
Virtumonde Infection?


  • This topic is locked
2 replies to this topic

#1 LiveAt8


Posted 14 April 2008 - 12:00 PM

My machine has been infected with some adware. I have run both the Kaspersky online scan and the DSS.

Suspicious files: xxyyxWOe.dll, qdnkewfa.dll, apoxqwfv.exe, mgsvflkw.dll. At this time, I am uncertain how to proceed. Any advice would be greatly appreciated.

I have included the following logs (in sequence): DSS logs 1. Main.txt and 2. Extra.txt, and the Kaspersky.txt.


Deckard's System Scanner v20071014.68
Run by mnelson on 2008-04-14 12:26:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-14 16:27:40 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as mnelson.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:14 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\jcvsdwry\dozmvsfe.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\XMediusFAX\LFclient\lfsndmng.exe
C:\Program Files\Hummingbird\DM Extensions\papihost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\Office97\Office\OSA.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\ETC\SOFTWARE\Deckard System Scanning\dss.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\ETC\SOFTWARE\HIJACK~1\mnelson.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\xxyyxWOe.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {71896954-C29E-4EC9-9FFB-C7EF3F65FA5A} - C:\WINDOWS\system32\qoMfgffC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: DVA Media - {82B8E0B5-45F5-4779-966A-C474164F8F7F} - C:\WINDOWS\temlxopqgdk.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Hummingbird DM - {83E8BF99-F3C0-4475-B453-9F9E8E4548C3} - C:\Program Files\Hummingbird\DM Extensions\DOCSShlToolBar.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [lfsndmng] "C:\Program Files\XMediusFAX\\LFclient\lfsndmng.exe"
O4 - HKLM\..\Run: [PowerDOCSAPIHost] "C:\Program Files\Hummingbird\DM Extensions\papihost.exe"
O4 - HKLM\..\Run: [DMAutoUpdate] "C:\Program Files\Hummingbird\DM Extensions\DMAutoUpdate\AutoUpdates.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [MBBalloon] C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [68d68933] rundll32.exe "C:\WINDOWS\system32\jmlpokql.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [nwbmyncx] C:\WINDOWS\system32\bslkdidg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [olU9Rk9syp] C:\Documents and Settings\All Users\Application Data\jcvsdwry\dozmvsfe.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office97\Office\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: mp.datamaxx.com
O15 - Trusted Zone: mp.datamaxx.com (HKLM)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {44C7F862-906C-11D3-A8ED-0008C75B3588} (IEPAPI Class) - http://dmwebtop.datamaxx.com/cyberdocs/DME...ns/papibrdg.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206986681702
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208084194812
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - https://dmwebtop.datamaxx.com/cyberdocs/DME...yment/setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = datamaxx.corp
O17 - HKLM\Software\..\Telephony: DomainName = datamaxx.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = datamaxx.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = datamaxx.corp
O18 - Protocol: PCDOCS - {EDC110E5-4CFB-4FEE-813A-BF796297030E} - C:\Program Files\Hummingbird\DM Extensions\PwDMoniker.DLL
O20 - Winlogon Notify: xxyyxWOe - C:\WINDOWS\SYSTEM32\xxyyxWOe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13997 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PzWDM - c:\windows\system32\drivers\pzwdm.sys <Not Verified; Prassi Technology; PzWDM>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 CdpPacket (Cisco Discovery Protocol Packet Driver) - c:\windows\system32\drivers\cdppacket.sys <Not Verified; Cisco Systems; Cisco IP Communicator>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 Cpmt (Cisco Media Termination) - c:\windows\system32\drivers\cpmt.sys <Not Verified; Cisco Systems, Inc.; Cisco IP Communicator>

S3 PCASp50 (PCASp50 NDIS Protocol Driver) - c:\windows\system32\drivers\pcasp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2008-04-14 11:13:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 11:13:33 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 11:13:32 0 d-------- C:\WINDOWS\LastGood
2008-04-14 01:11:20 0 d-------- C:\WINDOWS\system32\NtmsData
2008-04-13 17:37:21 85568 --a------ C:\WINDOWS\system32\jmlpokql.dll
2008-04-12 17:38:22 86592 -----n--- C:\WINDOWS\system32\yrwggjrr.dll
2008-04-11 18:26:35 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-04-11 18:25:35 0 d-------- C:\Program Files\Panda Security
2008-04-11 18:14:57 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-11 17:37:04 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-11 17:33:44 86080 --a------ C:\WINDOWS\system32\poqdfbde-JUNK.dll
2008-04-11 17:32:42 210861 --ahs---- C:\WINDOWS\system32\CffgfMoq.ini2
2008-04-11 17:32:32 273408 --a------ C:\WINDOWS\system32\qoMfgffC.dll
2008-04-11 17:30:50 0 d-------- C:\Program Files\Spyware Doctor
2008-04-11 17:30:50 0 d-------- C:\Documents and Settings\mnelson\Application Data\PC Tools
2008-04-11 17:25:08 188416 --a------ C:\WINDOWS\qdnkewfa.dll
2008-04-11 17:25:08 217088 --a------ C:\WINDOWS\mgsvflkw.dll
2008-04-11 17:25:08 94208 --a------ C:\WINDOWS\apoxqwfv.exe
2008-04-11 17:24:50 0 d-------- C:\Documents and Settings\All Users\Application Data\jcvsdwry
2008-04-11 17:24:36 39936 --a------ C:\WINDOWS\system32\xxyyxWOe.dll
2008-04-11 17:15:02 0 d-------- C:\Documents and Settings\mnelson\Application Data\123 Free Solitaire
2008-04-11 17:02:54 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-11 11:20:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-11 11:20:45 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-10 10:05:43 0 d-------- C:\techsupport
2008-04-10 10:04:48 98576 --a------ C:\WINDOWS\system32\msrpjt40.dll <Not Verified; Microsoft Corporation; Microsoft ® Jet>
2008-04-10 10:04:26 0 d-------- C:\MSSQL7
2008-04-10 10:03:49 305152 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-04-10 10:03:43 0 d-------- C:\Documents and Settings\lhamman\WINDOWS
2008-04-10 09:57:58 0 d-------- C:\Documents and Settings\lhamman\Application Data\VMware
2008-04-10 09:57:38 0 d-------- C:\Documents and Settings\lhamman\Application Data\AdobeUM
2008-04-10 09:57:38 0 d-------- C:\Documents and Settings\lhamman\Application Data\Adobe
2008-04-10 09:57:37 0 dr------- C:\Documents and Settings\lhamman\Favorites
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Desktop
2008-04-10 09:57:37 0 d---s---- C:\Documents and Settings\lhamman\Cookies
2008-04-10 09:57:37 0 dr-h----- C:\Documents and Settings\lhamman\Application Data
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Application Data\Visio
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Application Data\Sun
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Application Data\Sonic
2008-04-10 09:57:37 0 d---s---- C:\Documents and Settings\lhamman\Application Data\Microsoft
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Application Data\Microsoft Web Folders
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Application Data\Interstar Technologies
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Application Data\Intel
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Application Data\Identities
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Application Data\Hummingbird
2008-04-10 09:57:37 0 d-------- C:\Documents and Settings\lhamman\Application Data\Cisco
2008-04-10 09:57:36 0 d---s---- C:\Documents and Settings\lhamman\UserData
2008-04-10 09:57:36 0 d--h----- C:\Documents and Settings\lhamman\Templates
2008-04-10 09:57:36 0 d-------- C:\Documents and Settings\lhamman\temp
2008-04-10 09:57:36 0 dr------- C:\Documents and Settings\lhamman\Start Menu
2008-04-10 09:57:36 0 dr-h----- C:\Documents and Settings\lhamman\SendTo
2008-04-10 09:57:36 0 dr-h----- C:\Documents and Settings\lhamman\Recent
2008-04-10 09:57:36 0 d--h----- C:\Documents and Settings\lhamman\PrintHood
2008-04-10 09:57:36 1310720 --ah----- C:\Documents and Settings\lhamman\NTUSER.DAT
2008-04-10 09:57:36 0 d--h----- C:\Documents and Settings\lhamman\NetHood
2008-04-10 09:57:36 0 dr------- C:\Documents and Settings\lhamman\My Documents
2008-04-10 09:57:36 0 d--h----- C:\Documents and Settings\lhamman\Local Settings
2008-04-07 16:30:46 0 d-------- C:\Program Files\Windows Live Toolbar
2008-04-07 16:20:45 0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-04 14:45:01 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-04 14:44:55 0 d-------- C:\Program Files\Windows Live
2008-04-04 14:44:46 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-04 11:44:56 0 d-------- C:\Documents and Settings\mnelson\Application Data\.purple
2008-04-04 11:41:30 0 d-------- C:\Program Files\Aspell
2008-04-04 11:39:37 0 d-------- C:\Program Files\Pidgin
2008-04-04 11:39:23 0 d-------- C:\Program Files\Common Files\GTK
2008-04-02 21:21:27 0 d-------- C:\Program Files\KODAK
2008-04-02 21:19:20 15172 --a------ C:\WINDOWS\system32\drivers\PzWDM.sys <Not Verified; Prassi Technology; PzWDM>
2008-04-02 21:19:20 0 d-------- C:\Program Files\CASIO
2008-04-02 21:19:15 413696 --a------ C:\WINDOWS\system32\PICSDK.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-02 21:19:15 114688 --a------ C:\WINDOWS\system32\EpPicPrt.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-02 21:19:15 91923 --a------ C:\WINDOWS\system32\EPPICPrinterDB.dat
2008-04-02 21:19:15 27965 --a------ C:\WINDOWS\system32\EPPICPresetData_JP.dat
2008-04-02 21:19:15 76956 --a------ C:\WINDOWS\system32\EPPICPattern2.dat
2008-04-02 21:19:15 39121 --a------ C:\WINDOWS\system32\EPPICPattern1.dat
2008-04-02 21:19:15 65536 --a------ C:\WINDOWS\system32\EPPicMgr.dll <Not Verified; SEIKO EPSON CORPORATION; EPSON PIC SDK>
2008-04-02 21:18:09 0 d-------- C:\Program Files\HOTALBUMMyBOX
2008-04-01 11:04:22 0 d-------- C:\Documents and Settings\mnelson\Application Data\Google
2008-04-01 11:04:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-04-01 11:03:28 0 d-------- C:\Program Files\Google
2008-04-01 10:55:34 0 d-------- C:\Program Files\MSXML 6.0
2008-04-01 09:53:27 0 d-------- C:\ETC
2008-03-31 23:16:36 0 d-------- C:\Documents and Settings\mnelson\Application Data\Macromedia
2008-03-31 21:25:14 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-31 21:18:35 0 d-------- C:\DEV
2008-03-31 17:17:44 0 d-------- C:\Documents and Settings\mnelson\Application Data\VMware
2008-03-31 17:16:03 0 dr------- C:\Documents and Settings\mnelson\Favorites
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Desktop
2008-03-31 17:16:03 0 d---s---- C:\Documents and Settings\mnelson\Cookies
2008-03-31 17:16:03 0 dr-h----- C:\Documents and Settings\mnelson\Application Data
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Visio
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Sun
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Sonic
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Microsoft Web Folders
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Interstar Technologies
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Intel
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Identities
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Hummingbird
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Cisco
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\AdobeUM
2008-03-31 17:16:03 0 d-------- C:\Documents and Settings\mnelson\Application Data\Adobe
2008-03-31 17:16:02 0 d---s---- C:\Documents and Settings\mnelson\UserData
2008-03-31 17:16:02 0 d--h----- C:\Documents and Settings\mnelson\Templates
2008-03-31 17:16:02 0 d-------- C:\Documents and Settings\mnelson\temp
2008-03-31 17:16:02 0 dr------- C:\Documents and Settings\mnelson\Start Menu
2008-03-31 17:16:02 0 dr-h----- C:\Documents and Settings\mnelson\SendTo
2008-03-31 17:16:02 0 dr-h----- C:\Documents and Settings\mnelson\Recent
2008-03-31 17:16:02 0 d--h----- C:\Documents and Settings\mnelson\PrintHood
2008-03-31 17:16:02 2359296 --ah----- C:\Documents and Settings\mnelson\NTUSER.DAT
2008-03-31 17:16:02 0 d--h----- C:\Documents and Settings\mnelson\NetHood
2008-03-31 17:16:02 0 dr------- C:\Documents and Settings\mnelson\My Documents
2008-03-31 17:16:02 0 d--h----- C:\Documents and Settings\mnelson\Local Settings
2008-03-31 17:13:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-03-31 17:12:03 0 d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-03-31 17:11:45 0 d-------- C:\Program Files\VMware
2008-03-31 17:11:45 0 d-------- C:\Program Files\Common Files\VMware
2008-03-31 16:39:20 0 d-------- C:\Intel
2008-03-31 16:38:19 0 d-------- C:\Program Files\O2Micro OZ776 SCR Driver
2008-03-31 16:34:39 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-03-31 16:34:39 0 d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-03-31 16:34:39 0 d-------- C:\Documents and Settings\Default User\Application Data\Intel
2008-03-31 16:34:39 0 d-------- C:\Documents and Settings\ataylor\Application Data\Intel
2008-03-31 16:34:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-03-31 16:34:31 21425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
2008-03-31 16:34:31 319488 --a------ C:\WINDOWS\system32\AegisI5Installer.exe <Not Verified; ; AegisInstall Application>
2008-03-31 16:34:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-03-31 16:32:16 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-03-31 16:32:15 0 d-------- C:\Program Files\Broadcom
2008-03-31 16:29:38 0 d-------- C:\WINDOWS\system32\vmm32
2008-03-31 14:49:20 0 d-------- C:\Documents and Settings\Default User\Application Data\Microsoft Web Folders
2008-03-31 14:38:24 0 d-------- C:\Program Files\MSXML 4.0
2008-03-31 13:57:11 0 d-------- C:\HUMCLogs
2008-03-31 13:56:49 0 d-------- C:\WINDOWS\system32\appmgmt
2008-03-31 13:56:49 0 d-------- C:\WINDOWS\SchCache
2008-03-31 13:56:43 0 d-------- C:\Documents and Settings\ataylor\Application Data\AdobeUM
2008-03-31 13:56:43 0 d-------- C:\Documents and Settings\ataylor\Application Data\Adobe
2008-03-31 13:56:42 0 dr------- C:\Documents and Settings\ataylor\Favorites
2008-03-31 13:56:42 0 d-------- C:\Documents and Settings\ataylor\Desktop
2008-03-31 13:56:42 0 d--hs---- C:\Documents and Settings\ataylor\Cookies
2008-03-31 13:56:42 0 dr-h----- C:\Documents and Settings\ataylor\Application Data
2008-03-31 13:56:42 0 d-------- C:\Documents and Settings\ataylor\Application Data\Visio
2008-03-31 13:56:42 0 d-------- C:\Documents and Settings\ataylor\Application Data\Sun
2008-03-31 13:56:42 0 d-------- C:\Documents and Settings\ataylor\Application Data\Sonic
2008-03-31 13:56:42 0 d---s---- C:\Documents and Settings\ataylor\Application Data\Microsoft
2008-03-31 13:56:42 0 d-------- C:\Documents and Settings\ataylor\Application Data\Microsoft Web Folders
2008-03-31 13:56:42 0 d-------- C:\Documents and Settings\ataylor\Application Data\Interstar Technologies
2008-03-31 13:56:42 0 d-------- C:\Documents and Settings\ataylor\Application Data\Identities
2008-03-31 13:56:42 0 d-------- C:\Documents and Settings\ataylor\Application Data\Hummingbird
2008-03-31 13:56:42 0 d-------- C:\Documents and Settings\ataylor\Application Data\Cisco
2008-03-31 13:56:41 0 d--hs---- C:\Documents and Settings\ataylor\UserData
2008-03-31 13:56:41 0 d--h----- C:\Documents and Settings\ataylor\Templates
2008-03-31 13:56:41 0 d-------- C:\Documents and Settings\ataylor\temp
2008-03-31 13:56:41 0 dr------- C:\Documents and Settings\ataylor\Start Menu
2008-03-31 13:56:41 0 dr-h----- C:\Documents and Settings\ataylor\SendTo
2008-03-31 13:56:41 0 dr-h----- C:\Documents and Settings\ataylor\Recent
2008-03-31 13:56:41 0 d--h----- C:\Documents and Settings\ataylor\PrintHood
2008-03-31 13:56:41 1572864 --ah----- C:\Documents and Settings\ataylor\NTUSER.DAT
2008-03-31 13:56:41 0 d--h----- C:\Documents and Settings\ataylor\NetHood
2008-03-31 13:56:41 0 dr------- C:\Documents and Settings\ataylor\My Documents
2008-03-31 13:56:41 0 d--h----- C:\Documents and Settings\ataylor\Local Settings
2008-03-31 13:55:38 0 d--hs---- C:\WINDOWS\CSC


-- Find3M Report ---------------------------------------------------------------

2008-04-14 12:01:48 0 d-------- C:\Program Files\Symantec AntiVirus
2008-04-11 11:26:06 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-11 11:20:45 0 d-------- C:\Program Files\Common Files
2008-04-04 16:21:51 2528 --a------ C:\Documents and Settings\mnelson\Application Data\$_hpcst$.hpc
2008-04-04 16:06:59 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-02 21:19:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-31 16:33:40 0 d-------- C:\Program Files\Intel
2008-03-31 13:57:28 0 d-------- C:\Program Files\Common Files\Hummingbird


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02715E47-5A8E-495B-8F63-0D30470B8E72}]
04/11/2008 05:24 PM 39936 --a------ C:\WINDOWS\system32\xxyyxWOe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71896954-C29E-4EC9-9FFB-C7EF3F65FA5A}]
04/11/2008 05:32 PM 273408 --a------ C:\WINDOWS\system32\qoMfgffC.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82B8E0B5-45F5-4779-966A-C474164F8F7F}]
C:\WINDOWS\temlxopqgdk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 09:08 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [12/13/2005 05:44 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [12/13/2005 05:41 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [12/13/2005 05:45 PM]
"SigmatelSysTrayApp"="stsystra.exe" [11/16/2005 03:35 PM C:\WINDOWS\stsystra.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 09:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/23/2005 07:27 PM]
"ShowLOMControl"="1 (0x1)" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [08/13/2004 01:05 AM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 01:01 AM]
"lfsndmng"="C:\Program Files\XMediusFAX\\LFclient\lfsndmng.exe" [09/28/2004 06:50 AM]
"PowerDOCSAPIHost"="C:\Program Files\Hummingbird\DM Extensions\papihost.exe" [12/13/2005 04:13 PM]
"DMAutoUpdate"="C:\Program Files\Hummingbird\DM Extensions\DMAutoUpdate\AutoUpdates.exe" [11/17/2005 05:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [11/10/2005 01:03 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [02/21/2007 11:19 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [02/21/2007 11:17 AM]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [05/01/2007 10:52 PM]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [05/01/2007 10:52 PM]
"MBBalloon"="C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe" [12/15/2006 11:45 AM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [05/17/2007 12:02 PM]
"68d68933"="C:\WINDOWS\system32\jmlpokql.dll" [04/13/2008 05:37 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" []
"nwbmyncx"="C:\WINDOWS\system32\bslkdidg.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

C:\Documents and Settings\mnelson\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office97\Office\OSA.EXE [7/11/1997]
VPN Client.lnk - C:\WINDOWS\Installer\{06624881-CF7D-4F8A-86C0-5114B122E776}\Icon3E5562ED7.ico [5/17/2006 3:16:43 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"olU9Rk9syp"=C:\Documents and Settings\All Users\Application Data\jcvsdwry\dozmvsfe.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{02715E47-5A8E-495B-8F63-0D30470B8E72}"= C:\WINDOWS\system32\xxyyxWOe.dll [04/11/2008 05:24 PM 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyxWOe]
xxyyxWOe.dll 04/11/2008 05:24 PM 39936 C:\WINDOWS\system32\xxyyxWOe.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMfgffC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

*Newly Created Service* - DMADMIN
*Newly Created Service* - DMSERVER
*Newly Created Service* - FILEMON701
*Newly Created Service* - NTMSSVC
*Newly Created Service* - PROCEXP111
*Newly Created Service* - PROCMON12



-- End of Deckard's System Scanner: finished at 2008-04-14 12:32:39 ------------

===============================================================================


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2400 @ 1.83GHz
CPU 1: Genuine Intel® CPU T2400 @ 1.83GHz
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 2038.11 MiB / 1388.76 MiB
Pagefile Memory (total/avail): 3931.17 MiB / 3073.68 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.05 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 54.72 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Hitachi HTS721080G9SA00 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.0.1.1000 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Hummingbird\\DM Extensions\\PAPIHost.exe"="C:\\Program Files\\Hummingbird\\DM Extensions\\PAPIHost.exe:*:Enabled:PAPIHost WWW Server"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Hummingbird\\DM Extensions\\PAPIHost.exe"="C:\\Program Files\\Hummingbird\\DM Extensions\\PAPIHost.exe:*:Enabled:PAPIHost WWW Server"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mnelson\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NELSONM7
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mnelson
LOGONSERVER=\\AD02-TR-VM
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\MSSQL7\BINN;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\mnelson\LOCALS~1\Temp
TMP=C:\DOCUME~1\mnelson\LOCALS~1\Temp
USERDNSDOMAIN=DATAMAXX.CORP
USERDOMAIN=CORP
USERNAME=mnelson
USERPROFILE=C:\Documents and Settings\mnelson
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ---------------------------------------------------------------

lhamman (new local, admin, net ready)
mnelson (admin)
ataylor (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 6.0 Standard --> MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Aspell English Dictionary-0.50-2 --> "C:\Program Files\Aspell\unins001.exe"
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}
Cisco IP Communicator --> MsiExec.exe /I{9676F2EF-9443-4E5F-B4CC-9096C5974798}
Cisco MeetingPlace for Outlook --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\MPOUTL.INF, DefaultUninstall.ntx86
Cisco Systems VPN Client 4.6.02.0011 --> MsiExec.exe /X{06624881-CF7D-4F8A-86C0-5114B122E776}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
Dell Mobile Broadband Card Utility --> MsiExec.exe /X{DF62D775-BB7C-4AFA-9CA4-DDA1C4855F28}
Dell Resource CD --> MsiExec.exe /X{42929F0F-CE14-47AF-9FC7-FF297A603021}
Dell Wireless WLAN Card --> "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
GNU Aspell 0.50-3 --> "C:\Program Files\Aspell\unins000.exe"
GTK+ Runtime 2.12.8 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\ETC\SOFTWARE\HiJackThis\HijackThis.exe" /uninstall
HOT ALBUM MYBOX --> C:\Program Files\HOTALBUMMyBOX\VUninst.exe /a
Hummingbird DM Extensions 5.1.0.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1ED7F176-BD36-429F-9462-06A26FBA6CF1}\setup.exe" -l0x9 REMOVEALL
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Office 97, Professional Edition --> C:\Program Files\Microsoft Office\Office97\Office\Setup\Acme.exe /w Off97Pro.STF
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Project 2000 --> MsiExec.exe /I{2DFE1608-BDCA-11D1-B7AE-00C04FB92F3D}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft SQL Server 7.0 --> C:\WINDOWS\IsUninst.exe -fC:\MSSQL7\Uninst.isu -c"C:\MSSQL7\sqlsun.dll" -msql70.mif
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSCfg --> MsiExec.exe /I{829CD169-E692-48E8-9BDE-A3E8D8B65538}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
OZ776 SCR CardBus Windows Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{2D91C34E-12CC-4B1B-90D5-31DAD47B6F48} /l1033
OZ776 SCR Driver V1.1.3.9 --> C:\Program Files\InstallShield Installation Information\{343D8DE3-AE1F-431A-830C-B66352E8CA12}\setup.exe -runfromtemp -l0x0409
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exe
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! Plus --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spyware Doctor 5.0 --> C:\Program Files\Spyware Doctor\unins000.exe
Symantec AntiVirus --> MsiExec.exe /I{3248E093-5288-4CA9-B3AB-11A675FEA1F9}
ViewMail for Outlook --> MsiExec.exe /I{D43281E3-D934-46D3-8341-66B7B4BFC626}
VMware Workstation --> MsiExec.exe /I{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail --> MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live Photo Gallery --> MsiExec.exe /X{257E440F-781F-459B-9A68-A0872B80C1D6}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Writer --> MsiExec.exe /X{9176251A-4CC1-4DDB-B343-B487195EB397}
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
XMediusFAX 4.1.0.31 --> MsiExec.exe /I{6394DCE4-BE93-4831-BC65-7F24D2D3C03D}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1259 / Error
Event Submitted/Written: 04/14/2008 10:26:12 AM
Event ID/Source: 13 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to enroll for one IPSEC certificate (0x800706ba). The RPC server is unavailable.

Event Record #/Type1257 / Error
Event Submitted/Written: 04/14/2008 07:59:50 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type1256 / Error
Event Submitted/Written: 04/13/2008 11:59:57 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type1255 / Error
Event Submitted/Written: 04/13/2008 05:36:43 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.KillAV in File: C:\DOCUME~1\mnelson\LOCALS~1\TEMPOR~1\Content.IE5\ZCTGGO39\ZRT200~1 by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Event Record #/Type1254 / Error
Event Submitted/Written: 04/13/2008 05:36:42 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Trojan.KillAV in File: C:\Documents and Settings\mnelson\Local Settings\Temporary Internet Files\Content.IE5\ZCTGGO39\zrt20080408[1] by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2354 / Warning
Event Submitted/Written: 04/14/2008 11:06:06 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type2353 / Error
Event Submitted/Written: 04/14/2008 10:26:12 AM
Event ID/Source: 10009 / DCOM
Event Description:
DCOM was unable to communicate with the computer ad2-tr-650.datamaxx.corp using any of the configured
protocols.

Event Record #/Type2343 / Error
Event Submitted/Written: 04/14/2008 09:43:08 AM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type2342 / Warning
Event Submitted/Written: 04/14/2008 09:43:08 AM
Event ID/Source: 18 / W32Time
Event Description:
The time provider NtpClient failed to establish a trust relationship between this
computer and the datamaxx.corp domain in order to securely synchronize time.
NtpClient will try again in 15 minutes.
The error was: The trust relationship between this workstation and the primary domain failed. (0x800706FD)

Event Record #/Type2341 / Error
Event Submitted/Written: 04/14/2008 09:43:08 AM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain CORP due to the following:
%%1722.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.



-- End of Deckard's System Scanner: finished at 2008-04-14 12:32:39 ------------


===============================================================================


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 14, 2008 12:23:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/04/2008
Kaspersky Anti-Virus database records: 703811
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\mnelson\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 14721
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:16:28

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\apoxqwfv.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dvb skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\mgsvflkw.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dva skipped
C:\WINDOWS\qdnkewfa.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dvb skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xxyyxWOe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nqp skipped
C:\WINDOWS\Temp\Perflib_Perfdata_8c0.dat Object is locked skipped
C:\WINDOWS\Temp\vmware-vmount.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\mnelson\LOCALS~1\Temp\fla79.tmp Object is locked skipped
C:\DOCUME~1\mnelson\LOCALS~1\Temp\fla7A.tmp Object is locked skipped
C:\DOCUME~1\mnelson\LOCALS~1\Temp\WCESLog.log Object is locked skipped

Scan process completed.


#2 LiveAt8

  • Topic Starter

  • Members
  • 2 posts

Posted 14 April 2008 - 03:15 PM

It appears I have been able to tentatively resolve the problem. I will continue to monitor the system to see if the behavior re-presents itself, and I will report back; otherwise the issue has been resolved.

I have downloaded Malwarebytes Anti-Malware 1.11

The software was able to identify the suspicious files that I believed were the culprits, and it identified others and removed them all from the FS and system registry. I have validated the actions.

Below is a copy of the log and actions completed by the Malwarebytes software. Regards

------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.11
Database version: 627

Scan type: Full Scan (C:\|)
Objects scanned: 84726
Time elapsed: 27 minute(s), 16 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\jcvsdwry\dozmvsfe.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\xxyyxWOe.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jmlpokql.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\qoMfgffC.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yrwggjrr.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{02715e47-5a8e-495b-8f63-0d30470b8e72} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02715e47-5a8e-495b-8f63-0d30470b8e72} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyyxwoe (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71896954-c29e-4ec9-9ffb-c7ef3f65fa5a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{71896954-c29e-4ec9-9ffb-c7ef3f65fa5a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{02715e47-5a8e-495b-8f63-0d30470b8e72} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\olU9Rk9syp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfgffc -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfgffc -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\xxyyxWOe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jmlpokql.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lqkoplmj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMfgffC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\CffgfMoq.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\CffgfMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrwggjrr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rrjggwry.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\jcvsdwry\dozmvsfe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\mnelson\LOCALS~1\Temp\EXPLOR~1.EXE.bak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\mgsvflkw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\qdnkewfa.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\apoxqwfv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#3 random/random


  • Malware Response Team
  • 2,704 posts

Posted 21 April 2008 - 04:27 PM

Since this issue appears to be resolved, this topic is now closed.



