: lsasddr.dll : dingofix August 20, 2007, 04:02:02 PM My Norton is coming up with lsasddr.dll as a Trojan Adclicker (annoying as hell); however, when I attempt to remove it, it says it's being used by another program, user yada yada. How can I get rid of this file, and how can I track which program is using it?
: Re: lsasddr.dll : Squeezebox August 20, 2007, 04:43:56 PM Start in Safe Mode, then run Norton - see if that makes a difference.
: Re: lsasddr.dll : Essexboy August 20, 2007, 06:06:25 PM That may only be the tip of the iceberg. I would recommend the following:
Download ComboFix from here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
On completion of running ComboFix, click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe.
: Re: lsasddr.dll : dingofix August 21, 2007, 11:08:47 AM Well damn @ length of logs.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:13 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.tt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {293f4892-53bb-4961-9857-598936625276} - C:\WINDOWS\system32\lsasddr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\lsasddr.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\lsasddr.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sastre\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9CDDD774-0E1E-49E3-91C6-F2D49949CF5D} (DictAideOE.ctlDictaideOE) - https://hcp.dictaide.com/OE3202.CAB
O16 - DPF: {D7107300-E42A-4C1C-84EB-4D783E58B88D} (DNInstallerOCX Class) - https://mq1webc2.speechmachines.org/Installer/InstallerOCX.cab
O16 - DPF: {D9E4E21E-60E0-11DA-91EB-00123F33E209} (DNInstallerOCX Class) - https://mq1webc2.speechmachines.org/Installer/DNInstaller2.cab
O20 - Winlogon Notify: lsasddr - C:\WINDOWS\SYSTEM32\lsasddr.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6518 bytes

____________________________________________________________________________________________

ComboFix 07-08-17.2 - "Sastre" 2007-08-21 10:28:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.148 [GMT -4:00]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Sastre\APPLIC~1\tmp109.tmp.exe
C:\DOCUME~1\Sastre\APPLIC~1\tmp10C.tmp.exe
C:\DOCUME~1\Sastre\APPLIC~1\tmp12.tmp.exe
C:\WINDOWS\system32\dn9c906e88.dat
C:\WINDOWS\system32\eNd6GsmI.exe
C:\WINDOWS\system32\gebcayy.dll
C:\WINDOWS\system32\X616Tj58.exe
C:\WINDOWS\Tasks.\At25.job
C:\WINDOWS\Tasks.\At26.job
C:\WINDOWS\Tasks.\At27.job
C:\WINDOWS\Tasks.\At28.job
C:\WINDOWS\Tasks.\At29.job
C:\WINDOWS\Tasks.\At30.job
C:\WINDOWS\Tasks.\At31.job
C:\WINDOWS\Tasks.\At32.job
C:\WINDOWS\Tasks.\At33.job
C:\WINDOWS\Tasks.\At34.job
C:\WINDOWS\Tasks.\At35.job
C:\WINDOWS\Tasks.\At36.job
C:\WINDOWS\Tasks.\At37.job
C:\WINDOWS\Tasks.\At38.job
C:\WINDOWS\Tasks.\At39.job
C:\WINDOWS\Tasks.\At40.job
C:\WINDOWS\Tasks.\At41.job
C:\WINDOWS\Tasks.\At42.job
C:\WINDOWS\Tasks.\At43.job
C:\WINDOWS\Tasks.\At44.job
C:\WINDOWS\Tasks.\At45.job
C:\WINDOWS\Tasks.\At46.job
C:\WINDOWS\Tasks.\At47.job
C:\WINDOWS\Tasks.\At48.job
C:\WINDOWS\Tasks.\At73.job
C:\WINDOWS\Tasks.\At74.job
C:\WINDOWS\Tasks.\At75.job
C:\WINDOWS\Tasks.\At76.job
C:\WINDOWS\Tasks.\At77.job
C:\WINDOWS\Tasks.\At78.job
C:\WINDOWS\Tasks.\At79.job
C:\WINDOWS\Tasks.\At80.job
C:\WINDOWS\Tasks.\At81.job
C:\WINDOWS\Tasks.\At82.job
C:\WINDOWS\Tasks.\At83.job
C:\WINDOWS\Tasks.\At84.job
C:\WINDOWS\Tasks.\At85.job
C:\WINDOWS\Tasks.\At86.job
C:\WINDOWS\Tasks.\At87.job
C:\WINDOWS\Tasks.\At88.job
C:\WINDOWS\Tasks.\At89.job
C:\WINDOWS\Tasks.\At90.job
C:\WINDOWS\Tasks.\At91.job
C:\WINDOWS\Tasks.\At92.job
C:\WINDOWS\Tasks.\At93.job
C:\WINDOWS\Tasks.\At94.job
C:\WINDOWS\Tasks.\At95.job
C:\WINDOWS\Tasks.\At96.job

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))

2007-08-21 10:27 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 11:01 225,280 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-17 22:20 <DIR> d-------- C:\WINDOWS\pss
2007-08-15 08:22 <DIR> d-------- C:\Program Files\ScanSpyware v3.8.0.4
2007-08-14 21:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-04 19:08 92,730 --------- C:\WINDOWS\system32\lsasddr.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 19:48 --------- d-------- C:\DOCUME~1\Sastre\APPLIC~1\IMVU
2007-08-20 19:10 --------- d-------- C:\Program Files\DocQscribe
2007-08-20 19:08 --------- d-------- C:\Program Files\QLEDR05
2007-08-20 10:57 --------- d-------- C:\Program Files\Norton AntiVirus
2007-08-20 09:48 --------- d-------- C:\Program Files\Warcraft III
2007-08-19 13:33 --------- d-------- C:\DOCUME~1\Sastre\APPLIC~1\BitTorrent
2007-08-17 05:49 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-17 05:42 --------- d-------- C:\Program Files\Symantec
2007-08-16 23:46 --------- d-------- C:\Program Files\IMVU
2007-08-03 18:19 --------- d-------- C:\Program Files\SymNetDrv
2007-07-23 18:37 --------- d-------- C:\DOCUME~1\Sastre\APPLIC~1\LimeWire
2007-07-12 10:00 --------- d-------- C:\Program Files\Ares
2007-07-10 17:32 --------- d-------- C:\Program Files\eMule
2007-07-08 01:12 4608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-07-08 01:10 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-06-28 11:26 --------- d-------- C:\Program Files\Yahoo!
2007-06-27 19:50 --------- d-------- C:\Program Files\GAMES

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{293f4892-53bb-4961-9857-598936625276}]
2007-08-04 19:08 92730 --------- C:\WINDOWS\system32\lsasddr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-04-13 12:49]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-08-17 05:41]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"VTTimer"="VTTimer.exe" [2005-03-07 15:33 C:\WINDOWS\system32\VTTimer.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" []
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2007-04-13 12:49]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-06-30 01:16 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lsasddr]
lsasddr.dll 2007-08-04 19:08 92730 C:\WINDOWS\system32\lsasddr.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2dd4e72-9f9a-11db-8909-0016179b061b}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

Contents of the 'Scheduled Tasks' folder
2007-08-21 13:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 14:00:00 C:\WINDOWS\Tasks\At11.job
2007-08-20 15:00:00 C:\WINDOWS\Tasks\At12.job
2007-08-19 16:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-19 17:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-19 18:00:02 C:\WINDOWS\Tasks\At15.job
2007-08-19 19:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-19 20:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-20 21:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-20 22:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-20 23:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 00:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 01:00:00 C:\WINDOWS\Tasks\At22.job
2007-08-21 02:00:00 C:\WINDOWS\Tasks\At23.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 03:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 06:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 07:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 04:00:00 C:\WINDOWS\Tasks\At49.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 08:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 05:00:00 C:\WINDOWS\Tasks\At50.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 06:00:00 C:\WINDOWS\Tasks\At51.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 07:00:00 C:\WINDOWS\Tasks\At52.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 08:00:01 C:\WINDOWS\Tasks\At53.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 09:00:00 C:\WINDOWS\Tasks\At54.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 10:00:00 C:\WINDOWS\Tasks\At55.job
2007-08-21 11:00:00 C:\WINDOWS\Tasks\At56.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 12:00:01 C:\WINDOWS\Tasks\At57.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 13:00:00 C:\WINDOWS\Tasks\At58.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 14:00:00 C:\WINDOWS\Tasks\At59.job
2007-08-21 09:00:00 C:\WINDOWS\Tasks\At6.job
2007-08-20 15:00:00 C:\WINDOWS\Tasks\At60.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-19 16:00:00 C:\WINDOWS\Tasks\At61.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-19 17:00:00 C:\WINDOWS\Tasks\At62.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-19 18:00:03 C:\WINDOWS\Tasks\At63.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-19 19:00:00 C:\WINDOWS\Tasks\At64.job
2007-08-19 20:00:00 C:\WINDOWS\Tasks\At65.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-20 21:00:00 C:\WINDOWS\Tasks\At66.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-20 22:00:00 C:\WINDOWS\Tasks\At67.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-20 23:00:00 C:\WINDOWS\Tasks\At68.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 00:00:00 C:\WINDOWS\Tasks\At69.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 10:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 01:00:00 C:\WINDOWS\Tasks\At70.job
2007-08-21 02:00:00 C:\WINDOWS\Tasks\At71.job
2007-08-21 03:00:00 C:\WINDOWS\Tasks\At72.job - C:\WINDOWS\system32\Uf8tJN4K.exe
2007-08-21 11:00:00 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-21 12:00:01 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\system32\Xi3EouL1.exe
2007-08-20 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Sastre.job - C:\PROGRA~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 10:46:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-21 10:48:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 10:48
--- E O F ---

: Re: lsasddr.dll : Essexboy August 21, 2007, 02:26:14 PM Not a pretty sight, so let's get to work at cleaning you out.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {293f4892-53bb-4961-9857-598936625276} - C:\WINDOWS\system32\lsasddr.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\lsasddr.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\lsasddr.dll
O16 - DPF: {D7107300-E42A-4C1C-84EB-4D783E58B88D} (DNInstallerOCX Class) - https://mq1webc2.speechmachines.org/Installer/InstallerOCX.cab
O16 - DPF: {D9E4E21E-60E0-11DA-91EB-00123F33E209} (DNInstallerOCX Class) - https://mq1webc2.speechmachines.org/Installer/DNInstaller2.cab
O20 - Winlogon Notify: lsasddr - C:\WINDOWS\SYSTEM32\lsasddr.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
________________________________
Please download OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).
[color="green"]**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at: C:\_OTMoveIt\MovedFiles\********_******.log (where "********_******" is the "date_time")[/color]
Click "Exit" to close OTMoveIt.
______________________________________
WARNING: these fixes are designed for this user only and may cause damage if run on an uninfected machine.

First we must back up the entire registry. To do this:

REGISTRY BACKUP
Go START > RUN and type in REGEDIT, then press your Enter key.
When Regedit is open, ensure that 'My Computer' is highlighted in the left pane.
Go to FILE and select EXPORT.
Check the 'All' button at the bottom of the screen to back up the entire registry.
You will need to select a location to save the exported registry (it will be saved as a single file); I would suggest the Desktop.
Choose the FILE NAME as Oldreg.
In the drop-down box called SAVE AS TYPE select Registration Files (*.reg). Then click SAVE.
This will create a file on your desktop called Oldreg.reg (http://img127.imageshack.us/img127/433/regtg8.jpg)

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2dd4e72-9f9a-11db-8909-0016179b061b}]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4, and that there is a line after the last data line.
Then in Notepad go to FILE > SAVE AS and in the drop-down box select SAVE AS TYPE to ALL FILES. Then in the FILE NAME box type fix.reg.
This will create a fix.reg file on your desktop (http://img127.imageshack.us/img127/433/regtg8.jpg)
To use this file you will need to right-click the icon and select Merge, accept the warning if it appears, and you are done.
__________________________________
Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
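Every entry Essexboy asks to have fixed above points at the same file, and that also answers the opening question about what keeps lsasddr.dll "in use": an O2 Browser Helper Object and the O9 buttons are loaded into Internet Explorer (BHOs also load into Explorer), and an O20 Winlogon Notify package is loaded by winlogon.exe, so the DLL is mapped from logon onward and a normal-mode delete fails. The script below is an added illustration, not part of the thread, of HijackThis or of any tool it mentions: it parses HijackThis-style lines (a constructed sample modelled on the log above), groups load points by normalised file path, and reports which host process each load point implies. The HOST_PROCESS table is my own summary of what each section code means, not HijackThis output.

```python
import re
from collections import defaultdict

# Constructed sample: a few HijackThis-style lines modelled on the log in this
# thread (not the full log), with clean entries alongside the suspect ones.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {293f4892-53bb-4961-9857-598936625276} - C:\WINDOWS\system32\lsasddr.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\lsasddr.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\lsasddr.dll
O20 - Winlogon Notify: lsasddr - C:\WINDOWS\SYSTEM32\lsasddr.dll
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# One HijackThis entry per line: a section code, " - ", then the description.
HJT_ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# A drive-letter path ending in an extension HijackThis commonly reports.
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys|lnk)\b", re.IGNORECASE)

# Which process loads each kind of entry (my own summary, not HijackThis output).
HOST_PROCESS = {
    "O2": "iexplore.exe / explorer.exe (Browser Helper Object)",
    "O3": "iexplore.exe / explorer.exe (toolbar)",
    "O4": "launched by explorer.exe at logon (Run key)",
    "O9": "iexplore.exe (extra button / Tools menu item)",
    "O20": "winlogon.exe (Winlogon Notify package)",
    "O23": "services.exe (Win32 service)",
}


def parse_hjt(text):
    """Split a HijackThis log into entries; each carries its normalised path, if any."""
    entries = []
    for raw in text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if not m:
            continue                      # header lines, "Running processes", blanks
        body = m.group("body")
        p = WIN_PATH.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            # Windows paths are case-insensitive, so SYSTEM32 and system32 must merge.
            "path": p.group(0).lower() if p else None,
        })
    return entries


def load_points(entries):
    """Map each file path to the list of section codes that reference it."""
    by_path = defaultdict(list)
    for e in entries:
        if e["path"]:
            by_path[e["path"]].append(e["section"])
    return dict(by_path)


def locks_for(entries, filename):
    """(section, host process) pairs explaining why `filename` is open after logon."""
    name = filename.lower()
    return [(e["section"], HOST_PROCESS.get(e["section"], "unknown host"))
            for e in entries
            if e["path"] and e["path"].endswith("\\" + name)]


def multi_hooked(entries, min_sections=2):
    """Paths hooked from several different section types: the ones to look at first."""
    return sorted(path for path, secs in load_points(entries).items()
                  if len(set(secs)) >= min_sections)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for path in multi_hooked(found):
        print(path)
        for section, host in locks_for(found, path.rsplit("\\", 1)[1]):
            print(f"  {section:<4} {host}")
```

On the sample, only the system32 DLL is hooked from more than one section type (O2, O9 and O20); the Adobe BHO, the Symantec Run entry and the Norton service each appear once, which is the normal shape for legitimate software.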
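The registry-fix steps above reduce to a file-layout rule that a stray space or missing newline silently breaks: the REGEDIT4 header must be the very first line, each key to delete is written as [-KEY] on its own line, and a blank line must follow the last data line, otherwise regedit rejects the file. The helper below is an added example, not part of the thread or of any tool it mentions: it builds such a fix file for the MountPoints2 key quoted above (the per-drive autorun handler that ComboFix showed launching sxs.exe) and checks an existing fix file against those rules before it is merged. The function names and the HEADERS/KNOWN_ROOTS tables are my own.

```python
import re

# Both header forms regedit accepts; the thread uses the older REGEDIT4 one.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KNOWN_ROOTS = {
    "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
    "HKEY_USERS", "HKEY_CURRENT_CONFIG",
}
# A value line inside a key: "name"=... or @=... for the default value.
VALUE_LINE = re.compile(r'^(@|"[^"]*")=')

# The key Essexboy's fix removes (quoted from the thread): the per-drive
# autorun handler that ComboFix listed with "Auto\command- sxs.exe".
THREAD_FIX_KEY = (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion"
                  r"\explorer\mountpoints2\{c2dd4e72-9f9a-11db-8909-0016179b061b}")


def build_reg_fix(keys_to_delete, header="REGEDIT4"):
    """Return the text of a .reg file that deletes each key in `keys_to_delete`.

    Layout follows the thread's rules: header on line 1 with nothing above it,
    one [-KEY] line per key, and a blank line after the last data line.
    """
    lines = [header, ""]
    for key in keys_to_delete:
        lines.append(f"[-{key}]")         # leading '-' inside the brackets = delete
    lines.append("")                      # the trailing blank line
    return "\n".join(lines) + "\n"


def check_reg_fix(text):
    """Return a list of layout problems; an empty list means the file is OK to merge."""
    problems = []
    lines = text.split("\n")
    if lines[0] not in HEADERS:
        problems.append("line 1 must be exactly the header (no space or blank line above it)")
    if not text.endswith("\n\n"):
        problems.append("missing blank line after the last data line")
    in_key = False
    for n, line in enumerate(lines[1:], start=2):
        if line == "":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")          # strip the delete marker, if any
            root = key.split("\\", 1)[0]
            if root.upper() not in KNOWN_ROOTS:
                problems.append(f"line {n}: unknown registry root {root!r}")
            in_key = True
        elif VALUE_LINE.match(line):
            if not in_key:
                problems.append(f"line {n}: value line before any [KEY] line")
        else:
            problems.append(f"line {n}: not a key or value line: {line!r}")
    return problems


if __name__ == "__main__":
    fix = build_reg_fix([THREAD_FIX_KEY])
    print(fix, end="")
    print("problems:", check_reg_fix(fix) or "none")
```

Run the checker on fix.reg after saving it from Notepad: the two most common slips, a leading space before REGEDIT4 and no blank line at the end, are the first two messages it reports.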
: Re: lsasddr.dll : Essexboy August 21, 2007, 02:27:10 PM Also, did you purchase or download this programme:
ScanSpyware v3.8.0.4
: Re: lsasddr.dll : dingofix August 24, 2007, 10:38:12 AM Work can be so bothersome at times. Anyways, my logs:
LoadLibrary failed for C:\WINDOWS\system32\lsasddr.dll
C:\WINDOWS\system32\lsasddr.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\lsasddr.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\Xi3EouL1.exe not found.
File/Folder C:\WINDOWS\system32\Uf8tJN4K.exe not found.
C:\WINDOWS\Tasks\At10.job moved successfully.
C:\WINDOWS\Tasks\At11.job moved successfully.
C:\WINDOWS\Tasks\At12.job moved successfully.
C:\WINDOWS\Tasks\At13.job moved successfully.
C:\WINDOWS\Tasks\At14.job moved successfully.
C:\WINDOWS\Tasks\At15.job moved successfully.
C:\WINDOWS\Tasks\At16.job moved successfully.
C:\WINDOWS\Tasks\At17.job moved successfully.
C:\WINDOWS\Tasks\At18.job moved successfully.
C:\WINDOWS\Tasks\At19.job moved successfully.
C:\WINDOWS\Tasks\At20.job moved successfully.
C:\WINDOWS\Tasks\At21.job moved successfully.
C:\WINDOWS\Tasks\At22.job moved successfully.
C:\WINDOWS\Tasks\At23.job moved successfully.
C:\WINDOWS\Tasks\At24.job moved successfully.
C:\WINDOWS\Tasks\At3.job moved successfully.
C:\WINDOWS\Tasks\At4.job moved successfully.
C:\WINDOWS\Tasks\At49.job moved successfully.
C:\WINDOWS\Tasks\At5.job moved successfully.
C:\WINDOWS\Tasks\At50.job moved successfully.
C:\WINDOWS\Tasks\At51.job moved successfully.
C:\WINDOWS\Tasks\At52.job moved successfully.
C:\WINDOWS\Tasks\At53.job moved successfully.
C:\WINDOWS\Tasks\At54.job moved successfully.
C:\WINDOWS\Tasks\At55.job moved successfully.
C:\WINDOWS\Tasks\At56.job moved successfully.
C:\WINDOWS\Tasks\At57.job moved successfully.
C:\WINDOWS\Tasks\At58.job moved successfully.
C:\WINDOWS\Tasks\At59.job moved successfully.
C:\WINDOWS\Tasks\At6.job moved successfully.
C:\WINDOWS\Tasks\At60.job moved successfully.
C:\WINDOWS\Tasks\At61.job moved successfully.
C:\WINDOWS\Tasks\At62.job moved successfully.
C:\WINDOWS\Tasks\At63.job moved successfully.
C:\WINDOWS\Tasks\At64.job moved successfully.
C:\WINDOWS\Tasks\At65.job moved successfully.
C:\WINDOWS\Tasks\At66.job moved successfully.
C:\WINDOWS\Tasks\At67.job moved successfully.
C:\WINDOWS\Tasks\At68.job moved successfully.
C:\WINDOWS\Tasks\At69.job moved successfully.
C:\WINDOWS\Tasks\At7.job moved successfully.
C:\WINDOWS\Tasks\At70.job moved successfully.
C:\WINDOWS\Tasks\At71.job moved successfully.
C:\WINDOWS\Tasks\At72.job moved successfully.
C:\WINDOWS\Tasks\At8.job moved successfully.
C:\WINDOWS\Tasks\At9.job moved successfully.
Created on 08/22/2007 11:05:02

: Re: lsasddr.dll : dingofix August 24, 2007, 10:44:11 AM Thanks to the moderator for the help. lsasddr.dll is no longer annoying; it might still be there and dangerous, but not annoying.
WinPFind3 logfile created on: 8/22/2007 11:18:44 AM
WinPFind3U by OldTimer - Version 1.0.39
Folder = C:\Documents and Settings\Sastre\Desktop\clean up\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)
447.48 Mb Total Physical Memory | 185.13 Mb Available Physical Memory | 41.37% Memory free
1.03 Gb Paging File | 0.84 Gb Available in Paging File | 81.19% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 80.00 Gb Total Space | 8.30 Gb Free Space | 10.37% Space Free
D: Drive not present or media not loaded
Drive E: | 106.30 Gb Total Space | 64.42 Gb Free Space | 60.60% Space Free
F: Drive not present or media not loaded
Computer Name: BUCK1
Current User Name: Sastre
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 7/25/2006 6:03:44 PM | Attr = ]
ccapp.exe -> %CommonProgramFiles%\Symantec Shared\CCAPP.EXE -> Symantec Corporation [Ver = 103.0.9.2 | Size = 58984 bytes | Modified Date = 1/9/2007 5:32:02 PM | Attr = ]
ccevtmgr.exe -> %CommonProgramFiles%\Symantec Shared\CCEVTMGR.EXE -> Symantec Corporation [Ver = 103.0.9.2 | Size = 198248 bytes | Modified Date = 1/9/2007 5:32:02 PM | Attr = ]
ccsetmgr.exe -> %CommonProgramFiles%\Symantec Shared\CCSETMGR.EXE -> Symantec Corporation [Ver = 103.0.9.2 | Size = 181864 bytes | Modified Date = 1/9/2007 5:32:04 PM | Attr = ]
navapsvc.exe -> %ProgramFiles%\Norton AntiVirus\NAVAPSVC.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 177264 bytes | Modified Date = 1/10/2005 12:20:22 PM | Attr = ]
nerocheck.exe -> %System32%\NeroCheck.exe -> [Ver = | Size = 53267 bytes | Modified Date = 4/13/2007 12:49:48 PM | Attr = ]
npfmntor.exe -> %ProgramFiles%\Norton AntiVirus\IWP\NPFMNTOR.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 46704 bytes | Modified Date = 1/10/2005 12:20:42 PM | Attr = ]
sndsrvc.exe -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.5.6.604 | Size = 206552 bytes | Modified Date = 3/28/2007 6:41:56 PM | Attr = ]
spbbcsvc.exe -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCSvc.exe -> Symantec Corporation [Ver = 1,0,1,47 | Size = 173160 bytes | Modified Date = 7/21/2004 5:24:04 PM | Attr = ]
symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1, 8, 54, 419 | Size = 817304 bytes | Modified Date = 7/8/2007 1:13:00 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\clean up\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr = ]
yahoomessenger.exe -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,402 | Size = 4670968 bytes | Modified Date = 6/11/2007 6:16:12 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(AresChatServer) Ares Chatroom server [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Ares\chatServer.exe -> Ares Development Group [Ver = 2.0.5.3027 | Size = 263168 bytes | Modified Date = 2/6/2007 9:39:26 PM | Attr = ]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 7/25/2006 6:03:44 PM | Attr = ]
(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCEVTMGR.EXE -> Symantec Corporation [Ver = 103.0.9.2 | Size = 198248 bytes | Modified Date = 1/9/2007 5:32:02 PM | Attr = ]
(ccPwdSvc) Symantec Password Validation [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\CCPWDSVC.EXE -> Symantec Corporation [Ver = 103.0.9.2 | Size = 79464 bytes | Modified Date = 1/9/2007 5:32:04 PM | Attr = ]
(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCSETMGR.EXE -> Symantec Corporation [Ver = 103.0.9.2 | Size = 181864 bytes | Modified Date = 1/9/2007 5:32:04 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 12:56:50 AM | Attr = ]
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_0.EXE -> Symantec Corporation [Ver = 3.0.0.171 | Size = 2119360 bytes | Modified Date = 7/25/2006 6:03:44 PM | Attr = ]
(navapsvc) Norton AntiVirus Auto-Protect Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton AntiVirus\NAVAPSVC.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 177264 bytes | Modified Date = 1/10/2005 12:20:22 PM | Attr = ]
(NPFMntor) Norton AntiVirus Firewall Monitor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton AntiVirus\IWP\NPFMNTOR.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 46704 bytes | Modified Date = 1/10/2005 12:20:42 PM | Attr = ]
(SAVScan) SAVScan [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Norton AntiVirus\SAVSCAN.EXE -> Symantec Corporation [Ver = 9.4.1.10 | Size = 198368 bytes | Modified Date = 12/10/2004 1:00:50 PM | Attr = ]
(SBService) ScriptBlocking Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\Script Blocking\SBSERV.EXE -> Symantec Corporation [Ver = 11.0.9.16 | Size = 67184 bytes | Modified Date = 1/10/2005 12:20:48 PM | Attr = ]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.5.6.604 | Size = 206552 bytes | Modified Date = 3/28/2007 6:41:56 PM | Attr = ]
(SPBBCSvc) Symantec SPBBCSvc [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCSvc.exe -> Symantec Corporation [Ver = 1,0,1,47 | Size = 173160 bytes | Modified Date = 7/21/2004 5:24:04 PM | Attr = ]
(Symantec Core LC) Symantec Core LC [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1, 8, 54, 419 | Size = 817304 bytes | Modified Date = 7/8/2007 1:13:00 AM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
AudioDeck -> %ProgramFiles%\VIAudioi\SBADeck\ADeck.exe -> File not found
ccApp -> %CommonProgramFiles%\Symantec Shared\CCAPP.EXE -> Symantec Corporation [Ver = 103.0.9.2 | Size = 58984 bytes | Modified Date = 1/9/2007 5:32:02 PM | Attr = ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> [Ver = | Size = 53267 bytes | Modified Date = 4/13/2007 12:49:48 PM | Attr = ]
RaidTool -> %ProgramFiles%\VIA\RAID\raid_tool.exe -> [Ver = | Size = 53267 bytes | Modified Date = 4/13/2007 12:49:48 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_10\bin\jusched.exe -> File not found
Symantec NetDriver Monitor -> %ProgramFiles%\SymNetDrv\SNDMon.exe -> Symantec Corporation [Ver = 5.5.6.604 | Size = 100056 bytes | Modified Date = 8/17/2007 5:41:36 AM | Attr = ]
VTTimer -> %System32%\VTTimer.exe -> S3 Graphics, Inc. [Ver = 2.00.01-0307 | Size = 53248 bytes | Modified Date = 3/7/2005 3:33:28 PM | Attr = R ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,402 | Size = 4670968 bytes | Modified Date = 6/11/2007 6:16:12 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
lsasddr -> lsasddr.dll -> File not found
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.google.tt/ ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.9.0.2004090100 | Size = 58528 bytes | Modified Date = 9/1/2004 1:43:30 AM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Reg Data - Value does not exist] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc.
[Ver = 5.0.100.3 | Size = 440056 bytes | Modified Date = 11/9/2006 3:21:52 PM | Attr = ] {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found {BDF3E430-B101-42AD-A544-FADC6B084872} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVSHEXT.DLL [CNavExtBho Class] -> Symantec Corporation [Ver = 11.0.9.16 | Size = 218736 bytes | Modified Date = 1/10/2005 12:20:36 PM | Attr = ] < Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVSHEXT.DLL [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.9.16 | Size = 218736 bytes | Modified Date = 1/10/2005 12:20:36 PM | Attr = ] < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVSHEXT.DLL [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.9.16 | Size = 218736 bytes | Modified Date = 1/10/2005 12:20:36 PM | Attr = ] WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVSHEXT.DLL [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.9.16 | Size = 218736 bytes | Modified Date = 1/10/2005 12:20:36 PM | Attr = ] < Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> {92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found {9455301C-CF6B-11D3-A266-00C04F689C50} -> Reg Data - Value does not exist [ButtonText: Researcher] -> File not found {B205A35E-1FC4-4CE3-818B-899DBBB3388C} [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist] -> File not found {d9288080-1baa-4bc4-9cf8-a92d743db949} -> %SystemDrive%\Documents and Settings\Sastre\Start Menu\Programs\IMVU\Run IMVU.lnk [ButtonText: Run IMVU] -> [Ver = | 
Size = 1540 bytes | Modified Date = 8/5/2007 3:53:26 AM | Attr = ] < Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> E&xport to Microsoft Excel -> -> File not found < User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform -> SV1 -> -> < DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> {AF533E7F-AF15-4EC1-B6CF-36492627C37F} -> (VIA Rhine II Fast Ethernet Adapter) -> < Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> ipp -> %System32%\lsasddr.dll -> File not found msdaipp -> %System32%\lsasddr.dll -> File not found < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> {166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab -> {8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab -> {9CDDD774-0E1E-49E3-91C6-F2D49949CF5D} -> DictAideOE.ctlDictaideOE - CodeBase = https://hcp.dictaide.com/OE3202.CAB -> {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab -> {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab -> {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab -> {D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab -> {D7107300-E42A-4C1C-84EB-4D783E58B88D} -> DNInstallerOCX Class - CodeBase = 
https://mq1webc2.speechmachines.org/Installer/InstallerOCX.cab -> {D9E4E21E-60E0-11DA-91EB-00123F33E209} -> DNInstallerOCX Class - CodeBase = https://mq1webc2.speechmachines.org/Installer/DNInstaller2.cab -> : Re: lsasddr.dll : dingofix August 24, 2007, 10:48:39 AM [Files/Folders - Created Within 30 days] boot.ini.cf -> %SystemDrive%\boot.ini.cf -> [Ver = | Size = 211 bytes | Created Date = 8/21/2007 10:30:00 AM | Attr = HS] ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 8/21/2007 10:27:14 AM | Attr = ] Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 8/17/2007 5:41:12 AM | Attr = HS] QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 8/21/2007 10:29:38 AM | Attr = ] _OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 8/22/2007 11:05:01 AM | Attr = ] catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 109056 bytes | Created Date = 8/21/2007 10:27:18 AM | Attr = ] erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 8/21/2007 10:28:06 AM | Attr = ] nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 8/21/2007 10:27:18 AM | Attr = ] pss -> %SystemRoot%\pss -> [Folder | Created Date = 8/17/2007 10:20:58 PM | Attr = ] temp -> %SystemRoot%\temp -> [Folder | Created Date = 8/21/2007 10:49:01 AM | Attr = ] wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 166 bytes | Created Date = 8/14/2007 10:50:05 PM | Attr = ] At100.job -> %SystemRoot%\tasks\At100.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At101.job -> %SystemRoot%\tasks\At101.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At102.job -> %SystemRoot%\tasks\At102.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At103.job -> %SystemRoot%\tasks\At103.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At104.job -> %SystemRoot%\tasks\At104.job -> [Ver = | Size = 350 
bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At105.job -> %SystemRoot%\tasks\At105.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At106.job -> %SystemRoot%\tasks\At106.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At107.job -> %SystemRoot%\tasks\At107.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At108.job -> %SystemRoot%\tasks\At108.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At109.job -> %SystemRoot%\tasks\At109.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At110.job -> %SystemRoot%\tasks\At110.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At111.job -> %SystemRoot%\tasks\At111.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At112.job -> %SystemRoot%\tasks\At112.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At113.job -> %SystemRoot%\tasks\At113.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At114.job -> %SystemRoot%\tasks\At114.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At115.job -> %SystemRoot%\tasks\At115.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At116.job -> %SystemRoot%\tasks\At116.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At117.job -> %SystemRoot%\tasks\At117.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At118.job -> %SystemRoot%\tasks\At118.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At119.job -> %SystemRoot%\tasks\At119.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At120.job -> %SystemRoot%\tasks\At120.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] 
At97.job -> %SystemRoot%\tasks\At97.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At98.job -> %SystemRoot%\tasks\At98.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] At99.job -> %SystemRoot%\tasks\At99.job -> [Ver = | Size = 350 bytes | Created Date = 8/21/2007 12:04:01 PM | Attr = ] 2XHEIsXv.exe -> %System32%\2XHEIsXv.exe -> [Ver = | Size = 26176 bytes | Created Date = 8/21/2007 12:03:59 PM | Attr = ] swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 8/21/2007 10:27:18 AM | Attr = ] swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 8/21/2007 10:27:18 AM | Attr = ] swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 8/21/2007 10:27:18 AM | Attr = ] vfind.exe -> %System32%\vfind.exe -> [Ver = | Size = 49152 bytes | Created Date = 8/21/2007 10:27:18 AM | Attr = ] [Files/Folders - Modified Within 30 days] boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 8/20/2007 4:14:58 PM | Attr = HS] boot.ini.cf -> %SystemDrive%\boot.ini.cf -> [Ver = | Size = 211 bytes | Modified Date = 8/20/2007 4:14:58 PM | Attr = HS] ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 8/21/2007 10:49:18 AM | Attr = ] Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 8/17/2007 5:49:46 AM | Attr = HS] Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 8/20/2007 11:01:24 AM | Attr = ] Program Files -> %ProgramFiles% -> [Folder | Modified Date = 8/22/2007 11:06:40 AM | Attr = R ] QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 8/21/2007 10:29:40 AM | Attr = ] System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 8/14/2007 6:36:12 PM | Attr = HS] WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 8/21/2007 10:49:02 AM 
| Attr = ] _OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 8/22/2007 11:05:02 AM | Attr = ] bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 8/22/2007 11:06:34 AM | Attr = S] entpack.ini -> %SystemRoot%\entpack.ini -> [Ver = | Size = 2026 bytes | Modified Date = 8/6/2007 5:10:32 PM | Attr = ] erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 8/21/2007 10:30:02 AM | Attr = ] FUJIGOLF.INI -> %SystemRoot%\FUJIGOLF.INI -> [Ver = | Size = 213 bytes | Modified Date = 8/6/2007 5:18:18 PM | Attr = ] Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 8/17/2007 5:41:36 AM | Attr = HS] Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 8/11/2007 5:04:02 AM | Attr = ] NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 116 bytes | Modified Date = 8/3/2007 8:27:28 AM | Attr = ] popcinfo.dat -> %SystemRoot%\popcinfo.dat -> [Ver = | Size = 10 bytes | Modified Date = 8/22/2007 10:41:24 AM | Attr = ] Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 8/22/2007 11:16:02 AM | Attr = ] pss -> %SystemRoot%\pss -> [Folder | Modified Date = 8/17/2007 10:23:16 PM | Attr = ] SORW.bkm -> %SystemRoot%\SORW.bkm -> [Ver = | Size = 10 bytes | Modified Date = 8/10/2007 3:44:38 PM | Attr = ] SPTH.bkm -> %SystemRoot%\SPTH.bkm -> [Ver = | Size = 10 bytes | Modified Date = 8/15/2007 6:25:36 PM | Attr = ] SYMGAMES.INI -> %SystemRoot%\SYMGAMES.INI -> [Ver = | Size = 44 bytes | Modified Date = 8/6/2007 5:26:50 PM | Attr = ] system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 8/20/2007 4:14:58 PM | Attr = ] system32 -> %System32% -> [Folder | Modified Date = 8/22/2007 11:06:32 AM | Attr = ] Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 8/22/2007 11:12:20 AM | Attr = S] temp -> %SystemRoot%\temp -> [Folder | Modified Date = 8/22/2007 11:12:08 AM | Attr = ] win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 624 bytes | Modified Date = 8/20/2007 
4:14:58 PM | Attr = ] wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 166 bytes | Modified Date = 8/18/2007 8:09:52 AM | Attr = ] At100.job -> %SystemRoot%\tasks\At100.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 3:03:02 AM | Attr = ] At101.job -> %SystemRoot%\tasks\At101.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 4:03:02 AM | Attr = ] At102.job -> %SystemRoot%\tasks\At102.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 5:03:02 AM | Attr = ] At103.job -> %SystemRoot%\tasks\At103.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 6:03:02 AM | Attr = ] At104.job -> %SystemRoot%\tasks\At104.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 7:03:02 AM | Attr = ] At105.job -> %SystemRoot%\tasks\At105.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 8:03:02 AM | Attr = ] At106.job -> %SystemRoot%\tasks\At106.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 9:03:16 AM | Attr = ] At107.job -> %SystemRoot%\tasks\At107.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 10:03:06 AM | Attr = ] At108.job -> %SystemRoot%\tasks\At108.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 11:03:02 AM | Attr = ] At109.job -> %SystemRoot%\tasks\At109.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 12:04:02 PM | Attr = ] At110.job -> %SystemRoot%\tasks\At110.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 1:01:02 PM | Attr = ] At111.job -> %SystemRoot%\tasks\At111.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 2:01:02 PM | Attr = ] At112.job -> %SystemRoot%\tasks\At112.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 3:01:02 PM | Attr = ] At113.job -> %SystemRoot%\tasks\At113.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 4:01:02 PM | Attr = ] At114.job -> %SystemRoot%\tasks\At114.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 5:01:02 PM | Attr = ] At115.job -> 
%SystemRoot%\tasks\At115.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 6:01:02 PM | Attr = ] At116.job -> %SystemRoot%\tasks\At116.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 7:01:02 PM | Attr = ] At117.job -> %SystemRoot%\tasks\At117.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 8:01:06 PM | Attr = ] At118.job -> %SystemRoot%\tasks\At118.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 9:01:02 PM | Attr = ] At119.job -> %SystemRoot%\tasks\At119.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 10:03:02 PM | Attr = ] At120.job -> %SystemRoot%\tasks\At120.job -> [Ver = | Size = 350 bytes | Modified Date = 8/21/2007 11:03:02 PM | Attr = ] At97.job -> %SystemRoot%\tasks\At97.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 12:03:02 AM | Attr = ] At98.job -> %SystemRoot%\tasks\At98.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 1:03:02 AM | Attr = ] At99.job -> %SystemRoot%\tasks\At99.job -> [Ver = | Size = 350 bytes | Modified Date = 8/22/2007 2:03:02 AM | Attr = ] Norton AntiVirus - Scan my computer - Sastre.job -> %SystemRoot%\tasks\Norton AntiVirus - Scan my computer - Sastre.job -> [Ver = | Size = 532 bytes | Modified Date = 8/19/2007 8:00:02 PM | Attr = ] SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 8/22/2007 11:06:38 AM | Attr = H ] 2XHEIsXv.exe -> %System32%\2XHEIsXv.exe -> [Ver = | Size = 26176 bytes | Modified Date = 8/21/2007 12:03:28 PM | Attr = ] CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 8/21/2007 7:55:52 PM | Attr = ] config -> %System32%\config -> [Folder | Modified Date = 8/21/2007 10:30:08 AM | Attr = ] drivers -> %System32%\drivers -> [Folder | Modified Date = 8/21/2007 10:28:14 AM | Attr = ] Restore -> %System32%\Restore -> [Folder | Modified Date = 8/17/2007 10:21:46 PM | Attr = ] wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 8/22/2007 11:06:34 AM | Attr = ] etc -> 
%System32%\drivers\etc -> [Folder | Modified Date = 8/21/2007 10:46:20 AM | Attr = ] [File String Scan - Non-Microsoft Only] UPX! , UPX0 , -> %System32%\2XHEIsXv.exe -> [Ver = | Size = 26176 bytes | Modified Date = 8/21/2007 12:03:28 PM | Attr = ] PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr = ] UPX! , UPX0 , -> %System32%\MACDec.dll -> Matthew T. Ashland [Ver = 3.99 | Size = 75264 bytes | Modified Date = 5/15/2004 4:10:42 PM | Attr = ] UPX! , UPX0 , -> %System32%\MonkeySource.ax -> [Ver = | Size = 177152 bytes | Modified Date = 6/19/2004 6:28:44 PM | Attr = ] UPX! , UPX0 , -> %System32%\NeroCheck.exe -> [Ver = | Size = 53267 bytes | Modified Date = 4/13/2007 12:49:48 PM | Attr = ] UPX! , UPX0 , -> %System32%\NeroCheck.ex_ -> [Ver = | Size = 45075 bytes | Modified Date = 4/13/2007 12:49:48 PM | Attr = ] UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ] winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr = ] WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr = ] < End of report > : Re: lsasddr.dll : Essexboy August 24, 2007, 01:37:35 PM They can run but they can't hide :naughty:
Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> lsasddr -> lsasddr.dll
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {D7107300-E42A-4C1C-84EB-4D783E58B88D} -> DNInstallerOCX Class - CodeBase = https://mq1webc2.speechmachines.org/Installer/InstallerOCX.cab
YN -> {D9E4E21E-60E0-11DA-91EB-00123F33E209} -> DNInstallerOCX Class - CodeBase = https://mq1webc2.speechmachines.org/Installer/DNInstaller2.cab
[Files/Folders - Created Within 30 days]
YY -> At100.job -> %SystemRoot%\tasks\At100.job
YY -> At101.job -> %SystemRoot%\tasks\At101.job
YY -> At102.job -> %SystemRoot%\tasks\At102.job
YY -> At103.job -> %SystemRoot%\tasks\At103.job
YY -> At104.job -> %SystemRoot%\tasks\At104.job
YY -> At105.job -> %SystemRoot%\tasks\At105.job
YY -> At106.job -> %SystemRoot%\tasks\At106.job
YY -> At107.job -> %SystemRoot%\tasks\At107.job
YY -> At108.job -> %SystemRoot%\tasks\At108.job
YY -> At109.job -> %SystemRoot%\tasks\At109.job
YY -> At110.job -> %SystemRoot%\tasks\At110.job
YY -> At111.job -> %SystemRoot%\tasks\At111.job
YY -> At112.job -> %SystemRoot%\tasks\At112.job
YY -> At113.job -> %SystemRoot%\tasks\At113.job
YY -> At114.job -> %SystemRoot%\tasks\At114.job
YY -> At115.job -> %SystemRoot%\tasks\At115.job
YY -> At116.job -> %SystemRoot%\tasks\At116.job
YY -> At117.job -> %SystemRoot%\tasks\At117.job
YY -> At118.job -> %SystemRoot%\tasks\At118.job
YY -> At119.job -> %SystemRoot%\tasks\At119.job
YY -> At120.job -> %SystemRoot%\tasks\At120.job
YY -> At97.job -> %SystemRoot%\tasks\At97.job
YY -> At98.job -> %SystemRoot%\tasks\At98.job
YY -> At99.job -> %SystemRoot%\tasks\At99.job
YY -> 2XHEIsXv.exe -> %System32%\2XHEIsXv.exe
[Files/Folders - Modified Within 30 days]
NY -> popcinfo.dat -> %SystemRoot%\popcinfo.dat
NY -> At100.job -> %SystemRoot%\tasks\At100.job
NY -> At101.job -> %SystemRoot%\tasks\At101.job
NY -> At102.job -> %SystemRoot%\tasks\At102.job
NY -> At103.job -> %SystemRoot%\tasks\At103.job
NY -> At104.job -> %SystemRoot%\tasks\At104.job
NY -> At105.job -> %SystemRoot%\tasks\At105.job
NY -> At106.job -> %SystemRoot%\tasks\At106.job
NY -> At107.job -> %SystemRoot%\tasks\At107.job
NY -> At108.job -> %SystemRoot%\tasks\At108.job
NY -> At109.job -> %SystemRoot%\tasks\At109.job
NY -> At110.job -> %SystemRoot%\tasks\At110.job
NY -> At111.job -> %SystemRoot%\tasks\At111.job
NY -> At112.job -> %SystemRoot%\tasks\At112.job
NY -> At113.job -> %SystemRoot%\tasks\At113.job
NY -> At114.job -> %SystemRoot%\tasks\At114.job
NY -> At115.job -> %SystemRoot%\tasks\At115.job
NY -> At116.job -> %SystemRoot%\tasks\At116.job
NY -> At117.job -> %SystemRoot%\tasks\At117.job
NY -> At118.job -> %SystemRoot%\tasks\At118.job
NY -> At119.job -> %SystemRoot%\tasks\At119.job
NY -> At120.job -> %SystemRoot%\tasks\At120.job
NY -> At97.job -> %SystemRoot%\tasks\At97.job
NY -> At98.job -> %SystemRoot%\tasks\At98.job
NY -> At99.job -> %SystemRoot%\tasks\At99.job
NY -> 2XHEIsXv.exe -> %System32%\2XHEIsXv.exe
[File String Scan - Non-Microsoft Only]
NY -> UPX! , UPX0 , -> %System32%\2XHEIsXv.exe
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log. I will review the information when it comes back in. Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer. If I see that dll again I will use the nuclear option on it. :tiphat: