe.vir
02517204 Rootkit/Agony HackTools No 0 Yes No C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\wininit.sys.vir
02517204 Rootkit/Agony HackTools No 0 Yes No C:\Documents and Settings\Administrator\Desktop\[4]-Submit_Sat 11-17-2007@20.49.zip[wininit.sys.vir]
02670454 Adware/Yazzle Adware No 0 Yes No C:\qoobox\Quarantine\C\WINNT\SYSTEM32\r2\wr31drs.exe.vir
02680439 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\qoobox\Quarantine\C\WINNT\xlavba8.exe.vir
02680439 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\qoobox\Quarantine\C\WINNT\xlavba6.exe.vir
02681224 Adware/BraveSentry Adware No 0 Yes No C:\qoobox\Quarantine\C\WINNT\wbrea.exe.vir
02698365 Trj/Keylog.MN Virus/Trojan No 1 Yes No C:\qoobox\Quarantine\C\WINNT\wesre.exe.vir
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Free Malware Removal Forum

Problem running HiJackthis

Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Re: Problem running HiJackthis

Who is online