Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijacked - Smitfraud And Or Vundo? Warning: Spyware Threat Has Been Detected On Your Computer


  • This topic is locked This topic is locked
11 replies to this topic

#1 JDH27

JDH27

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 12 May 2008 - 03:18 PM

Hi, regrettably one of our PCs got hijacked. My DSS logs are copied below. Any help would be much appreciated.

Other details:
The desktop is replaced with a fake warning screen with the title:
Warning: Spyware threat has been detected on your PC.
It includes a link to a site where malware removal software is offered for sale.
When IE7 is open, multiple redirects happen, and performance is spotty.

The notification toolbar frequently informs that the computer has been hijacked, or an internet attack is occuring.



Deckard's System Scanner v20071014.68
Run by JDH on 2008-05-12 12:10:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
92: 2008-05-12 19:10:47 UTC - RP894 - Deckard's System Scanner Restore Point
91: 2008-05-11 18:44:38 UTC - RP893 - Last known good configuration
90: 2008-05-11 18:44:33 UTC - RP892 - System Checkpoint
89: 2008-05-11 18:44:33 UTC - RP891 - Installed CorelDRAW Graphics Suite X3
88: 2008-05-11 18:44:33 UTC - RP890 - Removed FontNav


-- First Restore Point --
1: 2008-05-11 18:44:17 UTC - RP803 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as JDH.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:28 PM, on 5/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\b2new.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\JDH\Desktop\dss.exe
C:\HJT\JDH.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {833fbce5-a995-3479-79b4-b93b1b6b2187} - {7812b6b1-b39b-4b97-9743-599a5ecbf338} - C:\WINDOWS\system32\bsjrrciw.dll
O2 - BHO: (no name) - {81D1C25D-40BE-4A3D-8B94-1C15F054F73A} - C:\WINDOWS\system32\mlJBULcB.dll
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\system32\iiffEtrO.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [78ae9680] rundll32.exe "C:\WINDOWS\system32\egfrtnwa.dll",b
O4 - HKLM\..\Run: [BM7b9da51c] Rundll32.exe "C:\WINDOWS\system32\qnnrihqs.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1415290523-2348759147-2617178162-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Isabelle')
O4 - HKUS\S-1-5-21-1415290523-2348759147-2617178162-1007\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe" (User 'Isabelle')
O4 - HKUS\S-1-5-21-1415290523-2348759147-2617178162-1007\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe" (User 'Isabelle')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: iiffEtrO - C:\WINDOWS\SYSTEM32\iiffEtrO.dll
O21 - SSODL: Zapicsap - {561AE6A8-45EA-4516-B3ED-C00F73F6D327} - C:\WINDOWS\system32\tcpogvip.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\b2new.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8932 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
R3 mohfilt - c:\windows\system32\drivers\mohfilt.sys <Not Verified; Intel Corporation; Intel® 537EP V9x DFV PCI Modem>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MsSecurity1.209.4 (MsSecurity Updated) - c:\windows\b2new.exe service
R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2005-04-19 15:45:58 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-04-12 and 2008-05-12 -----------------------------

2008-05-12 10:49:44 0 d-------- C:\HJT
2008-05-12 09:45:49 98960 --a------ C:\WINDOWS\system32\bsjrrciw.dll
2008-05-12 09:42:49 83072 --a------ C:\WINDOWS\system32\egfrtnwa.dll
2008-05-12 09:40:50 2112 --a------ C:\WINDOWS\system32\xwabplmr.exe
2008-05-12 09:40:37 90240 --a------ C:\WINDOWS\system32\qnnrihqs.dll
2008-05-12 09:39:48 1048255 --ahs---- C:\WINDOWS\system32\BcLUBJlm.ini2
2008-05-12 09:39:33 314480 --a------ C:\WINDOWS\system32\mlJBULcB.dll
2008-05-11 13:40:49 11520 --a------ C:\WINDOWS\voiceip.dll
2008-05-11 13:40:49 22784 --a------ C:\WINDOWS\swin32.dll
2008-05-11 13:40:49 15360 --a------ C:\WINDOWS\stcloader.exe
2008-05-11 13:40:48 13056 --a------ C:\WINDOWS\mssvr.exe
2008-05-11 13:40:48 27904 --a------ C:\WINDOWS\mspphe.dll
2008-05-11 13:40:48 27136 --a------ C:\WINDOWS\cdsm32.dll
2008-05-11 13:40:48 11264 --a------ C:\WINDOWS\bokja.exe
2008-05-11 13:40:48 22272 --a------ C:\WINDOWS\bjam.dll
2008-05-11 13:40:48 30208 --a------ C:\WINDOWS\2020search2.dll
2008-05-11 13:40:47 20736 --a------ C:\WINDOWS\2020search.dll
2008-05-11 13:40:44 23552 --a------ C:\WINDOWS\saiemod.dll
2008-05-11 13:40:44 20736 --a------ C:\WINDOWS\msapasrc.dll
2008-05-11 13:40:43 24064 --a------ C:\WINDOWS\shdocpl.dll
2008-05-11 13:40:43 25088 --a------ C:\WINDOWS\shdocpe.dll
2008-05-11 13:40:43 21760 --a------ C:\WINDOWS\ntnut.exe
2008-05-11 13:40:43 8448 --a------ C:\WINDOWS\msa64chk.dll
2008-05-11 13:40:42 20224 --a------ C:\WINDOWS\winsb.dll
2008-05-11 13:40:42 23296 --a------ C:\WINDOWS\browserad.dll
2008-05-11 13:40:42 26624 --a------ C:\WINDOWS\aviwrap32.dll
2008-05-11 13:40:42 11776 --a------ C:\WINDOWS\avisynthex32.dll
2008-05-11 13:40:42 25600 --a------ C:\WINDOWS\avifile32.dll
2008-05-11 13:40:41 12800 --a------ C:\WINDOWS\autodisc32.dll
2008-05-11 13:40:41 24832 --a------ C:\WINDOWS\audiosrv32.dll
2008-05-11 13:40:41 26880 --a------ C:\WINDOWS\ati2dvag32.dll
2008-05-11 13:40:41 17408 --a------ C:\WINDOWS\ati2dvaa32.dll
2008-05-11 13:40:41 20992 --a------ C:\WINDOWS\athprxy32.dll
2008-05-11 13:40:41 29440 --a------ C:\WINDOWS\asycfilt32.dll
2008-05-11 13:40:40 24064 --a------ C:\WINDOWS\changeurl_30.dll
2008-05-11 13:40:40 12288 --a------ C:\WINDOWS\asferror32.dll
2008-05-11 13:40:40 26880 --a------ C:\WINDOWS\apphelp32.dll
2008-05-11 11:43:53 316464 -----n--- C:\WINDOWS\system32\yayxYpNE.dll
2008-05-11 11:38:56 0 d-------- C:\Program Files\QdrPack
2008-05-11 11:38:48 25728 --a------ C:\WINDOWS\system32\iiffEtrO.dll
2008-05-11 11:38:46 0 d-------- C:\Program Files\QdrModule
2008-05-11 11:38:46 0 d-------- C:\Program Files\QdrDrive
2008-05-11 11:38:46 0 d-------- C:\Program Files\ISM
2008-05-11 11:38:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-11 11:38:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-11 11:38:32 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-05-11 11:38:32 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-11 11:38:30 91563 --a------ C:\WINDOWS\system32\wmsdkns.exe <Not Verified; Microsoft; XML Media>
2008-05-11 11:38:30 91563 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-05-11 11:38:27 25600 --a------ C:\WINDOWS\b2new.exe
2008-05-09 17:30:56 34832 -----n--- C:\WINDOWS\system32\000070.exe
2008-05-09 12:38:14 0 d-------- C:\Documents and Settings\Isabelle\Application Data\Corel
2008-05-09 12:34:19 0 d-------- C:\Program Files\Corel
2008-05-09 12:34:19 0 d-------- C:\Program Files\Common Files\Corel
2008-05-09 12:34:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-09 12:28:30 0 d-------- C:\WINDOWS\Prefetch
2008-05-09 12:21:30 0 d-------- C:\WINDOWS\system32\scripting
2008-05-09 12:21:29 0 d-------- C:\WINDOWS\l2schemas
2008-05-09 12:21:28 0 d-------- C:\WINDOWS\system32\en
2008-05-09 12:21:27 0 d-------- C:\WINDOWS\system32\bits
2008-05-09 12:18:19 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-09 03:16:42 0 d--hs---- C:\found.000
2008-05-03 09:48:00 270709 --a------ C:\WINDOWS\system32\000060.exe
2008-04-22 11:08:14 0 d-------- C:\Documents and Settings\Isabelle\Application Data\Help
2008-04-22 10:55:57 0 d-------- C:\Documents and Settings\Isabelle\Application Data\Macromedia
2008-04-22 09:30:17 0 d--h----- C:\Documents and Settings\Isabelle\Application Data\GTek
2008-04-22 09:29:40 0 d--h----- C:\Documents and Settings\Isabelle\NetHood
2008-04-22 09:29:40 0 dr------- C:\Documents and Settings\Isabelle\My Documents
2008-04-22 09:29:40 0 d--h----- C:\Documents and Settings\Isabelle\Local Settings
2008-04-22 09:29:40 0 dr------- C:\Documents and Settings\Isabelle\Favorites
2008-04-22 09:29:40 0 d-------- C:\Documents and Settings\Isabelle\Desktop
2008-04-22 09:29:40 0 d--hs---- C:\Documents and Settings\Isabelle\Cookies
2008-04-22 09:29:40 0 dr-h----- C:\Documents and Settings\Isabelle\Application Data
2008-04-22 09:29:40 0 d-------- C:\Documents and Settings\Isabelle\Application Data\Sun
2008-04-22 09:29:40 0 d-------- C:\Documents and Settings\Isabelle\Application Data\Sonic
2008-04-22 09:29:40 0 d---s---- C:\Documents and Settings\Isabelle\Application Data\Microsoft
2008-04-22 09:29:40 0 d-------- C:\Documents and Settings\Isabelle\Application Data\Jasc Software Inc
2008-04-22 09:29:40 0 d-------- C:\Documents and Settings\Isabelle\Application Data\Identities
2008-04-22 09:29:40 0 d-------- C:\Documents and Settings\Isabelle\Application Data\Adobe
2008-04-22 09:29:39 0 d--h----- C:\Documents and Settings\Isabelle\Templates
2008-04-22 09:29:39 0 dr------- C:\Documents and Settings\Isabelle\Start Menu
2008-04-22 09:29:39 0 dr-h----- C:\Documents and Settings\Isabelle\SendTo
2008-04-22 09:29:39 0 dr-h----- C:\Documents and Settings\Isabelle\Recent
2008-04-22 09:29:39 0 d--h----- C:\Documents and Settings\Isabelle\PrintHood
2008-04-22 09:29:39 2097152 --ah----- C:\Documents and Settings\Isabelle\NTUSER.DAT
2008-04-15 09:08:57 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>


-- Find3M Report ---------------------------------------------------------------

2008-05-12 10:56:32 0 d-------- C:\Documents and Settings\JDH\Application Data\Adobe
2008-05-09 12:34:19 0 d-------- C:\Program Files\Common Files
2008-05-09 12:21:58 0 d-------- C:\Program Files\Messenger
2008-05-09 12:21:27 0 d-------- C:\Program Files\Movie Maker
2008-05-09 12:17:48 0 d-------- C:\Program Files\Windows NT
2008-04-22 10:07:19 0 d-------- C:\Program Files\Common Files\Intuit
2008-04-22 09:26:54 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-17 10:07:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-15 08:50:21 0 d-------- C:\Program Files\Google
2008-03-27 09:56:58 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7812b6b1-b39b-4b97-9743-599a5ecbf338}]
05/12/2008 09:45 AM 98960 --a------ C:\WINDOWS\system32\bsjrrciw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81D1C25D-40BE-4A3D-8B94-1C15F054F73A}]
05/12/2008 09:39 AM 314480 --a------ C:\WINDOWS\system32\mlJBULcB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8334A30C-49E5-489a-B63D-5B927C1EF46E}]
04/03/2008 01:05 PM 147456 --a------ C:\Program Files\QdrDrive\QdrDrive15.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
05/11/2008 11:38 AM 25728 --a------ C:\WINDOWS\system32\iiffEtrO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/25/2004 10:52 AM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 06:12 PM]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [09/14/2004 06:50 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [04/05/2005 07:49 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/05/2005 07:49 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 12:09 PM]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 10:24 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [04/15/2008 09:13 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [02/16/2005 04:15 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [02/16/2005 04:15 PM]
"78ae9680"="C:\WINDOWS\system32\egfrtnwa.dll" [05/12/2008 09:42 AM]
"BM7b9da51c"="C:\WINDOWS\system32\qnnrihqs.dll" [05/12/2008 09:40 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/13/2008 05:12 PM]

C:\Documents and Settings\JDH\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 3:15:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [7/30/2003 12:52:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\iiffEtrO.dll [05/11/2008 11:38 AM 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Zapicsap"= {561AE6A8-45EA-4516-B3ED-C00F73F6D327} - C:\WINDOWS\system32\tcpogvip.dll [07/05/2006 03:55 AM 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffEtrO]
iiffEtrO.dll 05/11/2008 11:38 AM 25728 C:\WINDOWS\SYSTEM32\iiffEtrO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJBULcB

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-05-12 12:15:49 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 1022.07 MiB / 465.25 MiB
Pagefile Memory (total/avail): 2462.73 MiB / 2056.64 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1870.16 MiB

C: is Fixed (NTFS) - 145.31 GiB total, 129.71 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 6Y160M0 - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 145.31 GiB - C:
\PARTITION2 - Unknown - 3.65 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JDH\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MMSE1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JDH
LOGONSERVER=\\MMSE1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JDH\LOCALS~1\Temp
TMP=C:\DOCUME~1\JDH\LOCALS~1\Temp
USERDOMAIN=MMSE1
USERNAME=JDH
USERPROFILE=C:\Documents and Settings\JDH
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

JDH (admin)
Isabelle (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat Elements 6.0 --> MsiExec.exe /I{E5E6E687-1033-BA7E-6000-000000000001}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
CorelDRAW Graphics Suite X3 --> C:\Program Files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {7C5123A9-30A8-4C44-89CA-A8C87A1FCC91} C:\DOCUME~1\Isabelle\LOCALS~1\Temp\CGSX3.log
CorelDRAW Graphics Suite X3 --> MsiExec.exe /I{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
Dell Support Center --> MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
eMusic Download Manager --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\eMusic Download Manager\Uninst.isu"
EN --> MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
FontNav --> MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
HijackThis 2.0.2 --> "C:\HJT\HijackThis.exe" /uninstall
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
NOD32 Antivirus System --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
OTClient60 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D188794-D8DF-4393-B2AD-072D883E9864}\setup.exe" -l0x9 -removeonly
Print Server Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Print Server\PTP\Uninst.isu"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
VBA --> MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type30455 / Warning
Event Submitted/Written: 05/09/2008 00:29:20 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type30454 / Warning
Event Submitted/Written: 05/09/2008 00:29:20 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type30451 / Warning
Event Submitted/Written: 05/09/2008 00:22:30 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type30450 / Warning
Event Submitted/Written: 05/09/2008 11:52:23 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{4192EAC0-6B36-4723-B216-D0E86E7757AC}', feature 'PaintShopPhotoAlbum' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

Event Record #/Type30449 / Warning
Event Submitted/Written: 05/09/2008 11:52:23 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{4192EAC0-6B36-4723-B216-D0E86E7757AC}', feature 'PaintShopPhotoAlbum', component '{5CC2D105-DDDD-4EC4-8B74-750194E57B99}' failed. The resource 'HKEY_CURRENT_USER\Software\InstallShield\UpdateService\' does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type50385 / Error
Event Submitted/Written: 05/12/2008 00:12:17 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type50384 / Error
Event Submitted/Written: 05/12/2008 00:12:15 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type50383 / Error
Event Submitted/Written: 05/12/2008 00:12:14 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type50382 / Error
Event Submitted/Written: 05/12/2008 00:12:12 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type50381 / Error
Event Submitted/Written: 05/12/2008 00:12:10 PM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.



-- End of Deckard's System Scanner: finished at 2008-05-12 12:15:49 ------------

BC AdBot (Login to Remove)

 


m

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:14 AM

Posted 13 May 2008 - 12:02 PM

Hello JDH27,

regrettably one of our PCs got hijacked.



Is this a work or corportate computer?



We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Eset Antivirus before running ComboFix, as it will prevent it from running.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 13 May 2008 - 12:04 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 JDH27

JDH27
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 14 May 2008 - 12:35 PM

This is the ComboFix log:

ComboFix 08-05-12.1 - JDH 2008-05-14 10:02:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.584 [GMT -7:00]
Running from: C:\Documents and Settings\JDH\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JDH\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Isabelle\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Isabelle\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Isabelle\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\trgts.gz
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\SYSTEM32\000060.exe
C:\WINDOWS\SYSTEM32\000070.exe
C:\WINDOWS\SYSTEM32\awntrfge.ini
C:\WINDOWS\SYSTEM32\BcLUBJlm.ini
C:\WINDOWS\SYSTEM32\BcLUBJlm.ini2
C:\WINDOWS\SYSTEM32\bLRYxGgh.ini
C:\WINDOWS\SYSTEM32\bLRYxGgh.ini2
C:\WINDOWS\system32\bxxpckxg.dll
C:\WINDOWS\SYSTEM32\dulxubgf.ini
C:\WINDOWS\system32\fgbuxlud.dll
C:\WINDOWS\SYSTEM32\gxkcpxxb.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ooanmoce.ini
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wl.exe
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 09:28 . 2008-05-14 09:28 98,992 --a------ C:\WINDOWS\SYSTEM32\jjhnnygj.dll
2008-05-14 09:28 . 2008-05-14 09:28 90,272 --a------ C:\WINDOWS\SYSTEM32\lhxdgqjv.dll
2008-05-14 09:27 . 2008-05-14 09:27 314,448 --a------ C:\WINDOWS\SYSTEM32\hgGxYRLb.dll
2008-05-14 09:11 . 2008-05-14 09:11 90,240 --a------ C:\WINDOWS\SYSTEM32\dnsogmyd.dll
2008-05-12 14:06 . 2008-05-12 14:06 98,960 --a------ C:\WINDOWS\SYSTEM32\awpggkfu.dll
2008-05-12 14:03 . 2008-05-12 14:03 90,240 --a------ C:\WINDOWS\SYSTEM32\ccsrjskx.dll
2008-05-12 12:10 . 2008-05-12 12:10 <DIR> d-------- C:\Deckard
2008-05-12 10:49 . 2008-05-12 12:12 <DIR> d-------- C:\HJT
2008-05-12 09:45 . 2008-05-12 09:45 98,960 --a------ C:\WINDOWS\SYSTEM32\bsjrrciw.dll
2008-05-12 09:40 . 2008-05-14 10:10 109,816 --a------ C:\WINDOWS\BM7b9da51c.xml
2008-05-12 09:40 . 2008-05-12 09:40 90,240 --a------ C:\WINDOWS\SYSTEM32\qnnrihqs.dll
2008-05-12 09:39 . 2008-05-12 09:39 314,480 --a------ C:\WINDOWS\SYSTEM32\mlJBULcB.dll
2008-05-11 11:38 . 2008-05-11 14:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-11 11:38 . 2008-05-11 11:38 25,728 --a------ C:\WINDOWS\SYSTEM32\iiffEtrO.dll
2008-05-11 11:38 . 2008-05-11 11:38 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-11 11:38 . 2008-05-11 11:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 12:38 . 2008-05-09 12:38 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Program Files\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-09 12:18 . 2008-05-09 12:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-09 12:02 . 2004-08-03 22:29 327,040 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2008-05-09 03:16 . 2008-05-09 03:16 <DIR> d--hs---- C:\found.000
2008-04-22 09:30 . 2008-04-22 09:30 <DIR> d--h----- C:\Documents and Settings\Isabelle\Application Data\GTek
2008-04-22 09:29 . 2005-04-05 19:53 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Sonic
2008-04-22 09:29 . 2005-04-05 19:45 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Jasc Software Inc
2008-04-22 09:29 . 2008-05-12 10:35 <DIR> d-------- C:\Documents and Settings\Isabelle
2008-04-22 09:29 . 2008-05-14 10:00 1,024 --ah----- C:\Documents and Settings\Isabelle\ntuser.dat.LOG
2008-04-15 09:08 . 2008-04-15 09:13 512,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amon.sys
2008-04-15 09:08 . 2008-04-15 09:13 298,104 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2008-04-15 09:08 . 2008-04-15 09:13 15,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nod32drv.sys
2008-04-15 09:07 . 2008-05-11 11:38 <DIR> d-------- C:\Program Files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 17:07 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-22 16:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-17 17:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-15 16:42 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\GTek
2008-04-15 15:50 --------- d-----w C:\Program Files\Google
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:41 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys
2008-04-13 18:39 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-13 18:39 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 18:39 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 18:39 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 18:39 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-13 18:38 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
2008-04-13 18:34 163,584 ----a-w C:\WINDOWS\system32\drivers\nwrdr.sys
2008-04-13 18:33 44,544 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-13 18:32 66,048 ----a-w C:\WINDOWS\system32\drivers\udfs.sys
2008-04-13 18:32 30,848 ----a-w C:\WINDOWS\system32\drivers\npfs.sys
2008-04-13 18:32 196,224 ----a-w C:\WINDOWS\system32\drivers\rdpdr.sys
2008-04-13 18:32 19,072 ----a-w C:\WINDOWS\system32\drivers\msfs.sys
2008-04-13 18:32 180,608 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{074913EA-DC9B-4CAD-BAF1-1F9511EF9C92}]
2008-05-14 09:27 314448 --a------ C:\WINDOWS\system32\hgGxYRLb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38364194-DB8D-4DB9-93DC-301CB9313235}]
2008-05-12 09:39 314480 --a------ C:\WINDOWS\system32\mlJBULcB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-11 11:38 25728 --a------ C:\WINDOWS\system32\iiffEtrO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cc9066df-a333-4c8e-acbb-9d7ee445fb72}]
2008-05-14 09:28 98992 --a------ C:\WINDOWS\system32\jjhnnygj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 17:12 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 10:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 06:50 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-05 19:49 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-05 19:49 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-15 09:13 949376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"BM7b9da51c"="C:\WINDOWS\system32\lhxdgqjv.dll" [2008-05-14 09:28 90272]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 00:52:00 217195]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\iiffEtrO.dll [2008-05-11 11:38 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Zapicsap"= {561AE6A8-45EA-4516-B3ED-C00F73F6D327} - C:\WINDOWS\system32\tcpogvip.dll [2006-07-05 03:55 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffEtrO]
iiffEtrO.dll 2008-05-11 11:38 25728 C:\WINDOWS\SYSTEM32\iiffEtrO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S4 WUSB54GSSVC;WUSB54GSSVC;"C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2005-04-19 22:45:58 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 10:09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iiffEtrO.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\lhxdgqjv.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-14 10:13:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 17:12:56

Pre-Run: 139,130,724,352 bytes free
Post-Run: 139,447,468,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

327 --- E O F --- 2008-04-10 00:35:09

#4 JDH27

JDH27
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 14 May 2008 - 12:39 PM

This is the ComboFix log:

ComboFix 08-05-12.1 - JDH 2008-05-14 10:02:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.584 [GMT -7:00]
Running from: C:\Documents and Settings\JDH\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JDH\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Isabelle\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Isabelle\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Isabelle\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\trgts.gz
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\SYSTEM32\000060.exe
C:\WINDOWS\SYSTEM32\000070.exe
C:\WINDOWS\SYSTEM32\awntrfge.ini
C:\WINDOWS\SYSTEM32\BcLUBJlm.ini
C:\WINDOWS\SYSTEM32\BcLUBJlm.ini2
C:\WINDOWS\SYSTEM32\bLRYxGgh.ini
C:\WINDOWS\SYSTEM32\bLRYxGgh.ini2
C:\WINDOWS\system32\bxxpckxg.dll
C:\WINDOWS\SYSTEM32\dulxubgf.ini
C:\WINDOWS\system32\fgbuxlud.dll
C:\WINDOWS\SYSTEM32\gxkcpxxb.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ooanmoce.ini
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wl.exe
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.89
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 09:28 . 2008-05-14 09:28 98,992 --a------ C:\WINDOWS\SYSTEM32\jjhnnygj.dll
2008-05-14 09:28 . 2008-05-14 09:28 90,272 --a------ C:\WINDOWS\SYSTEM32\lhxdgqjv.dll
2008-05-14 09:27 . 2008-05-14 09:27 314,448 --a------ C:\WINDOWS\SYSTEM32\hgGxYRLb.dll
2008-05-14 09:11 . 2008-05-14 09:11 90,240 --a------ C:\WINDOWS\SYSTEM32\dnsogmyd.dll
2008-05-12 14:06 . 2008-05-12 14:06 98,960 --a------ C:\WINDOWS\SYSTEM32\awpggkfu.dll
2008-05-12 14:03 . 2008-05-12 14:03 90,240 --a------ C:\WINDOWS\SYSTEM32\ccsrjskx.dll
2008-05-12 12:10 . 2008-05-12 12:10 <DIR> d-------- C:\Deckard
2008-05-12 10:49 . 2008-05-12 12:12 <DIR> d-------- C:\HJT
2008-05-12 09:45 . 2008-05-12 09:45 98,960 --a------ C:\WINDOWS\SYSTEM32\bsjrrciw.dll
2008-05-12 09:40 . 2008-05-14 10:10 109,816 --a------ C:\WINDOWS\BM7b9da51c.xml
2008-05-12 09:40 . 2008-05-12 09:40 90,240 --a------ C:\WINDOWS\SYSTEM32\qnnrihqs.dll
2008-05-12 09:39 . 2008-05-12 09:39 314,480 --a------ C:\WINDOWS\SYSTEM32\mlJBULcB.dll
2008-05-11 11:38 . 2008-05-11 14:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-11 11:38 . 2008-05-11 11:38 25,728 --a------ C:\WINDOWS\SYSTEM32\iiffEtrO.dll
2008-05-11 11:38 . 2008-05-11 11:38 25,600 --a------ C:\WINDOWS\b2new.exe
2008-05-11 11:38 . 2008-05-11 11:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 12:38 . 2008-05-09 12:38 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Program Files\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-09 12:18 . 2008-05-09 12:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-09 12:02 . 2004-08-03 22:29 327,040 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2008-05-09 03:16 . 2008-05-09 03:16 <DIR> d--hs---- C:\found.000
2008-04-22 09:30 . 2008-04-22 09:30 <DIR> d--h----- C:\Documents and Settings\Isabelle\Application Data\GTek
2008-04-22 09:29 . 2005-04-05 19:53 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Sonic
2008-04-22 09:29 . 2005-04-05 19:45 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Jasc Software Inc
2008-04-22 09:29 . 2008-05-12 10:35 <DIR> d-------- C:\Documents and Settings\Isabelle
2008-04-22 09:29 . 2008-05-14 10:00 1,024 --ah----- C:\Documents and Settings\Isabelle\ntuser.dat.LOG
2008-04-15 09:08 . 2008-04-15 09:13 512,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amon.sys
2008-04-15 09:08 . 2008-04-15 09:13 298,104 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2008-04-15 09:08 . 2008-04-15 09:13 15,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nod32drv.sys
2008-04-15 09:07 . 2008-05-11 11:38 <DIR> d-------- C:\Program Files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 17:07 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-22 16:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-17 17:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-15 16:42 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\GTek
2008-04-15 15:50 --------- d-----w C:\Program Files\Google
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:41 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys
2008-04-13 18:39 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-13 18:39 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 18:39 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 18:39 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 18:39 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-13 18:38 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
2008-04-13 18:34 163,584 ----a-w C:\WINDOWS\system32\drivers\nwrdr.sys
2008-04-13 18:33 44,544 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-13 18:32 66,048 ----a-w C:\WINDOWS\system32\drivers\udfs.sys
2008-04-13 18:32 30,848 ----a-w C:\WINDOWS\system32\drivers\npfs.sys
2008-04-13 18:32 196,224 ----a-w C:\WINDOWS\system32\drivers\rdpdr.sys
2008-04-13 18:32 19,072 ----a-w C:\WINDOWS\system32\drivers\msfs.sys
2008-04-13 18:32 180,608 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{074913EA-DC9B-4CAD-BAF1-1F9511EF9C92}]
2008-05-14 09:27 314448 --a------ C:\WINDOWS\system32\hgGxYRLb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38364194-DB8D-4DB9-93DC-301CB9313235}]
2008-05-12 09:39 314480 --a------ C:\WINDOWS\system32\mlJBULcB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
2008-05-11 11:38 25728 --a------ C:\WINDOWS\system32\iiffEtrO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cc9066df-a333-4c8e-acbb-9d7ee445fb72}]
2008-05-14 09:28 98992 --a------ C:\WINDOWS\system32\jjhnnygj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 17:12 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 10:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 06:50 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-05 19:49 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-05 19:49 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-15 09:13 949376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"BM7b9da51c"="C:\WINDOWS\system32\lhxdgqjv.dll" [2008-05-14 09:28 90272]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 00:52:00 217195]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"= C:\WINDOWS\system32\iiffEtrO.dll [2008-05-11 11:38 25728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Zapicsap"= {561AE6A8-45EA-4516-B3ED-C00F73F6D327} - C:\WINDOWS\system32\tcpogvip.dll [2006-07-05 03:55 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffEtrO]
iiffEtrO.dll 2008-05-11 11:38 25728 C:\WINDOWS\SYSTEM32\iiffEtrO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S4 WUSB54GSSVC;WUSB54GSSVC;"C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2005-04-19 22:45:58 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 10:09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iiffEtrO.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\lhxdgqjv.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-14 10:13:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 17:12:56

Pre-Run: 139,130,724,352 bytes free
Post-Run: 139,447,468,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

327 --- E O F --- 2008-04-10 00:35:09

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:14 AM

Posted 14 May 2008 - 03:08 PM

Hi JDH27,

You have quite a mess on this computer. :thumbsup:


You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\BM7b9da51c.xml

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.


****************************


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

File:: 
C:\WINDOWS\SYSTEM32\jjhnnygj.dll
C:\WINDOWS\SYSTEM32\lhxdgqjv.dll
C:\WINDOWS\SYSTEM32\hgGxYRLb.dll
C:\WINDOWS\SYSTEM32\dnsogmyd.dll
C:\WINDOWS\SYSTEM32\awpggkfu.dll
C:\WINDOWS\SYSTEM32\ccsrjskx.dll
C:\WINDOWS\SYSTEM32\bsjrrciw.dll
C:\WINDOWS\SYSTEM32\qnnrihqs.dll
C:\WINDOWS\SYSTEM32\mlJBULcB.dll
C:\WINDOWS\SYSTEM32\iiffEtrO.dll
C:\WINDOWS\b2new.exe
C:\WINDOWS\system32\tcpogvip.dll 

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{074913EA-DC9B-4CAD-BAF1-1F9511EF9C92}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38364194-DB8D-4DB9-93DC-301CB9313235}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cc9066df-a333-4c8e-acbb-9d7ee445fb72}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM7b9da51c"=-	
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8}"=-  
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Zapicsap"=-  
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiffEtrO]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt, a new HijackThis log and the Virus Total scan results.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 JDH27

JDH27
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 14 May 2008 - 04:24 PM

Process is getting smoother. Requested logs are as follows in this order ComboFix / HijackThis / VirusTotal.

ComboFix 08-05-12.1 - JDH 2008-05-14 14:02:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.678 [GMT -7:00]
Running from: C:\Documents and Settings\JDH\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JDH\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\b2new.exe
C:\WINDOWS\SYSTEM32\awpggkfu.dll
C:\WINDOWS\SYSTEM32\bsjrrciw.dll
C:\WINDOWS\SYSTEM32\ccsrjskx.dll
C:\WINDOWS\SYSTEM32\dnsogmyd.dll
C:\WINDOWS\SYSTEM32\hgGxYRLb.dll
C:\WINDOWS\SYSTEM32\iiffEtrO.dll
C:\WINDOWS\SYSTEM32\jjhnnygj.dll
C:\WINDOWS\SYSTEM32\lhxdgqjv.dll
C:\WINDOWS\SYSTEM32\mlJBULcB.dll
C:\WINDOWS\SYSTEM32\qnnrihqs.dll
C:\WINDOWS\system32\tcpogvip.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b2new.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\amxcmhef.dll
C:\WINDOWS\SYSTEM32\awpggkfu.dll
C:\WINDOWS\SYSTEM32\BcLUBJlm.ini
C:\WINDOWS\SYSTEM32\BcLUBJlm.ini2
C:\WINDOWS\system32\bLRYxGgh.ini
C:\WINDOWS\SYSTEM32\bLRYxGgh.ini2
C:\WINDOWS\SYSTEM32\bsjrrciw.dll
C:\WINDOWS\SYSTEM32\ccsrjskx.dll
C:\WINDOWS\SYSTEM32\dnsogmyd.dll
C:\WINDOWS\SYSTEM32\fehmcxma.ini
C:\WINDOWS\SYSTEM32\hgGxYRLb.dll
C:\WINDOWS\SYSTEM32\iiffEtrO.dll
C:\WINDOWS\SYSTEM32\jjhnnygj.dll
C:\WINDOWS\SYSTEM32\lhxdgqjv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mlJBULcB.dll
C:\WINDOWS\SYSTEM32\qnnrihqs.dll
C:\WINDOWS\system32\tcpogvip.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 10:24 . 2008-05-14 10:24 98,992 --a------ C:\WINDOWS\SYSTEM32\qtckwxfn.dll
2008-05-14 10:21 . 2008-05-14 10:21 90,272 --a------ C:\WINDOWS\SYSTEM32\vhfrxwco.dll
2008-05-12 12:10 . 2008-05-12 12:10 <DIR> d-------- C:\Deckard
2008-05-12 10:49 . 2008-05-12 12:12 <DIR> d-------- C:\HJT
2008-05-12 09:40 . 2008-05-14 10:13 109,807 --a------ C:\WINDOWS\BM7b9da51c.xml
2008-05-11 11:38 . 2008-05-11 14:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-11 11:38 . 2008-05-11 11:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 12:38 . 2008-05-09 12:38 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Program Files\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-09 12:18 . 2008-05-09 12:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-09 12:02 . 2004-08-03 22:29 327,040 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2008-05-09 03:16 . 2008-05-09 03:16 <DIR> d--hs---- C:\found.000
2008-04-22 09:30 . 2008-04-22 09:30 <DIR> d--h----- C:\Documents and Settings\Isabelle\Application Data\GTek
2008-04-22 09:29 . 2005-04-05 19:53 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Sonic
2008-04-22 09:29 . 2005-04-05 19:45 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Jasc Software Inc
2008-04-22 09:29 . 2008-05-12 10:35 <DIR> d-------- C:\Documents and Settings\Isabelle
2008-04-22 09:29 . 2008-05-14 10:00 1,024 --ah----- C:\Documents and Settings\Isabelle\ntuser.dat.LOG
2008-04-15 09:08 . 2008-04-15 09:13 512,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amon.sys
2008-04-15 09:08 . 2008-04-15 09:13 298,104 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2008-04-15 09:08 . 2008-04-15 09:13 15,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nod32drv.sys
2008-04-15 09:07 . 2008-05-11 11:38 <DIR> d-------- C:\Program Files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 17:07 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-22 16:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-17 17:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-15 16:42 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\GTek
2008-04-15 15:50 --------- d-----w C:\Program Files\Google
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:41 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys
2008-04-13 18:39 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-13 18:39 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 18:39 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 18:39 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 18:39 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-14_10.12.26.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 17:08:48 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-14 21:09:26 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-04-14 00:11:56 20,398 ---ha-w C:\WINDOWS\SYSTEM32\expimusb\tcponups.dll
+ 2008-04-14 00:11:56 23,817 ---ha-w C:\WINDOWS\SYSTEM32\expimusb\tcponups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cfbd2489-d7b8-44fb-a1e7-71232f665b3e}]
2008-05-14 10:24 98992 --a------ C:\WINDOWS\system32\qtckwxfn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 17:12 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 10:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 06:50 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-05 19:49 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-05 19:49 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-15 09:13 949376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 00:52:00 217195]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S4 WUSB54GSSVC;WUSB54GSSVC;"C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2005-04-19 22:45:58 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 14:09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-14 14:12:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 21:12:15
ComboFix2.txt 2008-05-14 17:13:07

Pre-Run: 139,490,316,288 bytes free
Post-Run: 139,479,175,168 bytes free

250 --- E O F --- 2008-04-10 00:35:09


HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:48 PM, on 5/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/combofix/how-to-use-combofix
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {e3b566f2-3217-7e1a-bf44-8b7d9842dbfc} - {cfbd2489-d7b8-44fb-a1e7-71232f665b3e} - C:\WINDOWS\system32\qtckwxfn.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 6175 bytes

VIRUSTOTAL LOG:
Antivirus Version Last Update Result
AhnLab-V3 2008.5.15.0 2008.05.14 -
AntiVir 7.8.0.17 2008.05.14 -
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1195.0 2008.05.14 -
AVG 7.5.0.516 2008.05.14 -
BitDefender 7.2 2008.05.14 -
CAT-QuickHeal 9.50 2008.05.14 -
ClamAV 0.92.1 2008.05.14 -
DrWeb 4.44.0.09170 2008.05.14 -
eSafe 7.0.15.0 2008.05.14 -
eTrust-Vet 31.4.5788 2008.05.14 -
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.14 -
F-Secure 6.70.13260.0 2008.05.14 -
Fortinet 3.14.0.0 2008.05.14 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.14 -
Kaspersky 7.0.0.125 2008.05.14 -
McAfee 5295 2008.05.14 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3100 2008.05.14 -
Norman 5.80.02 2008.05.14 -
Panda 9.0.0.4 2008.05.14 -
Prevx1 V2 2008.05.14 -
Rising 20.44.22.00 2008.05.14 -
Sophos 4.29.0 2008.05.14 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.14 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.14 -
VirusBuster 4.3.26:9 2008.05.14 -
Webwasher-Gateway 6.6.2 2008.05.14 -
Additional information
File size: 109807 bytes
MD5...: 2de989818ee457153d3302364084f7ee
SHA1..: 1cb9cb9b8f8800167ee5e3f400bd0da4b92974e5
SHA256: f96408495eeb3658f29bcf91ed443dd4bd6c10e575e9d3ddc74a35d7a6097ecd
SHA512: a5f98306c62482b8dc57d8be57594b9bf39483de3e44df51b59b160427b4d35d
bca76b13070fea73e566e3483917fde8f66804e564780e0428656490c0b34fdb
PEiD..: -
PEInfo: -

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:14 AM

Posted 14 May 2008 - 04:50 PM

Hi JDH27,


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

File:: 
C:\WINDOWS\SYSTEM32\qtckwxfn.dll
C:\WINDOWS\SYSTEM32\vhfrxwco.dll

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cfbd2489-d7b8-44fb-a1e7-71232f665b3e}]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt, a new HijackThis log and the Virus Total scan results.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 JDH27

JDH27
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 14 May 2008 - 05:41 PM

ComboFix / HJT logs are as follows.
You also asked for the Virus Total Scan. I am presuming you want another copy of the previous scan so I have attached the old one.

Another error that is persistent, appearing at log-in reads:

16 bit MSDOS Subsystem
C:\Program Files\Common Files\Install Shield\Update Service\agent.exe
C:\Program~1\Symantec\S32EVNT1.Dll. An installable Virtual Device Driver failed Dll initialization. Choose 'Close' to terminate the application.

There are then choices to Close or Ignore. I switched from Symantec to ESET in the last month, and apparently some of the Symantec files remained. Further, this error began to show after installing Service Pack 3 last week.

COMBOFIX LOG:

ComboFix 08-05-12.1 - JDH 2008-05-14 15:18:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.717 [GMT -7:00]
Running from: C:\Documents and Settings\JDH\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JDH\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\SYSTEM32\qtckwxfn.dll
C:\WINDOWS\SYSTEM32\vhfrxwco.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\qtckwxfn.dll
C:\WINDOWS\SYSTEM32\vhfrxwco.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-12 12:10 . 2008-05-12 12:10 <DIR> d-------- C:\Deckard
2008-05-12 10:49 . 2008-05-14 14:18 <DIR> d-------- C:\HJT
2008-05-12 09:40 . 2008-05-14 10:13 109,807 --a------ C:\WINDOWS\BM7b9da51c.xml
2008-05-11 11:38 . 2008-05-11 14:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-11 11:38 . 2008-05-11 11:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 12:38 . 2008-05-09 12:38 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Program Files\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-05-09 12:34 . 2008-05-09 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-05-09 12:21 . 2008-05-09 12:21 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-09 12:18 . 2008-05-09 12:18 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-09 12:02 . 2004-08-03 22:29 327,040 --------- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtaa.sys
2008-05-09 03:16 . 2008-05-09 03:16 <DIR> d--hs---- C:\found.000
2008-04-22 09:30 . 2008-04-22 09:30 <DIR> d--h----- C:\Documents and Settings\Isabelle\Application Data\GTek
2008-04-22 09:29 . 2005-04-05 19:53 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Sonic
2008-04-22 09:29 . 2005-04-05 19:45 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\Jasc Software Inc
2008-04-22 09:29 . 2008-05-12 10:35 <DIR> d-------- C:\Documents and Settings\Isabelle
2008-04-22 09:29 . 2008-05-14 10:00 1,024 --ah----- C:\Documents and Settings\Isabelle\ntuser.dat.LOG
2008-04-15 09:08 . 2008-04-15 09:13 512,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amon.sys
2008-04-15 09:08 . 2008-04-15 09:13 298,104 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2008-04-15 09:08 . 2008-04-15 09:13 15,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nod32drv.sys
2008-04-15 09:07 . 2008-05-11 11:38 <DIR> d-------- C:\Program Files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 17:07 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-22 16:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 16:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-17 17:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-15 16:42 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\GTek
2008-04-15 15:50 --------- d-----w C:\Program Files\Google
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 8,576 ----a-w C:\WINDOWS\system32\drivers\i2omgmt.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:41 18,560 ----a-w C:\WINDOWS\system32\drivers\i2omp.sys
2008-04-13 18:39 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-13 18:39 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 18:39 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 18:39 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 18:39 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-14_10.12.26.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 17:08:48 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-05-14 22:21:51 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-04-14 00:11:56 20,398 ---ha-w C:\WINDOWS\SYSTEM32\expimusb\tcponups.dll
+ 2008-04-14 00:11:56 23,817 ---ha-w C:\WINDOWS\SYSTEM32\expimusb\tcponups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 17:12 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 10:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 06:50 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-04-05 19:49 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-05 19:49 98304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-15 09:13 949376]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 00:52:00 217195]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
S4 WUSB54GSSVC;WUSB54GSSVC;"C:\Program Files\Wireless-G USB Network Adapter\WLService.exe" "WUSB54G.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2005-04-19 22:45:58 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\OOBEBALN.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 15:22:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-14 15:24:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 22:24:41
ComboFix2.txt 2008-05-14 21:12:21
ComboFix3.txt 2008-05-14 17:13:07

Pre-Run: 139,461,640,192 bytes free
Post-Run: 139,449,892,864 bytes free

222 --- E O F --- 2008-04-10 00:35:09


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:44 PM, on 5/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/combofix/how-to-use-combofix
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 6082 bytes


VIRUS TOTAL LOG (from previous scan)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.15.0 2008.05.14 -
AntiVir 7.8.0.17 2008.05.14 -
Authentium 5.1.0.4 2008.05.14 -
Avast 4.8.1195.0 2008.05.14 -
AVG 7.5.0.516 2008.05.14 -
BitDefender 7.2 2008.05.14 -
CAT-QuickHeal 9.50 2008.05.14 -
ClamAV 0.92.1 2008.05.14 -
DrWeb 4.44.0.09170 2008.05.14 -
eSafe 7.0.15.0 2008.05.14 -
eTrust-Vet 31.4.5788 2008.05.14 -
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.14 -
F-Secure 6.70.13260.0 2008.05.14 -
Fortinet 3.14.0.0 2008.05.14 -
GData 2.0.7306.1023 2008.05.14 -
Ikarus T3.1.1.26.0 2008.05.14 -
Kaspersky 7.0.0.125 2008.05.14 -
McAfee 5295 2008.05.14 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3100 2008.05.14 -
Norman 5.80.02 2008.05.14 -
Panda 9.0.0.4 2008.05.14 -
Prevx1 V2 2008.05.14 -
Rising 20.44.22.00 2008.05.14 -
Sophos 4.29.0 2008.05.14 -
Sunbelt 3.0.1114.0 2008.05.12 -
Symantec 10 2008.05.14 -
TheHacker 6.2.92.309 2008.05.13 -
VBA32 3.12.6.6 2008.05.14 -
VirusBuster 4.3.26:9 2008.05.14 -
Webwasher-Gateway 6.6.2 2008.05.14 -
Additional information
File size: 109807 bytes
MD5...: 2de989818ee457153d3302364084f7ee
SHA1..: 1cb9cb9b8f8800167ee5e3f400bd0da4b92974e5
SHA256: f96408495eeb3658f29bcf91ed443dd4bd6c10e575e9d3ddc74a35d7a6097ecd
SHA512: a5f98306c62482b8dc57d8be57594b9bf39483de3e44df51b59b160427b4d35d
bca76b13070fea73e566e3483917fde8f66804e564780e0428656490c0b34fdb
PEiD..: -
PEInfo: -

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:14 AM

Posted 14 May 2008 - 06:40 PM

Hi JDH27,

Another error that is persistent, appearing at log-in reads:

16 bit MSDOS Subsystem
C:\Program Files\Common Files\Install Shield\Update Service\agent.exe
C:\Program~1\Symantec\S32EVNT1.Dll. An installable Virtual Device Driver failed Dll initialization. Choose 'Close' to terminate the application.


I think that the ComboFix causing that message. It is preventing Symantec from running and the system is telling you about it.

There are then choices to Close or Ignore. I switched from Symantec to ESET in the last month, and apparently some of the Symantec files remained. Further, this error began to show after installing Service Pack 3 last week.


We will remove all traces of Symantec. :thumbsup:
Here's a link to Norton's own removal tool, which they developed in response to complaints that the program did not uninstall completely.
It contains instructions and a download link: http://service1.symantec.com/SUPPORT/tsgen...005033108162039

Note that you only need to perform steps one and two, since you have no interest in reinstalling the program.

After you run the tool, please confirm that the quarantine files are gone by navigating to C:\Program Files\ and checking to see if the folder Norton AntiVirus exists there. If it does, delete it. Let me know what you find and whether you manage to get rid of it.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of  Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
*******************************************


Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 14 May 2008 - 06:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 JDH27

JDH27
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 15 May 2008 - 01:46 PM

SifuMike,

Wow. What an incredible process to outrun the jackals. Thanks for your help with this. We were dead in the water without your guidance. Latest HJT log is as follows. The computer seems to be running fine, and is faster as well.

JDH27

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:46 AM, on 5/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 5638 bytes

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:14 AM

Posted 15 May 2008 - 01:59 PM

Hi JDH27,

Thank you for the kind words. :)


Your log looks clean! :thumbsup: Good job on the cleanup!


Uninstall ComboFix, go to to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox
VundoFix Backups, Avenger, Deckard, _OTMoveIt), reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:14 AM

Posted 20 May 2008 - 09:13 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users