Virtumonde (vundo) Infection


  • This topic is locked
8 replies to this topic

#1 cyanide_s_k

  • Members
  • 5 posts

Posted 23 April 2008 - 09:12 AM

Hello, I have recently started having problems with the start-up and performance of my laptop (for about one week). My eTrust Antivirus realtime monitor gives me the following message:

" The Win32/Vundo!generic was detected in C:\WINDOWS\SYSTEM32\IIFDDDDS.DLL.
Machine: L154, User: L154\wkr.
File Status: File is cured and the machine needs to reboot to complete cure
Number of infections: 4 "

As soon as this pop-up closes, it re-opens in a few seconds to a minute, and the number of infections is usually 4, though sometimes it may be 3 or 6. It once gave me this message:

" The Win32/Vundo!generic was detected in C:\WINDOWS\SYSTEM32\EGYWBQYB.DLL.
Machine: L154, User: L154\wkr.
File Status: File is cured and the machine needs to reboot to complete cure
Number of infections: 4 "

I have not seen this message again though.

I have tried all the fixes that I could find and nothing has worked for me so far, not even VundoFix or VirtumundoBeGone. I am hoping someone here can help me. I will paste my Kaspersky log, main.txt and extra.txt below. Thanks in advance.

Deckard's System Scanner v20071014.68
Run by wkr on 2008-04-23 16:34:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
100: 2008-04-23 13:34:28 UTC - RP301 - Deckard's System Scanner Restore Point
99: 2008-04-22 07:40:51 UTC - RP300 - Removed Skype™ 3.6
98: 2008-04-22 07:37:51 UTC - RP299 - Removed QuickTime
97: 2008-04-22 07:33:31 UTC - RP298 - Removed Apple Software Update
96: 2008-04-22 06:54:30 UTC - RP297 - Removed Google Toolbar for Internet Explorer


-- First Restore Point --
1: 2008-04-14 07:55:06 UTC - RP202 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-23 16:37:50
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Apoint\ApntEx.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CA\eTrust Antivirus\Realmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\NetWaiting\netwaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\wkr\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070306
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/webhp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070306
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F689B45-FD14-478B-A27C-5823650CA051} - (no file)
O2 - BHO: (no name) - {220E588E-A84A-45FD-B768-58566CB0B359} - (no file)
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {629A87B6-D274-4700-9ACD-30DF573F643C} - (no file)
O2 - BHO: (no name) - {75A2C886-8E36-4306-BA83-9102718FA4B2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B82F29E4-8368-4B14-9C00-5138C0D94034} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {FB27D944-F679-4223-A29B-47046FE2373D} - C:\WINDOWS\system32\iifdddDs.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [PawVcfYZMo] C:\Documents and Settings\All Users\Application Data\yronobyv\mfsngpwh.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O17 - HKLM\Software\..\Telephony: DomainName = TEIbbersonCo.MN
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: wxvault.dll
O20 - Winlogon Notify: awtqpNGW - C:\WINDOWS\system32\awtqpNGW.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe


--
End of file - 12370 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 INO_FLPY - c:\windows\system32\drivers\ino_flpy.sys <Not Verified; Computer Associates; CA eTrust eTrust Antivirus/InoculateIT version 7.X/6.X/4.X>
R0 PBADRV - c:\windows\system32\drivers\pbadrv.sys <Not Verified; Dell Inc; PBA Driver>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 INO_FLTR - c:\windows\system32\drivers\ino_fltr.sys <Not Verified; Computer Associates; CA eTrust Antivirus/InoculateIT version 7.X/6.X>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 DSproct - c:\program files\dell support\gtaction\triggers\dsproct.sys <Not Verified; GTek Technologies Ltd.; processt>

S3 GTKCMOS - c:\windows\system32\gtkcmos.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics>
S3 SDDMI2 - c:\windows\system32\ddmi2.sys <Not Verified; Gteko Ltd.; DDMI>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 DataSvr2 - "c:\program files\wave systems corp\common\dataserver.exe" <Not Verified; Wave Systems Corp.; Authentication Manager>
R2 InoRPC (eTrust Antivirus RPC Server) - "c:\program files\ca\etrust antivirus\inorpc.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoRT (eTrust Antivirus Realtime Server) - "c:\program files\ca\etrust antivirus\inort.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 InoTask (eTrust Antivirus Job Server) - "c:\program files\ca\etrust antivirus\inotask.exe" <Not Verified; Computer Associates International, Inc.; eTrust Antivirus>
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 tcsd_win32.exe (NTRU Hybrid TSS v2.0.25 TCS) - "c:\program files\ntru cryptosystems\ntru hybrid tss v2.0.25\bin\tcsd_win32.exe"
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-23 and 2008-04-23 -----------------------------

2008-04-23 11:17:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-22 17:17:15 0 d-------- C:\kav
2008-04-22 13:59:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 13:59:15 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-21 11:36:50 0 d-------- C:\VundoFix Backups
2008-04-21 08:28:32 0 d-------- C:\Program Files\Microsoft .NET Compact Framework 1.0 SP3
2008-04-16 12:19:32 262144 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-15 10:57:16 3648 --a------ C:\WINDOWS\system32\xbjoojvc.dll
2008-04-15 09:32:06 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-04-15 09:31:50 0 d-------- C:\Program Files\MSECACHE
2008-04-15 08:38:23 0 d-------- C:\6701463127e5bdad4b102339fad5e0f8
2008-04-15 08:15:36 0 d-------- C:\72463835189d3e2f96f529
2008-04-14 15:51:03 0 d-------- C:\temp
2008-04-14 14:57:40 0 d-------- C:\WINDOWS\pss
2008-04-14 13:23:08 0 d-------- C:\Program Files\SmartPCTools
2008-04-14 12:54:03 5505024 --a------ C:\Documents and Settings\wkr\ntuser.dat
2008-04-14 12:15:32 0 d-------- C:\Documents and Settings\wkr\Application Data\GlarySoft
2008-04-14 10:56:14 3648 --a------ C:\WINDOWS\system32\owxmakan.dll
2008-04-14 10:21:16 0 d-------- C:\Program Files\AnswerWorks 4(2).0
2008-04-14 10:12:05 0 d-------- C:\Program Files\Autodesk(2)
2008-04-14 09:27:39 0 d-------- C:\WINDOWS\system32\NtmsData
2008-04-11 12:04:39 105518 --ahs---- C:\WINDOWS\system32\sDdddfii.ini2
2008-04-11 12:04:30 273920 --a------ C:\WINDOWS\system32\iifdddDs.dll
2008-04-11 11:52:32 188416 --a------ C:\WINDOWS\qdnkewfa.dll
2008-04-11 11:52:21 94208 --a------ C:\WINDOWS\system32\ufcdyvof.exe
2008-04-11 11:52:21 0 d-------- C:\Documents and Settings\All Users\Application Data\yronobyv
2008-04-10 12:02:34 0 d-------- C:\Documents and Settings\wkr\Application Data\AdobeUM
2008-04-10 11:59:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-10 11:59:10 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-02 17:12:34 0 d-------- C:\Documents and Settings\All Users\Application Data\PopCap


-- Find3M Report ---------------------------------------------------------------

2008-04-22 10:43:08 0 d-------- C:\Program Files\IrfanView
2008-04-22 10:41:06 0 d-------- C:\Program Files\Common Files
2008-04-22 10:36:30 0 d-------- C:\Program Files\CyberLink
2008-04-22 10:34:47 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-22 10:32:11 0 d-------- C:\Documents and Settings\wkr\Application Data\Yahoo!
2008-04-22 10:21:28 0 d-------- C:\Program Files\Yahoo!
2008-04-22 09:54:56 0 d-------- C:\Program Files\Google
2008-04-21 09:39:39 0 d-------- C:\Program Files\Java
2008-04-15 08:48:47 0 d-------- C:\Program Files\AutoCAD LT 2007
2008-04-12 10:31:22 0 d-------- C:\Documents and Settings\wkr\Application Data\U3
2008-04-10 13:41:19 0 d-------- C:\Documents and Settings\wkr\Application Data\ZoomBrowser EX
2008-04-10 11:58:36 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-12 17:34:23 0 d-------- C:\Documents and Settings\wkr\Application Data\Adobe
2008-03-11 22:17:38 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-07 22:46:46 0 d-------- C:\Documents and Settings\wkr\Application Data\LimeWire
2008-03-03 05:00:54 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-02 19:16:06 0 d-------- C:\Documents and Settings\wkr\Application Data\Skype
2008-03-02 00:56:02 0 d-------- C:\Program Files\MSN Messenger
2008-03-02 00:55:38 0 d-------- C:\Program Files\Windows Live
2008-03-02 00:55:06 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F689B45-FD14-478B-A27C-5823650CA051}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{220E588E-A84A-45FD-B768-58566CB0B359}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{629A87B6-D274-4700-9ACD-30DF573F643C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75A2C886-8E36-4306-BA83-9102718FA4B2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B82F29E4-8368-4B14-9C00-5138C0D94034}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB27D944-F679-4223-A29B-47046FE2373D}]
04/11/2008 12:04 PM 273920 --a------ C:\WINDOWS\system32\iifdddDs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 09:13 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [12/14/2005 01:44 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [12/14/2005 01:41 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [12/14/2005 01:45 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [10/19/2006 03:04 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/19/2006 02:58 AM]
"SigmatelSysTrayApp"="stsystra.exe" [03/25/2006 01:30 AM C:\WINDOWS\stsystra.exe]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [09/08/2006 05:32 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [06/29/2006 09:13 PM]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [04/07/2004 01:14 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/12/2008 05:16 AM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [12/14/2004 02:12 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [09/10/2003 11:24 AM]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [08/29/2006 06:57 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:00 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [05/25/2007 10:30 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [4/10/2008 11:58:59 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/6/2007 11:10:46 AM]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [8/25/2006 6:45:30 PM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [5/15/2007 11:10:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"PawVcfYZMo"=C:\Documents and Settings\All Users\Application Data\yronobyv\mfsngpwh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqpNGW]
awtqpNGW.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\iifdddDs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Startup.bat


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8325 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-23 16:38:46 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU T5500 @ 1.66GHz
CPU 1: Intel® Core™2 CPU T5500 @ 1.66GHz
Percentage of Memory in Use: 55%
Physical Memory (total/avail): 1014.05 MiB / 454.23 MiB
Pagefile Memory (total/avail): 2440.68 MiB / 2069.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.64 MiB

C: is Fixed (NTFS) - 74.47 GiB total, 54.52 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Hitachi HTS721080G9SA00 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 54.88 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe:*:Enabled:Realmon"
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"="C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe:*:Enabled:eTrust Antivirus"
"C:\\WINDOWS\\system32\\msiexec.exe"="C:\\WINDOWS\\system32\\msiexec.exe:*:Enabled:Windows® installer"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\kav\\kav7.0\\english\\setup.exe"="C:\\kav\\kav7.0\\english\\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\wkr\Application Data
AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=L154
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\wkr
INOCULAN=C:\PROGRA~1\CA\ETRUST~1
LOGONSERVER=\\L154
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\PROGRA~1\CA\ETRUST~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\wkr\LOCALS~1\Temp
TMP=C:\DOCUME~1\wkr\LOCALS~1\Temp
USERDOMAIN=L154
USERNAME=wkr
USERPROFILE=C:\Documents and Settings\wkr
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

wkr (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 7.0 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
biolsp patch --> MsiExec.exe /I{E6095BEA-8C97-4342-B771-13BB72AC1D88}
Broadcom Advanced Control Suite --> MsiExec.exe /X{26E1BFB0-E87E-4696-9F89-B467F01F81E5}
Broadcom TPM Driver Installer --> MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
CA eTrust Antivirus --> MsiExec.exe /X{99747F0D-D4F8-4877-9CA0-4AE96D963633}
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon PIXMA iP3000 --> C:\WINDOWS\system32\CNMCP61.exe "-PRINTERNAMECanon PIXMA iP3000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP3000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP3000 Installer\Inst2\cnmi0409.dll"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
CutePDF Writer 2.5 --> C:\WINDOWS\system32\uninscpw.exe C:\Program Files\
Dell Embassy Trust Suite by Wave Systems --> C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe
Dell Support 3.2.1 --> MsiExec.exe /X{CEE2252C-4035-4B27-8EC6-0B085DD3A413}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Document Manager Lite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2} /l1033
EMBASSY Security Center --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEAFE1E5-076B-430A-96D9-B567792AFA88}
EMBASSY Trust Suite by Wave Systems --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1802FA6-54E9-4B24-BD2A-B50866819795}\setup.exe" -l0x9
ETS Launch Pad --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{DD41AC25-61B2-4FC9-90AA-672F32139AC3} /l1033
ETS Upgrade --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{72FECEA1-E87F-4192-89FA-D0FBF92885BB}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Designjet 70 series --> msiexec /x{CFBBBC08-36F1-4A3F-9777-83F1D73E3C43}
HP LaserJet 2410/2420/2430 --> C:\Program Files\Hewlett-Packard\hp LaserJet 2410 2420 2430\Installer\hpsetup.exe /x
HP LaserJet 2410/2420/2430 --> msiexec /x{02C0BC1F-E273-4FA7-BF75-46ACF9650765}
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft .NET Compact Framework 1.0 SP3 --> MsiExec.exe /I{12F7033F-3B47-4C9E-AB20-2EC556C40287}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
NTRU Hybrid TSS v2.0.25 --> MsiExec.exe /I{0BA2A0BA-7F4D-4B7B-AE94-5F0233AC8A5A}
Preboot Manager --> MsiExec.exe /I{EE2EE62C-E27D-486A-AF6D-FA4A06E67476}
Private Information Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{0B0A2153-58A6-4244-B458-25EDF5FCD809} /l1033
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
Secure Update --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D1E829E9-88B8-47C6-A75E-0D40E2C09D50} /l1033
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Wizards --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4} /l1033
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins002.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SureTrak 3.0b --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SureTrak\Uninst.isu"
upekmsi --> MsiExec.exe /I{BE40EC9E-9466-4288-916D-C1D6C13F4A40}
URL Assistant --> regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
Wave Infrastructure Installer --> MsiExec.exe /I{CDD4761A-3D3F-4487-9AAF-7855A36E0D31}
Wave Support Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{07D618CD-B016-438A-ADC9-A75BD23F85CE} /l1033
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}


-- Application Event Log -------------------------------------------------------

Event Record #/Type8863 / Error
Event Submitted/Written: 04/23/2008 02:59:33 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x74706563.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type8862 / Error
Event Submitted/Written: 04/23/2008 02:36:49 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type8860 / Error
Event Submitted/Written: 04/23/2008 02:35:30 PM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script Startup.bat. The system cannot find the file specified.
.

Event Record #/Type8858 / Error
Event Submitted/Written: 04/23/2008 02:35:07 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type8854 / Error
Event Submitted/Written: 04/23/2008 02:27:48 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18131 / Warning
Event Submitted/Written: 04/23/2008 02:51:02 PM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {CC5E2E31-1429-4160-894C-863212B38D30}

Host Name : L154

Primary Domain Suffix : TEIbbersonCo.MN

DNS server list :

193.230.161.3, 193.230.161.4

Sent update to server : <?>

IP Address(es) :

10.27.50.55


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type18115 / Error
Event Submitted/Written: 04/23/2008 02:35:07 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain TEIBBERSONCO due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Event Record #/Type18094 / Error
Event Submitted/Written: 04/23/2008 02:26:42 PM / 04/23/2008 02:26:43 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain TEIBBERSONCO due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Event Record #/Type18087 / Warning
Event Submitted/Written: 04/23/2008 11:55:26 AM
Event ID/Source: 11165 / DnsApi
Event Description:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:


Adapter Name : {CC5E2E31-1429-4160-894C-863212B38D30}

Host Name : L154

Primary Domain Suffix : TEIbbersonCo.MN

DNS server list :

193.230.161.3, 193.230.161.4

Sent update to server : <?>

IP Address(es) :

10.27.50.55


The reason the system could not register these RRs was because the
DNS server contacted refused the update request. The reasons for this
might be (a) you are not allowed to update the specified DNS domain name,
or (b) because the DNS server authoritative for this name does not support
the DNS dynamic update protocol.


To register the DNS host (A) resource records using the specific DNS
domain name and IP addresses for this adapter, contact your DNS server
or network systems administrator.

Event Record #/Type18065 / Error
Event Submitted/Written: 04/23/2008 11:39:11 AM / 04/23/2008 11:39:12 AM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain TEIBBERSONCO due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.



-- End of Deckard's System Scanner: finished at 2008-04-23 16:38:46 ------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 23, 2008 4:30:53 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 722921
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 95781
Number of viruses found: 14
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 01:27:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Wave Systems Corp\AuthManager\AuthPkg.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Wave Systems Corp\AuthManager\biolsp.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\wkr\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\wkr\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\wkr\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\wkr\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\wkr\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\wkr\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped
C:\Documents and Settings\wkr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\wkr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\wkr\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\wkr\Local Settings\Temp\cpxjsxac.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\Documents and Settings\wkr\Local Settings\Temp\nynuxses.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.plw skipped
C:\Documents and Settings\wkr\Local Settings\Temp\qpokwrjk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\Documents and Settings\wkr\Local Settings\Temporary Internet Files\Content.IE5\096RGXYR\zrt20080408[1] Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\wkr\Local Settings\Temporary Internet Files\Content.IE5\0T63CH6N\kriv[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\Documents and Settings\wkr\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\wkr\ntuser.dat Object is locked skipped
C:\Documents and Settings\wkr\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.dbf Object is locked skipped
C:\Program Files\CA\eTrust Antivirus\DB\rtmaster.ntx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP267\A0023184.exe Infected: Trojan-Downloader.Win32.Zlob.kxp skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP270\A0024245.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP270\A0024250.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP272\A0025568.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP272\A0025569.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP276\A0028272.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP276\A0028274.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP291\A0034827.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP292\A0034894.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP293\A0034980.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP293\A0035023.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.okj skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP296\A0035230.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP296\A0035231.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxb skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP296\A0035239.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxe skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP296\A0035240.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxu skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP296\A0035320.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pke skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP300\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\qdnkewfa.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dwv skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iifdddDs.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\owxmakan.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xbjoojvc.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:40 AM

Posted 23 April 2008 - 09:07 PM

Hello cyanide_s_k,

Welcome to Bleeping Computer :thumbsup:

Click Start > Control Panel > Add/Remove Programs and uninstall the following, if present:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1


Reboot your computer.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0F689B45-FD14-478B-A27C-5823650CA051} - (no file)
O2 - BHO: (no name) - {220E588E-A84A-45FD-B768-58566CB0B359} - (no file)
O2 - BHO: (no name) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {629A87B6-D274-4700-9ACD-30DF573F643C} - (no file)
O2 - BHO: (no name) - {75A2C886-8E36-4306-BA83-9102718FA4B2} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {B82F29E4-8368-4B14-9C00-5138C0D94034} - (no file)
O2 - BHO: (no name) - {FB27D944-F679-4223-A29B-47046FE2373D} - C:\WINDOWS\system32\iifdddDs.dll
O4 - HKLM\..\Policies\Explorer\Run: [PawVcfYZMo] C:\Documents and Settings\All Users\Application Data\yronobyv\mfsngpwh.exe
O20 - Winlogon Notify: awtqpNGW - C:\WINDOWS\system32\awtqpNGW.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This tool is not a toy. If used the wrong way you could trash your computer. Please use it only under the direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
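The fix list above identifies the Vundo BHO by its CLSID, and the follow-up below shows why that is fragile: the same iifdddDs.dll came back under a different CLSID, which the ComboFix log lists as {3CB7F708-0312-4778-A2C0-436783B5E542}. The script below is an added example written for this page, not a tool from the thread or from the HijackThis or ComboFix authors. It parses HijackThis O2/O4/O20 lines, correlates entries by the module on disk rather than by CLSID, and separates dead entries ("(no file)", "(file missing)") from live suspects. The sample lines are the ones quoted in this reply plus two constructed additions labelled in the code: a benign "Example Helper" BHO as a control, and a second scan in which the DLL reappears under the later CLSID. The eight-random-letter naming rule is a heuristic assumed by the example, not a statement from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# HijackThis lines quoted from the reply above; CLSIDs and file names are the
# thread's own. "Example Helper" is a constructed control: a legitimate BHO.
HJT_SCAN_1 = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {FB27D944-F679-4223-A29B-47046FE2373D} - C:\WINDOWS\system32\iifdddDs.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\ExampleHelper.dll
O4 - HKLM\..\Policies\Explorer\Run: [PawVcfYZMo] C:\Documents and Settings\All Users\Application Data\yronobyv\mfsngpwh.exe
O20 - Winlogon Notify: awtqpNGW - C:\WINDOWS\system32\awtqpNGW.dll (file missing)
"""

# Constructed "after reboot" scan: the same DLL is back as a BHO, now under the
# CLSID that ComboFix reports later in this thread.
HJT_SCAN_2 = r"""
O2 - BHO: (no name) - {3CB7F708-0312-4778-A2C0-436783B5E542} - C:\WINDOWS\system32\iifdddDs.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\ExampleHelper.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Heuristic assumed by this example: Vundo drops modules named with 8 random
# letters into system folders (every malicious name in this thread fits).
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$", re.I)
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/",
               "c:/documents and settings/all users/application data/")

@dataclass
class Entry:
    section: str          # O2, O4 or O20
    location: str         # "BHO", the Run key, or "Winlogon Notify"
    name: str
    clsid: Optional[str]  # only BHOs carry one
    path: str             # exactly as HijackThis printed it

    @property
    def file(self) -> Optional[str]:
        # None for a dead entry: "(no file)" or "... (file missing)"
        if self.path == "(no file)" or self.path.endswith("(file missing)"):
            return None
        return self.path

    @property
    def key(self) -> str:
        # Correlate on the module, not the CLSID, which Vundo changes between boots.
        return (self.file or self.path).lower().replace("\\", "/")

def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", "BHO", m["name"], m["clsid"], m["path"]))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["key"], m["name"], None, m["path"]))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", "Winlogon Notify", m["name"], None, m["path"]))
    return entries

def classify(e: Entry) -> List[str]:
    """Flags for one entry; an empty list means nothing stood out."""
    if e.file is None:
        return ["orphan: registry entry whose file is gone; harmless, remove to tidy up"]
    flags: List[str] = []
    base = e.key.rsplit("/", 1)[-1]
    if RANDOM_NAME.match(base) and e.key.startswith(SYSTEM_DIRS):
        flags.append("suspect: 8-letter random-looking module in a system folder (Vundo naming pattern)")
    if "policies/explorer/run" in e.location.lower().replace("\\", "/"):
        flags.append("suspect: Policies\\Explorer\\Run autostart, rarely used by legitimate software")
    return flags

def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    return [(e, classify(e)) for e in parse_hjt(text)]

def flagged_files(text: str) -> Set[str]:
    """Modules to tick in HijackThis: anything carrying a 'suspect' flag."""
    return {e.file for e, flags in triage(text) if any(f.startswith("suspect") for f in flags)}

def reregistered(before: str, after: str) -> Dict[str, Tuple[str, str]]:
    """BHO modules present in both scans but registered under a different CLSID."""
    old = {e.key: e.clsid for e in parse_hjt(before) if e.section == "O2" and e.file}
    out: Dict[str, Tuple[str, str]] = {}
    for e in parse_hjt(after):
        if e.section == "O2" and e.file and e.clsid and e.key in old \
                and old[e.key].lower() != e.clsid.lower():
            out[e.file] = (old[e.key], e.clsid)
    return out

if __name__ == "__main__":
    for e, flags in triage(HJT_SCAN_1):
        print(e.section, e.path, flags)
    print(reregistered(HJT_SCAN_1, HJT_SCAN_2))
```

Run as-is it prints the triage of the first scan and the one BHO that moved to a new CLSID. In practice, paste a fresh HijackThis log into HJT_SCAN_2 and tick whatever flagged_files returns: a changed CLSID with the same DLL is the entry to fix, which answers the question the poster raises below. Fixing the registry entry does not delete the DLL itself, which is why the steps above go on to ComboFix.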

#3 cyanide_s_k

cyanide_s_k
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:40 AM

Posted 24 April 2008 - 06:48 AM

Hello teacup61 and thanks very much for your help, it is much appreciated.

I did the steps you suggested and I will paste the ComboFix and HijackThis logs below. However, I should mention that upon rebooting I got the same message:

" The Win32/Vundo!generic was detected in C:\WINDOWS\SYSTEM32\IIFDDDDS.DLL.
Machine: L154, User: L154\wkr.
File Status: File is cured and the machine needs to reboot to complete cure"

I think this is because when I did the HijackThis! scan an entry came up similar to what you listed but not the exact thing. It began with O2 - BHO: (no name) - { but here the numbers were different... I am sorry I did not write them down. The end was the same as what you listed: } - C:\WINDOWS\system32\iifdddDs.dll. I did not check this entry before selecting "Fix checked" and this may be the cause of the problem. I was uncertain and decided not to check it, just in case... I would prefer to ask your advice. If I run HijackThis! again, should I check that entry if faced with a similar situation? Here are the logs:


ComboFix 08-04-22.5 - wkr 2008-04-24 14:27:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446 [GMT 3:00]
Running from: C:\Documents and Settings\wkr\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\qdnkewfa.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\owxmakan.dll
C:\WINDOWS\system32\sDdddfii.ini
C:\WINDOWS\system32\sDdddfii.ini2
C:\WINDOWS\system32\xbjoojvc.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 13:43 . 2008-04-24 13:58 <DIR> d-------- C:\HijackThis
2008-04-23 16:33 . 2008-04-23 16:33 <DIR> d-------- C:\Deckard
2008-04-22 17:17 . 2008-04-22 17:17 <DIR> d-------- C:\kav
2008-04-22 14:33 . 2008-04-22 16:32 1,540,884 --ahs---- C:\WINDOWS\system32\byqbwyge.ini
2008-04-22 13:59 . 2008-04-22 13:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-22 13:59 . 2008-04-22 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 09:16 . 2008-04-22 09:30 153 --a------ C:\WINDOWS\wininit.ini
2008-04-21 11:36 . 2008-04-21 11:36 <DIR> d-------- C:\VundoFix Backups
2008-04-21 08:28 . 2008-04-21 08:28 <DIR> d-------- C:\Program Files\Microsoft .NET Compact Framework 1.0 SP3
2008-04-17 10:59 . 2008-04-22 09:30 894 --ahs---- C:\WINDOWS\system32\towderge.ini
2008-04-16 10:58 . 2008-04-17 10:58 1,314 --ahs---- C:\WINDOWS\system32\fowowpec.ini
2008-04-16 10:57 . 2008-04-18 10:58 101,091 --a------ C:\WINDOWS\BM9716a283.xml
2008-04-15 11:00 . 2008-04-16 08:16 1,134 --ahs---- C:\WINDOWS\system32\couidrrj.ini
2008-04-15 09:32 . 2008-04-15 09:32 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-15 09:31 . 2008-04-15 09:31 <DIR> d-------- C:\Program Files\MSECACHE
2008-04-15 08:38 . 2008-04-15 08:41 <DIR> d-------- C:\6701463127e5bdad4b102339fad5e0f8
2008-04-15 08:15 . 2008-04-15 08:15 <DIR> d-------- C:\72463835189d3e2f96f529
2008-04-14 15:51 . 2008-04-14 15:51 <DIR> d-------- C:\temp
2008-04-14 13:23 . 2008-04-14 13:23 <DIR> d-------- C:\Program Files\SmartPCTools
2008-04-14 12:15 . 2008-04-14 12:15 <DIR> d-------- C:\Documents and Settings\wkr\Application Data\GlarySoft
2008-04-14 10:58 . 2008-04-15 10:58 834 --ahs---- C:\WINDOWS\system32\juowfusp.ini
2008-04-14 10:21 . 2008-04-14 10:51 <DIR> d-------- C:\Program Files\AnswerWorks 4(2).0
2008-04-14 10:12 . 2008-04-14 10:51 <DIR> d-------- C:\Program Files\Autodesk(2)
2008-04-14 09:27 . 2008-04-14 09:28 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-11 12:04 . 2008-04-11 12:04 273,920 --a------ C:\WINDOWS\system32\iifdddDs.dll
2008-04-11 11:52 . 2008-04-15 08:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yronobyv
2008-04-11 11:52 . 2008-04-11 11:52 94,208 --a------ C:\WINDOWS\system32\ufcdyvof.exe
2008-04-10 12:02 . 2008-04-10 12:02 <DIR> d-------- C:\Documents and Settings\wkr\Application Data\AdobeUM
2008-04-10 11:59 . 2008-04-10 11:59 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-10 11:59 . 2008-04-10 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-02 17:12 . 2008-04-02 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 06:34 --------- d-----w C:\Program Files\Java
2008-04-22 10:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-22 09:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-22 07:43 --------- d-----w C:\Program Files\IrfanView
2008-04-22 07:36 --------- d-----w C:\Program Files\CyberLink
2008-04-22 07:34 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-22 07:32 --------- d-----w C:\Documents and Settings\wkr\Application Data\Yahoo!
2008-04-22 07:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-22 07:21 --------- d-----w C:\Program Files\Yahoo!
2008-04-22 06:54 --------- d-----w C:\Program Files\Google
2008-04-15 05:48 --------- d-----w C:\Program Files\AutoCAD LT 2007
2008-04-15 05:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-12 07:31 --------- d-----w C:\Documents and Settings\wkr\Application Data\U3
2008-04-10 10:41 --------- d-----w C:\Documents and Settings\wkr\Application Data\ZoomBrowser EX
2008-04-10 08:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-11 19:17 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-07 19:46 --------- d-----w C:\Documents and Settings\wkr\Application Data\LimeWire
2008-03-03 02:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-02 16:16 --------- d-----w C:\Documents and Settings\wkr\Application Data\Skype
2008-03-01 21:56 --------- d-----w C:\Program Files\MSN Messenger
2008-03-01 21:55 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-01 21:55 --------- d-----w C:\Program Files\Windows Live
2008-03-01 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CB7F708-0312-4778-A2C0-436783B5E542}]
2008-04-11 12:04 273920 --a------ C:\WINDOWS\system32\iifdddDs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 11:24 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-29 06:57 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 10:30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 21:13 176128]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 01:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 01:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 01:45 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 03:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-19 02:58 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 17:32 102400]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 21:13 1032192]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-07 01:14 504080]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 05:16 39792]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-04-10 11:58:59 25214]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-03-06 11:10:46 24576]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-08-25 18:45:30 192512]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-05-15 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Startup.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\kav\\kav7.0\\english\\setup.exe"=

R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys [2005-12-10 00:35]
S3 GTKCMOS;GTKCMOS;C:\WINDOWS\system32\GTKCMOS.sys [2004-06-15 22:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 14:35:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-24 14:42:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 11:41:57

Pre-Run: 58,085,556,224 bytes free
Post-Run: 57,974,427,648 bytes free

165 --- E O F --- 2008-04-15 07:28:36


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:11 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070306
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CB7F708-0312-4778-A2C0-436783B5E542} - C:\WINDOWS\system32\iifdddDs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O17 - HKLM\Software\..\Telephony: DomainName = TEIbbersonCo.MN
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9949 bytes

Thanks and have a nice day,
cyanide

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:40 AM

Posted 24 April 2008 - 12:11 PM

Hello,

You're welcome. :blink:

Don't worry about the messages. This should take care of them. :thumbsup:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\byqbwyge.ini
C:\WINDOWS\system32\towderge.ini
C:\WINDOWS\system32\fowowpec.ini
C:\WINDOWS\BM9716a283.xml
C:\WINDOWS\system32\couidrrj.ini
C:\WINDOWS\system32\juowfusp.ini
C:\WINDOWS\system32\iifdddDs.dll

Folder::
C:\6701463127e5bdad4b102339fad5e0f8
C:\72463835189d3e2f96f529

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CB7F708-0312-4778-A2C0-436783B5E542}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.

After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running now? :wacko:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
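The CFScript above tells ComboFix which file to delete (the BHO DLL) and which Browser Helper Object registration to remove. As an added example, not from this thread and not part of HijackThis or ComboFix, the Python below shows how the same conclusion can be reached mechanically from a HijackThis log: it parses the O2 (BHO) lines, flags an unnamed BHO whose DLL sits directly in system32 under a random-looking 8-letter name, and emits a CFScript in the File::/Registry:: layout used in the post. The sample log lines are constructed from the entries in this thread; the "unnamed BHO with an 8-letter DLL in system32" heuristic is an assumption of the example, not a rule from either tool, and the `~` abbreviation in the registry path is simply copied from the script above.

```python
"""Triage HijackThis O2 (BHO) lines and emit a ComboFix CFScript.

Added example for the thread above; not part of HijackThis or ComboFix.
The detection heuristic below is an assumption of this example.
"""
import re
from typing import List, NamedTuple

# Constructed sample modelled on the HijackThis log posted in the thread
# (three BHOs plus one unrelated O4 line that the parser must ignore).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CB7F708-0312-4778-A2C0-436783B5E542} - C:\WINDOWS\system32\iifdddDs.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
"""


class Bho(NamedTuple):
    name: str   # display name HijackThis shows, "(no name)" when the DLL has none
    clsid: str  # CLSID in braces, normalised to upper case
    path: str   # DLL path as written in the log


# "O2 - BHO: <name> - {CLSID} - <path>"; CLSID is 32 hex digits + 4 hyphens = 36 chars.
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$"
)

# Heuristic (assumption of this example): a DLL dropped straight into
# system32 with a random-looking, purely alphabetic 8-letter name.
SYSTEM32_RANDOM_DLL = re.compile(
    r"^[A-Za-z]:\\WINDOWS\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE
)


def parse_bhos(log_text: str) -> List[Bho]:
    """Return every O2 (BHO) entry in a HijackThis log; other line types are skipped."""
    found = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"].upper(), m["path"]))
    return found


def is_suspicious(bho: Bho) -> bool:
    """Unnamed BHO loaded from a random-looking DLL directly under system32."""
    return bho.name == "(no name)" and SYSTEM32_RANDOM_DLL.match(bho.path) is not None


def find_suspicious_bhos(log_text: str) -> List[Bho]:
    return [b for b in parse_bhos(log_text) if is_suspicious(b)]


def build_cfscript(bhos: List[Bho]) -> str:
    """Render a CFScript: File:: section for the DLLs, Registry:: section
    removing each BHO registration (leading '-' = delete key, as in the post)."""
    if not bhos:
        return ""
    lines = ["File::"]
    lines.extend(b.path for b in bhos)
    lines.append("")
    lines.append("Registry::")
    lines.extend(
        "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + b.clsid + "]" for b in bhos
    )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_suspicious_bhos(SAMPLE_HJT_LOG)
    for hit in hits:
        print("suspicious BHO:", hit.clsid, hit.path)
    print(build_cfscript(hits), end="")
```

Run stand-alone it prints the one flagged entry from the sample and the resulting two-section CFScript. The heuristic is deliberately narrow so that signed, named BHOs from Program Files are never touched; anything it flags should still be confirmed by a human before a script built from it is handed to ComboFix.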

#5 cyanide_s_k

cyanide_s_k
  • Topic Starter

  • Members
  • 5 posts
  • Local time:11:40 AM

Posted 24 April 2008 - 01:46 PM

Hello teacup61, and thanks again. I did as you said and so far I think it worked like a dream. I have no more pop-ups and my computer is much faster. I will post the combofix and hijackthis logs below. I have another question though: if my laptop is indeed cured, can I go ahead and uninstall the programs we used (dss.exe, hijackthis, atf cleaner and combofix) to perform the cure? Here are the logs:

ComboFix 08-04-22.5 - wkr 2008-04-24 21:20:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.520 [GMT 3:00]
Running from: C:\Documents and Settings\wkr\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\wkr\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM9716a283.xml
C:\WINDOWS\system32\byqbwyge.ini
C:\WINDOWS\system32\couidrrj.ini
C:\WINDOWS\system32\fowowpec.ini
C:\WINDOWS\system32\iifdddDs.dll
C:\WINDOWS\system32\juowfusp.ini
C:\WINDOWS\system32\towderge.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6701463127e5bdad4b102339fad5e0f8
C:\6701463127e5bdad4b102339fad5e0f8\BaseLine.DAT
C:\6701463127e5bdad4b102339fad5e0f8\DefFactory.DAT
C:\6701463127e5bdad4b102339fad5e0f8\DeleteTemp.exe
C:\6701463127e5bdad4b102339fad5e0f8\dlmgr.dll
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1025.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1028.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1029.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1030.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1031.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1032.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1033.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1035.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1036.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1037.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1038.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1040.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1041.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1042.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1043.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1044.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1045.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1046.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1049.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1053.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.1055.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.2052.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.2070.RTF
C:\6701463127e5bdad4b102339fad5e0f8\EULA.3082.RTF
C:\6701463127e5bdad4b102339fad5e0f8\GenComp.dll
C:\6701463127e5bdad4b102339fad5e0f8\HtmlLite.dll
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1025.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1028.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1029.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1030.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1031.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1032.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1035.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1036.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1037.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1038.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1040.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1041.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1042.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1043.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1044.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1045.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1046.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1049.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1053.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.1055.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.2052.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.2070.ini
C:\6701463127e5bdad4b102339fad5e0f8\locdata.3082.ini
C:\6701463127e5bdad4b102339fad5e0f8\LocData.INI
C:\6701463127e5bdad4b102339fad5e0f8\logo.bmp
C:\6701463127e5bdad4b102339fad5e0f8\Setup.EXE
C:\6701463127e5bdad4b102339fad5e0f8\Setup.SDB
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1025.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1028.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1029.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1030.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1031.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1032.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1035.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1036.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1037.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1038.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1040.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1041.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1042.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1043.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1044.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1045.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1046.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1049.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1053.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.1055.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.2052.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.2070.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.3082.dll
C:\6701463127e5bdad4b102339fad5e0f8\setupres.dll
C:\6701463127e5bdad4b102339fad5e0f8\SitSetup.DLL
C:\6701463127e5bdad4b102339fad5e0f8\VS_Setup.dll
C:\6701463127e5bdad4b102339fad5e0f8\vs_setup.msi
C:\6701463127e5bdad4b102339fad5e0f8\VS_Setup.PDI
C:\6701463127e5bdad4b102339fad5e0f8\VS70UIMgr.dll
C:\6701463127e5bdad4b102339fad5e0f8\VSBaseReqs.dll
C:\6701463127e5bdad4b102339fad5e0f8\VSScenario.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1025.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1028.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1029.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1030.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1031.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1032.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1035.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1036.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1037.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1038.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1040.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1041.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1042.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1043.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1044.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1045.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1046.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1049.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1053.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.1055.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.2052.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.2070.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.3082.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapRes.dll
C:\6701463127e5bdad4b102339fad5e0f8\WapUI.dll
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\ASPNET.msp
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\clr.msp
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\crt.msp
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\dw.msp
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\NetFX_CA.msp
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\NetFX_Core.msp
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\NetFX_Other.msp
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\Netfx20a_x86.msi
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\prexp.msp
C:\6701463127e5bdad4b102339fad5e0f8\wcu\dotNetFramework\dotNetFX20\winforms.msp
C:\72463835189d3e2f96f529
C:\72463835189d3e2f96f529\DeleteTemp.exe
C:\72463835189d3e2f96f529\dlmgr.dll
C:\72463835189d3e2f96f529\GenComp.dll
C:\72463835189d3e2f96f529\HtmlLite.dll
C:\72463835189d3e2f96f529\locdata.1025.ini
C:\72463835189d3e2f96f529\locdata.1028.ini
C:\72463835189d3e2f96f529\locdata.1029.ini
C:\72463835189d3e2f96f529\locdata.1030.ini
C:\72463835189d3e2f96f529\locdata.1031.ini
C:\72463835189d3e2f96f529\locdata.1032.ini
C:\72463835189d3e2f96f529\locdata.1035.ini
C:\72463835189d3e2f96f529\locdata.1036.ini
C:\72463835189d3e2f96f529\locdata.1037.ini
C:\72463835189d3e2f96f529\locdata.1038.ini
C:\72463835189d3e2f96f529\locdata.1040.ini
C:\72463835189d3e2f96f529\locdata.1041.ini
C:\72463835189d3e2f96f529\locdata.1042.ini
C:\72463835189d3e2f96f529\locdata.1043.ini
C:\72463835189d3e2f96f529\locdata.1044.ini
C:\72463835189d3e2f96f529\locdata.1045.ini
C:\72463835189d3e2f96f529\locdata.1046.ini
C:\72463835189d3e2f96f529\locdata.1049.ini
C:\72463835189d3e2f96f529\locdata.1053.ini
C:\72463835189d3e2f96f529\locdata.1055.ini
C:\72463835189d3e2f96f529\locdata.2052.ini
C:\72463835189d3e2f96f529\locdata.2070.ini
C:\72463835189d3e2f96f529\locdata.3082.ini
C:\72463835189d3e2f96f529\LocData.INI
C:\72463835189d3e2f96f529\Setup.EXE
C:\72463835189d3e2f96f529\Setup.SDB
C:\72463835189d3e2f96f529\setupres.1025.dll
C:\72463835189d3e2f96f529\setupres.1028.dll
C:\72463835189d3e2f96f529\setupres.1029.dll
C:\72463835189d3e2f96f529\setupres.1030.dll
C:\72463835189d3e2f96f529\setupres.1031.dll
C:\72463835189d3e2f96f529\setupres.1032.dll
C:\72463835189d3e2f96f529\setupres.1035.dll
C:\72463835189d3e2f96f529\setupres.1036.dll
C:\72463835189d3e2f96f529\setupres.1037.dll
C:\72463835189d3e2f96f529\setupres.1038.dll
C:\72463835189d3e2f96f529\setupres.1040.dll
C:\72463835189d3e2f96f529\setupres.1041.dll
C:\72463835189d3e2f96f529\setupres.1042.dll
C:\72463835189d3e2f96f529\setupres.1043.dll
C:\72463835189d3e2f96f529\setupres.1044.dll
C:\72463835189d3e2f96f529\setupres.1045.dll
C:\72463835189d3e2f96f529\setupres.1046.dll
C:\72463835189d3e2f96f529\setupres.1049.dll
C:\72463835189d3e2f96f529\setupres.1053.dll
C:\72463835189d3e2f96f529\setupres.1055.dll
C:\72463835189d3e2f96f529\setupres.2052.dll
C:\72463835189d3e2f96f529\setupres.2070.dll
C:\72463835189d3e2f96f529\setupres.3082.dll
C:\72463835189d3e2f96f529\setupres.dll
C:\72463835189d3e2f96f529\SitSetup.DLL
C:\72463835189d3e2f96f529\VS_Setup.dll
C:\72463835189d3e2f96f529\vs_setup.msi
C:\72463835189d3e2f96f529\VS_Setup.PDI
C:\72463835189d3e2f96f529\VS70UIMgr.dll
C:\72463835189d3e2f96f529\VSBaseReqs.dll
C:\72463835189d3e2f96f529\VSScenario.dll
C:\72463835189d3e2f96f529\WapRes.1025.dll
C:\72463835189d3e2f96f529\WapRes.1028.dll
C:\72463835189d3e2f96f529\WapRes.1029.dll
C:\72463835189d3e2f96f529\WapRes.1030.dll
C:\72463835189d3e2f96f529\WapRes.1031.dll
C:\72463835189d3e2f96f529\WapRes.1032.dll
C:\72463835189d3e2f96f529\WapRes.1035.dll
C:\72463835189d3e2f96f529\WapRes.1036.dll
C:\72463835189d3e2f96f529\WapRes.1037.dll
C:\72463835189d3e2f96f529\WapRes.1038.dll
C:\72463835189d3e2f96f529\WapRes.1040.dll
C:\72463835189d3e2f96f529\WapRes.1041.dll
C:\72463835189d3e2f96f529\WapRes.1042.dll
C:\72463835189d3e2f96f529\WapRes.1043.dll
C:\72463835189d3e2f96f529\WapRes.1044.dll
C:\72463835189d3e2f96f529\WapRes.1045.dll
C:\72463835189d3e2f96f529\WapRes.1046.dll
C:\72463835189d3e2f96f529\WapRes.1049.dll
C:\72463835189d3e2f96f529\WapRes.1053.dll
C:\72463835189d3e2f96f529\WapRes.1055.dll
C:\72463835189d3e2f96f529\WapRes.2052.dll
C:\72463835189d3e2f96f529\WapRes.2070.dll
C:\72463835189d3e2f96f529\WapRes.3082.dll
C:\72463835189d3e2f96f529\WapRes.dll
C:\72463835189d3e2f96f529\WapUI.dll
C:\72463835189d3e2f96f529\wcu\dotNetFramework\dotNetFX20\Netfx20a_x86.msi
C:\WINDOWS\BM9716a283.xml
C:\WINDOWS\system32\byqbwyge.ini
C:\WINDOWS\system32\couidrrj.ini
C:\WINDOWS\system32\fowowpec.ini
C:\WINDOWS\system32\juowfusp.ini
C:\WINDOWS\system32\towderge.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 13:43 . 2008-04-24 14:42 <DIR> d-------- C:\HijackThis
2008-04-23 16:33 . 2008-04-23 16:33 <DIR> d-------- C:\Deckard
2008-04-22 17:17 . 2008-04-22 17:17 <DIR> d-------- C:\kav
2008-04-22 13:59 . 2008-04-22 13:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-22 13:59 . 2008-04-22 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-22 09:16 . 2008-04-22 09:30 153 --a------ C:\WINDOWS\wininit.ini
2008-04-21 11:36 . 2008-04-21 11:36 <DIR> d-------- C:\VundoFix Backups
2008-04-21 08:28 . 2008-04-21 08:28 <DIR> d-------- C:\Program Files\Microsoft .NET Compact Framework 1.0 SP3
2008-04-15 09:32 . 2008-04-15 09:32 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-04-15 09:31 . 2008-04-15 09:31 <DIR> d-------- C:\Program Files\MSECACHE
2008-04-14 15:51 . 2008-04-14 15:51 <DIR> d-------- C:\temp
2008-04-14 13:23 . 2008-04-14 13:23 <DIR> d-------- C:\Program Files\SmartPCTools
2008-04-14 12:15 . 2008-04-14 12:15 <DIR> d-------- C:\Documents and Settings\wkr\Application Data\GlarySoft
2008-04-14 10:21 . 2008-04-14 10:51 <DIR> d-------- C:\Program Files\AnswerWorks 4(2).0
2008-04-14 10:12 . 2008-04-14 10:51 <DIR> d-------- C:\Program Files\Autodesk(2)
2008-04-14 09:27 . 2008-04-14 09:28 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-11 11:52 . 2008-04-15 08:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yronobyv
2008-04-11 11:52 . 2008-04-11 11:52 94,208 --a------ C:\WINDOWS\system32\ufcdyvof.exe
2008-04-10 12:02 . 2008-04-10 12:02 <DIR> d-------- C:\Documents and Settings\wkr\Application Data\AdobeUM
2008-04-10 11:59 . 2008-04-10 11:59 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-10 11:59 . 2008-04-10 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-02 17:12 . 2008-04-02 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 06:34 --------- d-----w C:\Program Files\Java
2008-04-22 10:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-22 09:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-22 07:43 --------- d-----w C:\Program Files\IrfanView
2008-04-22 07:36 --------- d-----w C:\Program Files\CyberLink
2008-04-22 07:34 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-22 07:32 --------- d-----w C:\Documents and Settings\wkr\Application Data\Yahoo!
2008-04-22 07:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-22 07:21 --------- d-----w C:\Program Files\Yahoo!
2008-04-22 06:54 --------- d-----w C:\Program Files\Google
2008-04-15 05:48 --------- d-----w C:\Program Files\AutoCAD LT 2007
2008-04-15 05:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-12 07:31 --------- d-----w C:\Documents and Settings\wkr\Application Data\U3
2008-04-10 10:41 --------- d-----w C:\Documents and Settings\wkr\Application Data\ZoomBrowser EX
2008-04-10 08:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-11 19:17 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-07 19:46 --------- d-----w C:\Documents and Settings\wkr\Application Data\LimeWire
2008-03-03 02:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-02 16:16 --------- d-----w C:\Documents and Settings\wkr\Application Data\Skype
2008-03-01 21:56 --------- d-----w C:\Program Files\MSN Messenger
2008-03-01 21:55 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-01 21:55 --------- d-----w C:\Program Files\Windows Live
2008-03-01 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_14.41.35.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 11:33:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 18:24:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 11:24 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-29 06:57 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 10:30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 21:13 176128]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-14 01:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-14 01:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-14 01:45 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-19 03:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-19 02:58 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 01:30 282624 C:\WINDOWS\stsystra.exe]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 17:32 102400]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-06-29 21:13 1032192]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-07 01:14 504080]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 05:16 39792]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-04-10 11:58:59 25214]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-03-06 11:10:46 24576]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-08-25 18:45:30 192512]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-05-15 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Startup.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"C:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
"C:\\WINDOWS\\system32\\msiexec.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\kav\\kav7.0\\english\\setup.exe"=

R0 PBADRV;PBADRV;C:\WINDOWS\system32\drivers\pbadrv.sys [2005-12-10 00:35]
S3 GTKCMOS;GTKCMOS;C:\WINDOWS\system32\GTKCMOS.sys [2004-06-15 22:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaddb328-6030-11dc-a497-00188bbdf9f3}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 21:26:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-04-24 21:32:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 18:32:46
ComboFix2.txt 2008-04-24 11:42:08

Pre-Run: 58,071,363,584 bytes free
Post-Run: 58,027,438,080 bytes free

380 --- E O F --- 2008-04-15 07:28:36

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:24 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070306
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O17 - HKLM\Software\..\Telephony: DomainName = TEIbbersonCo.MN
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = TEIbbersonCo.MN
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9819 bytes

Please let me know if it looks okay now.

Regards,
cyanide

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:40 AM

Posted 24 April 2008 - 02:35 PM

Hello,

You're most welcome. :blink:

Is eTrust behaving like it should now?

That looks really good now. :thumbsup:

If my laptop is indeed cured, can I go ahead and uninstall the programs we used (dss.exe, hijackthis, atf cleaner and combofix) to perform the cure?

Yes, please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. You can keep ATF Cleaner if you like it. I use it all the time on my own system. :wacko:

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#7 cyanide_s_k

cyanide_s_k
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:40 AM

Posted 24 April 2008 - 02:51 PM

Thanks teacup61, you've been a huge help. I will definitely take a look at these programs and get them running on my system. Have a great day!

Regards,
cyanide

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:40 AM

Posted 24 April 2008 - 02:55 PM

You're welcome.

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:40 AM

Posted 26 April 2008 - 02:21 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.