Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Doubleclick Virus Popups


  • This topic is locked This topic is locked
16 replies to this topic

#1 Perrin76

Perrin76

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 17 May 2008 - 02:13 AM

Hello,
I'm new to this, and could really use some help. I've tried everything i can think of ( :thumbsup: which isn't much :) ) to get rid of these pop-ups. I only have the basic spy-ware S&D, AD-Ware, and Virus Scan on demand programs. Any recommendations on better protection would be very much apprechated. So thanks in advance for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:21 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\STUDENT\Desktop\hijackthis\dss.exe
C:\DOCUME~1\STUDENT\Desktop\HIJACK~1\STUDENT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...TB&M=M465-E
O2 - BHO: (no name) - {01E3F152-DD57-4D22-8C27-5937C726C913} - C:\WINDOWS\system32\jkkJyYqr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {937f1f97-fdb2-9789-48d4-c66c81008a6b} - {b6a80018-c66c-4d84-9879-2bdf79f1f739} - C:\WINDOWS\system32\uahklaqt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [309745b5] rundll32.exe "C:\WINDOWS\system32\wolhkprh.dll",b
O4 - HKLM\..\Run: [BM33a47629] Rundll32.exe "C:\WINDOWS\system32\qctfljog.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154010406437
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191649991437
O20 - Winlogon Notify: iifcCuSL - iifcCuSL.dll (file missing)
O20 - Winlogon Notify: vtuvurq - vtuvurq.dll (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8833 bytes

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2400 @ 1.83GHz
CPU 1: Genuine Intel® CPU T2400 @ 1.83GHz
Percentage of Memory in Use: 55%
Physical Memory (total/avail): 501.98 MiB / 224.6 MiB
Pagefile Memory (total/avail): 1225.07 MiB / 727.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935 MiB

C: is Fixed (NTFS) - 55.88 GiB total, 18.07 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2060BH - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"="C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"="C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat:*:Enabled:game"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\STUDENT\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MOUNT-BE966051A
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\STUDENT
LOGONSERVER=\\MOUNT-BE966051A
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\STUDENT\LOCALS~1\Temp
TMP=C:\DOCUME~1\STUDENT\LOCALS~1\Temp
USERDOMAIN=MOUNT-BE966051A
USERNAME=STUDENT
USERPROFILE=C:\Documents and Settings\STUDENT
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

STUDENT (admin)
Nicole


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Azureus 3.0 --> C:\Program Files\Azureus\uninstall.exe
CD Audio Reader Filter (remove only) --> "C:\Program Files\CD Audio Reader Filter\uninstall.exe"
DirectVobSub (remove only) --> "C:\Program Files\DirectVobSub\uninstall.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DS-MP3 Source 1.30 --> "C:\Program Files\DS-MP3 Source\Uninstall.exe"
DScaler 5 Mpeg Decoders --> "C:\Program Files\DScaler5\unins000.exe"
ffdshow [rev 1058+] [2007-03-22] --> "C:\Program Files\ffdshow\unins000.exe"
Guild Wars --> "C:\Program Files\Guild Wars\Gw.exe" -uninstall
Haali Media Splitter --> "C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\STUDENT\Desktop\hijackthis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
iTunes --> MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
MetaFrame Presentation Server Web Client for Win32 --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Motorola SM56 Data Fax Modem --> rundll32.exe sm56co.dll,SM56UnInstaller
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\STUDENT\Application Data\Move Networks\ie_bin\Uninst.exe
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\STUDENT\Application Data\Move Networks\ie_bin\unins000.exe"
Mozilla Firefox (1.5) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (en-US)"
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Novell iPrint Client v04.16.00 --> C:\WINDOWS\system32\iprint\setupipp.exe /uninstall
OpenSource Flash Video Splitter (remove only) --> "C:\Program Files\OpenSource Flash Video Splitter\uninstall.exe"
Progeny's Timeline Maker 2.1 Demo --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Timeline Maker 2.1 Demo\Uninst.isu"
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
RealMedia (remove only) --> "C:\Program Files\RealMedia\uninstall.exe"
Rightonadz Browser Optimizer --> C:\WINDOWS\system32\gzmrot-uninst.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) -->
SHOUTcast Source (remove only) --> "C:\Program Files\SHOUTcast Source\uninstall.exe"
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B6CF9EB-CB2B-4A1A-81A9-BE1A9044690A} /l1033
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\setup.exe -runfromtemp -l0x0409
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinPhlash --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Phoenix Technologies Ltd\WinPhlash\Uninst.isu"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Xfire (remove only) --> "C:\Program Files\Xfire\uninst.exe"
Zoom Player (remove only) --> "C:\Program Files\Zoom Player\uninstall.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6062 / Warning
Event Submitted/Written: 05/17/2008 02:50:44 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from MOUNT-BE966051A IP 127.0.0.1 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type6061 / Warning
Event Submitted/Written: 05/17/2008 02:50:44 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from MOUNT-BE966051A IP 127.0.0.1 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type6060 / Warning
Event Submitted/Written: 05/17/2008 02:50:44 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from MOUNT-BE966051A IP 127.0.0.1 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type6057 / Error
Event Submitted/Written: 05/16/2008 11:41:50 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The update failed; see event log.(from MOUNT-BE966051A IP 127.0.0.1 user SYSTEM running VirusScan Ent. 8.0.0 UPD)

Event Record #/Type6050 / Warning
Event Submitted/Written: 05/16/2008 01:34:12 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type767 / Warning
Event Submitted/Written: 05/17/2008 00:46:24 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%MOUNT-BE966051A27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MOUNT-BE966051A27 can't undo changes that you allow.

For more information please see the following:
%MOUNT-BE966051A275

Scan ID: {166AD397-2250-487D-81E1-73F246A23978}

User: MOUNT-BE966051A\STUDENT

Name: %MOUNT-BE966051A271

ID: %MOUNT-BE966051A272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MOUNT-BE966051A276

Alert Type: %MOUNT-BE966051A278

Detection Type: 1.1.1593.02

Event Record #/Type760 / Error
Event Submitted/Written: 05/16/2008 11:39:39 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type759 / Error
Event Submitted/Written: 05/16/2008 11:39:01 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type757 / Warning
Event Submitted/Written: 05/16/2008 11:38:52 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MOUNT-BE966051A27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MOUNT-BE966051A27 can't undo changes that you allow.

For more information please see the following:
%MOUNT-BE966051A275

Scan ID: {C759162B-7407-4152-BB6B-1A12F3E4AC67}

User: MOUNT-BE966051A\STUDENT

Name: %MOUNT-BE966051A271

ID: %MOUNT-BE966051A272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MOUNT-BE966051A276

Alert Type: %MOUNT-BE966051A278

Detection Type: 1.1.1593.02

Event Record #/Type729 / Error
Event Submitted/Written: 05/16/2008 11:35:51 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-05-17 02:51:01 ------------



Saturday, May 17, 2008 2:35:29 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/05/2008
Kaspersky Anti-Virus database records: 780219


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 69403
Number of viruses found 2
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 01:12:27

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02022007-095333.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080516_Time-233643593_EnterceptExceptions.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080516_Time-233643593_EnterceptRules.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_MOUNT-BE966051A.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_MOUNT-BE966051A.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\STUDENT\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\STUDENT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\STUDENT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\STUDENT\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{7966BF4B-6B6B-4DAE-A790-31099BCEFB93} Object is locked skipped

C:\Documents and Settings\STUDENT\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\STUDENT\Local Settings\History\History.IE5\MSHist012008051720080518\index.dat Object is locked skipped

C:\Documents and Settings\STUDENT\Local Settings\Temp\~DF37DD.tmp Object is locked skipped

C:\Documents and Settings\STUDENT\Local Settings\Temp\~DFD9E5.tmp Object is locked skipped

C:\Documents and Settings\STUDENT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\STUDENT\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\STUDENT\ntuser.dat.LOG Object is locked skipped

C:\junk\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped

C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP458\A0495683.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP458\A0495683.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP458\A0495684.exe Infected: Trojan-Downloader.Win32.Homles.bn skipped

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP461\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.


I think that's all the scans that was asked for. Thanks again!!

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:45 PM

Posted 17 May 2008 - 07:24 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

You are running an older version of Java. This can be a security risk so let's get you the latest version.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Please post a new log from DSS.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Perrin76

Perrin76
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 18 May 2008 - 10:42 PM

Sam,
Thank you so much for your help. I deleted the old java files, rebooted, and installed the jre-6u6-windows-i586-p.exe. Here is the Dss reports.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:41 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\STUDENT\Desktop\hijackthis\dss.exe
C:\DOCUME~1\STUDENT\Desktop\HIJACK~1\STUDENT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...TB&M=M465-E
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {396498c9-7bca-b7ba-2844-4517761395cd} - {dc593167-7154-4482-ab7b-acb79c894693} - C:\WINDOWS\system32\toabbbeq.dll
O2 - BHO: (no name) - {DFD546EA-E0B0-493B-8B75-E0C9F70D17D7} - C:\WINDOWS\system32\jkkJyYqr.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [309745b5] rundll32.exe "C:\WINDOWS\system32\noxlupra.dll",b
O4 - HKLM\..\Run: [BM33a47629] Rundll32.exe "C:\WINDOWS\system32\oqifagfs.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154010406437
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191649991437
O20 - Winlogon Notify: iifcCuSL - iifcCuSL.dll (file missing)
O20 - Winlogon Notify: vtuvurq - vtuvurq.dll (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8631 bytes

Deckard's System Scanner v20071014.68
Run by STUDENT on 2008-05-18 23:37:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 502 MiB (512 MiB recommended).


-- HijackThis (run as STUDENT.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:41 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\STUDENT\Desktop\hijackthis\dss.exe
C:\DOCUME~1\STUDENT\Desktop\HIJACK~1\STUDENT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...TB&M=M465-E
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {396498c9-7bca-b7ba-2844-4517761395cd} - {dc593167-7154-4482-ab7b-acb79c894693} - C:\WINDOWS\system32\toabbbeq.dll
O2 - BHO: (no name) - {DFD546EA-E0B0-493B-8B75-E0C9F70D17D7} - C:\WINDOWS\system32\jkkJyYqr.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [309745b5] rundll32.exe "C:\WINDOWS\system32\noxlupra.dll",b
O4 - HKLM\..\Run: [BM33a47629] Rundll32.exe "C:\WINDOWS\system32\oqifagfs.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154010406437
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191649991437
O20 - Winlogon Notify: iifcCuSL - iifcCuSL.dll (file missing)
O20 - Winlogon Notify: vtuvurq - vtuvurq.dll (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8631 bytes

-- Files created between 2008-04-18 and 2008-05-18 -----------------------------

2008-05-18 23:32:44 0 d-------- C:\Program Files\Common Files\Java
2008-05-18 23:08:35 133696 --a------ C:\WINDOWS\system32\toabbbeq.dll
2008-05-18 23:08:33 2112 --a------ C:\WINDOWS\system32\twpdixci.exe
2008-05-18 23:05:33 116288 --a------ C:\WINDOWS\system32\noxlupra.dll
2008-05-18 23:02:33 126016 --a------ C:\WINDOWS\system32\oqifagfs.dll
2008-05-17 03:38:47 115776 --a------ C:\WINDOWS\system32\vsjoijqd.dll
2008-05-17 03:32:47 133696 --a------ C:\WINDOWS\system32\runvyvtp.dll
2008-05-17 03:30:22 2112 --a------ C:\WINDOWS\system32\putmseyc.exe
2008-05-17 03:29:47 125504 --a------ C:\WINDOWS\system32\upfvswed.dll
2008-05-17 00:46:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 00:46:17 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 03:35:00 2112 --a------ C:\WINDOWS\system32\bbvhlyug.exe
2008-05-16 03:31:56 133696 --a------ C:\WINDOWS\system32\uahklaqt.dll
2008-05-16 03:28:59 126528 -----n--- C:\WINDOWS\system32\qctfljog.dll
2008-05-15 02:11:01 2112 --a------ C:\WINDOWS\system32\ubgxmlvt.exe
2008-05-14 04:23:51 2112 --a------ C:\WINDOWS\system32\cdwfvvqb.exe
2008-05-14 04:20:49 1347980 --ahs---- C:\WINDOWS\system32\rqYyJkkj.ini2
2008-05-14 04:20:42 369664 --a------ C:\WINDOWS\system32\jkkJyYqr.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-18 23:33:42 0 d-------- C:\Program Files\Java
2008-05-18 23:32:44 0 d-------- C:\Program Files\Common Files
2008-05-15 23:38:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-14 03:30:55 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-14 03:28:41 0 d-------- C:\Program Files\DivX
2008-05-11 00:36:45 0 d---s---- C:\Program Files\Xfire
2008-05-09 01:40:56 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Xfire
2008-05-08 03:17:41 0 d-------- C:\Program Files\Zoom Player
2008-05-08 03:17:10 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Azureus
2008-05-08 03:01:29 0 d-------- C:\Program Files\Azureus
2008-04-16 23:07:36 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Adobe
2008-03-20 00:51:59 2552 --a------ C:\WINDOWS\unins000.dat
2008-03-20 00:51:25 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{dc593167-7154-4482-ab7b-acb79c894693}]
05/18/2008 11:08 PM 133696 --a------ C:\WINDOWS\system32\toabbbeq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFD546EA-E0B0-493B-8B75-E0C9F70D17D7}]
05/14/2008 04:20 AM 369664 --a------ C:\WINDOWS\system32\jkkJyYqr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 10:47 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 10:47 AM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/2004 08:00 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [02/07/2006 10:12 AM]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [02/07/2006 10:12 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/28/2005 05:55 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/28/2005 05:52 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/28/2005 05:55 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [08/02/2006 01:38 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [08/02/2006 01:32 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 04:30 PM]
"309745b5"="C:\WINDOWS\system32\noxlupra.dll" [05/18/2008 11:05 PM]
"BM33a47629"="C:\WINDOWS\system32\oqifagfs.dll" [05/18/2008 11:02 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [12/18/2007 09:47 PM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [04/01/2008 06:35 PM]
"@"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcCuSL]
iifcCuSL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvurq]
vtuvurq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkJyYqr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff49ac8b-10ec-11db-8f27-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-05-18 23:38:12 ------------

Again, thank you Sam!!

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:45 PM

Posted 19 May 2008 - 07:37 AM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: {396498c9-7bca-b7ba-2844-4517761395cd} - {dc593167-7154-4482-ab7b-acb79c894693} - C:\WINDOWS\system32\toabbbeq.dll
O2 - BHO: (no name) - {DFD546EA-E0B0-493B-8B75-E0C9F70D17D7} - C:\WINDOWS\system32\jkkJyYqr.dll
O4 - HKLM\..\Run: [309745b5] rundll32.exe "C:\WINDOWS\system32\noxlupra.dll",b
O4 - HKLM\..\Run: [BM33a47629] Rundll32.exe "C:\WINDOWS\system32\oqifagfs.dll",s
O20 - Winlogon Notify: iifcCuSL - iifcCuSL.dll (file missing)
O20 - Winlogon Notify: vtuvurq - vtuvurq.dll (file missing)



Reboot your computer.


Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Perrin76

Perrin76
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 19 May 2008 - 03:48 PM

I was able to get rid of the other lines, but the system32\toabbbeq.dll did not show up on the any of the scans i did, and the system32\jkkJyYqr.dll is not letting me delete it. It keeps saying that it is being used by another program. I've tried deleting it thru Dos mode and i still get the same reply

O2 - BHO: {396498c9-7bca-b7ba-2844-4517761395cd} - {dc593167-7154-4482-ab7b-acb79c894693} - C:\WINDOWS\system32\toabbbeq.dll
O2 - BHO: (no name) - {DFD546EA-E0B0-493B-8B75-E0C9F70D17D7} - C:\WINDOWS\system32\jkkJyYqr.dll

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:45 PM

Posted 19 May 2008 - 05:46 PM

Yeah, you won't be able to delete it. Please proceed with the next step I posted and run Combofix.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Perrin76

Perrin76
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 19 May 2008 - 10:50 PM

Hey Sam
Here is the most recent DSS, and the ComboFix.txt. Let me know how it looks. Can you recommend a better firewall, or virus scan to help stop this from happening again?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:53 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\STUDENT\Desktop\hijackthis\dss.exe
C:\DOCUME~1\STUDENT\Desktop\HIJACK~1\STUDENT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C72C675-34F6-4C4A-ABF6-6844708F651B} - C:\WINDOWS\system32\jkkJyYqr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154010406437
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191649991437
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8282 bytes

Deckard's System Scanner v20071014.68
Run by STUDENT on 2008-05-19 23:44:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 85% (more than 75%).
Total Physical Memory: 502 MiB (512 MiB recommended).


-- HijackThis (run as STUDENT.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:53 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\STUDENT\Desktop\hijackthis\dss.exe
C:\DOCUME~1\STUDENT\Desktop\HIJACK~1\STUDENT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C72C675-34F6-4C4A-ABF6-6844708F651B} - C:\WINDOWS\system32\jkkJyYqr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154010406437
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191649991437
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8282 bytes

-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-19 22:02:54 479 --ahs---- C:\WINDOWS\system32\rqYyJkkj.ini2
2008-05-19 13:23:40 68096 --a------ C:\WINDOWS\zip.exe
2008-05-19 13:23:40 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-19 13:23:40 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-19 13:23:40 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-19 13:23:40 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-19 13:23:40 98816 --a------ C:\WINDOWS\sed.exe
2008-05-19 13:23:40 80412 --a------ C:\WINDOWS\grep.exe
2008-05-19 13:23:40 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-18 23:32:44 0 d-------- C:\Program Files\Common Files\Java
2008-05-17 00:46:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 00:46:17 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-14 04:20:42 369664 --a------ C:\WINDOWS\system32\jkkJyYqr.dll


-- Find3M Report ---------------------------------------------------------------

2008-05-18 23:33:42 0 d-------- C:\Program Files\Java
2008-05-18 23:32:44 0 d-------- C:\Program Files\Common Files
2008-05-15 23:38:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-14 03:30:55 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-14 03:28:41 0 d-------- C:\Program Files\DivX
2008-05-11 00:36:45 0 d---s---- C:\Program Files\Xfire
2008-05-09 01:40:56 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Xfire
2008-05-08 03:17:41 0 d-------- C:\Program Files\Zoom Player
2008-05-08 03:17:10 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Azureus
2008-05-08 03:01:29 0 d-------- C:\Program Files\Azureus
2008-04-16 23:07:36 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Adobe
2008-03-20 00:51:59 2552 --a------ C:\WINDOWS\unins000.dat
2008-03-20 00:51:25 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C72C675-34F6-4C4A-ABF6-6844708F651B}]
05/14/2008 04:20 AM 369664 --a------ C:\WINDOWS\system32\jkkJyYqr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 10:47 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 10:47 AM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/2004 08:00 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [02/07/2006 10:12 AM]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [02/07/2006 10:12 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/28/2005 05:55 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/28/2005 05:52 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/28/2005 05:55 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [08/02/2006 01:38 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [08/02/2006 01:32 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 04:30 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [12/18/2007 09:47 PM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [04/01/2008 06:35 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkJyYqr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff49ac8b-10ec-11db-8f27-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-05-19 23:45:33 ------------

ComboFix 08-05-15.3 - STUDENT 2008-05-19 20:05:51.1 - NTFSx86
Running from: C:\Documents and Settings\STUDENT\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\arpulxon.ini
C:\WINDOWS\system32\bbvhlyug.exe
C:\WINDOWS\system32\cdwfvvqb.exe
C:\WINDOWS\system32\dqjiojsv.ini
C:\WINDOWS\system32\gxowexwc.ini
C:\WINDOWS\system32\gzmrot-uninst.exe
C:\WINDOWS\system32\hrpkhlow.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nibndlkl.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\putmseyc.exe
C:\WINDOWS\system32\rqYyJkkj.ini
C:\WINDOWS\system32\rqYyJkkj.ini2
C:\WINDOWS\system32\twpdixci.exe
C:\WINDOWS\system32\ubgxmlvt.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-18 23:33 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-18 23:32 . 2008-05-18 23:32 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-18 23:08 . 2008-05-18 23:08 133,696 --------- C:\WINDOWS\system32\toabbbeq.dll_old
2008-05-17 03:38 . 2008-05-17 03:38 115,776 --------- C:\WINDOWS\system32\vsjoijqd.dll_old
2008-05-17 03:32 . 2008-05-17 03:32 133,696 --------- C:\WINDOWS\system32\runvyvtp.dll_old
2008-05-17 03:29 . 2008-05-17 03:29 125,504 --------- C:\WINDOWS\system32\upfvswed.dll_old
2008-05-17 02:39 . 2008-05-17 02:39 <DIR> d-------- C:\Deckard
2008-05-17 00:46 . 2008-05-17 00:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 00:46 . 2008-05-17 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 03:31 . 2008-05-16 03:31 133,696 --------- C:\WINDOWS\system32\uahklaqt.dll_old
2008-05-14 04:22 . 2008-05-19 03:30 109,803 --a------ C:\WINDOWS\BM33a47629.xml
2008-05-14 04:20 . 2008-05-14 04:20 369,664 --a------ C:\WINDOWS\system32\jkkJyYqr.dll
2008-04-29 20:58 . 2008-04-29 20:58 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 03:33 --------- d-----w C:\Program Files\Java
2008-05-16 03:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 07:30 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-14 07:28 --------- d-----w C:\Program Files\DivX
2008-05-11 04:36 --------- d-s---w C:\Program Files\Xfire
2008-05-09 05:40 --------- d-----w C:\Documents and Settings\STUDENT\Application Data\Xfire
2008-05-08 07:17 --------- d-----w C:\Program Files\Zoom Player
2008-05-08 07:17 --------- d-----w C:\Documents and Settings\STUDENT\Application Data\Azureus
2008-05-08 07:01 --------- d-----w C:\Program Files\Azureus
2008-04-12 14:03 --------- d-----w C:\Documents and Settings\Nicole\Application Data\Apple Computer
2008-03-20 05:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 04:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-20 04:51 691,545 ----a-w C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C15C10C7-01A6-4D57-BA1A-88336CF4DD32}]
2008-05-14 04:20 369664 --a------ C:\WINDOWS\system32\jkkJyYqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 18:35 3587120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2006-02-07 10:12 40960]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2006-02-07 10:12 36864]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 17:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 17:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 17:55 118784]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 01:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 01:32 696320]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-02-13 04:23 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-01-20 01:34 544768 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1585:UDP"= 1585:UDP:Windows Media Format SDK (iexplore.exe)
"1584:UDP"= 1584:UDP:Windows Media Format SDK (iexplore.exe)

R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2006-02-07 10:14]
S3 ce2ps;Xircom CreditCard Ethernet Adapter IIps Driver;C:\WINDOWS\system32\DRIVERS\ce2n5.sys [2001-08-17 12:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff49ac8b-10ec-11db-8f27-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 00:18:00 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job"
- c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
- c:\PROGRA~1\mcafee.com\agent
"2008-05-20 00:18:00 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-5E2704140D-Administrator).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
"2008-05-20 00:14:50 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 20:12:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\SoftwareDistribution\Download\b0264899240408ce315fe572c84c0e59\update\update.exe
.
**************************************************************************
.
Completion time: 2008-05-19 20:19:58 - machine was rebooted [STUDENT]
ComboFix-quarantined-files.txt 2008-05-20 00:19:24

Pre-Run: 18,926,714,880 bytes free
Post-Run: 19,871,145,984 bytes free

171 --- E O F --- 2008-05-08 22:53:54


Thanks again

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:45 PM

Posted 20 May 2008 - 01:26 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\toabbbeq.dll_old
C:\WINDOWS\system32\vsjoijqd.dll_old
C:\WINDOWS\system32\runvyvtp.dll_old
C:\WINDOWS\system32\upfvswed.dll_old
C:\WINDOWS\system32\uahklaqt.dll_old
C:\WINDOWS\system32\jkkJyYqr.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C15C10C7-01A6-4D57-BA1A-88336CF4DD32}]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.




Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Perrin76

Perrin76
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 20 May 2008 - 09:04 PM

ComboFix 08-05-15.3 - STUDENT 2008-05-20 21:47:27.2 - NTFSx86
Running from: C:\Documents and Settings\STUDENT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\STUDENT\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\jkkJyYqr.dll
C:\WINDOWS\system32\runvyvtp.dll_old
C:\WINDOWS\system32\toabbbeq.dll_old
C:\WINDOWS\system32\uahklaqt.dll_old
C:\WINDOWS\system32\upfvswed.dll_old
C:\WINDOWS\system32\vsjoijqd.dll_old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\jkkJyYqr.dll
C:\WINDOWS\system32\oegvhwdd.ini
C:\WINDOWS\system32\rqYyJkkj.ini
C:\WINDOWS\system32\rqYyJkkj.ini2
C:\WINDOWS\system32\upfvswed.dll_old
C:\WINDOWS\system32\vsjoijqd.dll_old

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 00:47 . 2008-05-20 00:47 2,624 --a------ C:\WINDOWS\system32\quuxiaek.exe
2008-05-18 23:33 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-18 23:32 . 2008-05-18 23:32 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-17 02:39 . 2008-05-17 02:39 <DIR> d-------- C:\Deckard
2008-05-17 00:46 . 2008-05-17 00:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 00:46 . 2008-05-17 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 04:22 . 2008-05-20 00:44 109,803 --a------ C:\WINDOWS\BM33a47629.xml
2008-04-29 20:58 . 2008-04-29 20:58 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 03:33 --------- d-----w C:\Program Files\Java
2008-05-16 03:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 07:30 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-14 07:28 --------- d-----w C:\Program Files\DivX
2008-05-11 04:36 --------- d-s---w C:\Program Files\Xfire
2008-05-09 05:40 --------- d-----w C:\Documents and Settings\STUDENT\Application Data\Xfire
2008-05-08 07:17 --------- d-----w C:\Program Files\Zoom Player
2008-05-08 07:17 --------- d-----w C:\Documents and Settings\STUDENT\Application Data\Azureus
2008-05-08 07:01 --------- d-----w C:\Program Files\Azureus
2008-04-12 14:03 --------- d-----w C:\Documents and Settings\Nicole\Application Data\Apple Computer
2008-03-20 04:51 691,545 ----a-w C:\WINDOWS\unins000.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_20.18.50.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
- 2008-05-20 00:11:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 01:51:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 00:23:17 2,888 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{4B58E63C-60E4-4B19-B617-CED497BE3A9F}.bin
- 2004-08-04 19:00:00 561,179 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2004-08-04 12:00:00 512,029 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2004-08-04 12:00:00 319,517 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2004-08-04 12:00:00 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2004-08-04 12:00:00 358,976 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2004-08-04 12:00:00 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2004-08-04 12:00:00 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2004-08-04 12:00:00 241,693 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2004-08-04 12:00:00 213,023 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2004-08-04 12:00:00 421,919 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2004-08-04 12:00:00 258,077 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2004-08-04 12:00:00 831,519 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2004-08-04 12:00:00 614,429 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2004-08-04 12:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2004-08-04 12:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2004-08-04 12:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2004-08-04 12:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2004-08-04 12:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2004-08-04 12:00:00 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
+ 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
- 2004-08-04 12:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2004-08-04 12:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2004-08-04 12:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2004-08-04 12:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2004-08-04 12:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2004-08-04 12:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2004-08-04 12:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2004-08-04 12:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2004-08-04 12:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2004-08-04 12:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 18:35 3587120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 10:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 10:47 688218]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [2006-02-07 10:12 40960]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [2006-02-07 10:12 36864]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 17:55 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 17:52 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 17:55 118784]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 01:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 01:32 696320]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"BM33a47629"="C:\WINDOWS\system32\npqllmox.dll" [ ]
"309745b5"="C:\WINDOWS\system32\ddwhvgeo.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-02-13 04:23 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-01-20 01:34 544768 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1585:UDP"= 1585:UDP:Windows Media Format SDK (iexplore.exe)
"1584:UDP"= 1584:UDP:Windows Media Format SDK (iexplore.exe)

R1 nipplpt2;Novell iCapture Lpt Redirector 2;C:\WINDOWS\system32\drivers\nipplpt.sys [2006-02-07 10:14]
S3 ce2ps;Xircom CreditCard Ethernet Adapter IIps Driver;C:\WINDOWS\system32\DRIVERS\ce2n5.sys [2001-08-17 12:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff49ac8b-10ec-11db-8f27-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 01:58:00 C:\WINDOWS\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job"
- c:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- c:\PROGRA~1\mcafee.com\agent.SYSTEMPMcAfee SecurityCenter periodically checks for updates for your McAfee Services.
"2008-05-21 01:58:00 C:\WINDOWS\Tasks\McAfee.com Update Check (YOUR-5E2704140D-Administrator).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
"2008-05-21 01:55:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 21:53:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\TMP00000001628DFC4AC9D1121C

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-05-20 22:00:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 02:00:20
ComboFix2.txt 2008-05-20 00:20:01

Pre-Run: 19,876,995,072 bytes free
Post-Run: 19,603,595,264 bytes free

259 --- E O F --- 2008-05-20 00:22:25

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:45 PM

Posted 21 May 2008 - 09:59 AM

Please delete this file.

C:\WINDOWS\system32\quuxiaek.exe


Please post the log from Superantispyware once you've run it.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Perrin76

Perrin76
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 22 May 2008 - 06:01 PM

I've deleted the file that you asked for, but the superspyware program is freezing half way through the scan. Should i delete it and reinstall it?

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:45 PM

Posted 23 May 2008 - 09:32 AM

No, let's do this instead. Go ahead and uninstall Superantispyware completely.
Then do this...

Download and scan with the free 15 day trial of Counterspy
Save the report when it's finished:
  • Once Counterspy has done scanning,the 'Scan Results' box will appear.
  • Click on 'View Results'.
  • Under (Recommended Action),using the drop down menus at the side of each entry found,set EVERYTHING to Remove.
  • Then click on Take Action.
  • Once everything has been removed,click on View Details.
  • Copy and Paste those details into your next reply here.


How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Perrin76

Perrin76
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 31 May 2008 - 03:44 AM

Sorry for the long absence. I have uninstalled the Super-Spyware program, and installed CounterSpy as you asked. Here are the results:

Scan History Details
Start Date: 5/31/2008 1:50:55 AM
End Date: 5/31/2008 2:56:03 AM
Total Time: 65 Min 8 Sec
Detected security risks

KaZaA P2P Program more information...
Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-125418907-1473870041-1183785630-1008\SOFTWARE\KAZAA
HKEY_USERS\S-1-5-21-125418907-1473870041-1183785630-1008\SOFTWARE\KAZAA\LocalContent


Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-125418907-1473870041-1183785630-1008\SOFTWARE\WGET


Infostealer.Ldpinch Trojan more information...
Status: Deleted

Files detected
C:\WINDOWS\I386\IIS.IN_


Trojan-Downloader.Win32.Agent.aww Trojan Downloader more information...
Status: Deleted

Files detected
C:\WINDOWS\swxcacls.exe


Cookie: Tracking Cookies Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\nicole\cookies\nicole@2o7[2].txt
c:\documents and settings\nicole\cookies\nicole@ad.yieldmanager[2].txt
c:\documents and settings\nicole\cookies\nicole@adrevolver[1].txt
c:\documents and settings\nicole\cookies\nicole@adrevolver[2].txt
c:\documents and settings\nicole\cookies\nicole@ads.pointroll[1].txt
c:\documents and settings\nicole\cookies\nicole@adsremote.scripps[1].txt
c:\documents and settings\nicole\cookies\nicole@advertising[1].txt
c:\documents and settings\nicole\cookies\nicole@amazon[1].txt
c:\documents and settings\nicole\cookies\nicole@atdmt[2].txt
c:\documents and settings\nicole\cookies\nicole@bluestreak[2].txt
c:\documents and settings\nicole\cookies\nicole@cookie.monster[1].txt
c:\documents and settings\nicole\cookies\nicole@doubleclick[1].txt
c:\documents and settings\nicole\cookies\nicole@ehg-dig.hitbox[2].txt
c:\documents and settings\nicole\cookies\nicole@emjcd[2].txt
c:\documents and settings\nicole\cookies\nicole@go[1].txt
c:\documents and settings\nicole\cookies\nicole@hitbox[2].txt
c:\documents and settings\nicole\cookies\nicole@mediaplex[1].txt
c:\documents and settings\nicole\cookies\nicole@questionmarket[2].txt
c:\documents and settings\nicole\cookies\nicole@realmedia[1].txt
c:\documents and settings\nicole\cookies\nicole@tribalfusion[1].txt
c:\documents and settings\nicole\cookies\nicole@zedo[2].txt

The computer is running much better so far. I do have 2 error messages that appear right after I login and the system is booting up. They are RUNDLL ERROR messages. The first is Error Loading C:\Windows\system32\npqllmor.dll and the second is c:\Windows\system32\ddwhugeo.dll. Not sure what they are but the popups have stopped, and my battery life seems to be returning to normal.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:45 PM

Posted 31 May 2008 - 07:27 PM

We're just about done here. Please post a new log from DSS.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 Perrin76

Perrin76
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:45 PM

Posted 02 June 2008 - 11:00 PM

Here is the dss report, and I miss typed the DLL error. It reads C:\Windows\system32\npqllmox.dll.

Deckard's System Scanner v20071014.68
Run by STUDENT on 2008-06-02 23:53:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 95% (more than 75%).
Total Physical Memory: 502 MiB (512 MiB recommended).
System Drive C: has 6.3 GiB (less than 15%) free.


-- HijackThis (run as STUDENT.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:02 PM, on 6/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\STUDENT\Desktop\hijackthis\dss.exe
C:\DOCUME~1\STUDENT\Desktop\HIJACK~1\STUDENT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BM33a47629] Rundll32.exe "C:\WINDOWS\system32\npqllmox.dll",s
O4 - HKLM\..\Run: [309745b5] rundll32.exe "C:\WINDOWS\system32\ddwhvgeo.dll",b
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154010406437
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191649991437
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 9050 bytes

-- Files created between 2008-05-02 and 2008-06-02 -----------------------------

2008-06-02 00:50:48 0 d-------- C:\Program Files\ATI Technologies
2008-06-02 00:49:07 0 d-------- C:\cabs
2008-05-31 14:48:48 0 d-------- C:\Documents and Settings\Nicole\Application Data\Sunbelt Software
2008-05-31 01:50:55 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-05-31 01:50:55 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-05-31 01:43:47 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Sunbelt Software
2008-05-31 01:43:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-05-31 01:42:45 0 d-------- C:\Program Files\Sunbelt Software
2008-05-22 00:22:24 0 d-------- C:\WINDOWS\system32\scripting
2008-05-22 00:22:21 0 d-------- C:\WINDOWS\l2schemas
2008-05-22 00:22:20 0 d-------- C:\WINDOWS\system32\en
2008-05-22 00:22:19 0 d-------- C:\WINDOWS\system32\bits
2008-05-22 00:17:13 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-22 00:14:14 0 d-------- C:\WINDOWS\network diagnostic
2008-05-20 22:08:20 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-20 22:08:12 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-20 22:08:12 0 d-------- C:\Documents and Settings\STUDENT\Application Data\SUPERAntiSpyware.com
2008-05-19 13:23:40 68096 --a------ C:\WINDOWS\zip.exe
2008-05-19 13:23:40 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-19 13:23:40 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-19 13:23:40 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-19 13:23:40 98816 --a------ C:\WINDOWS\sed.exe
2008-05-19 13:23:40 80412 --a------ C:\WINDOWS\grep.exe
2008-05-19 13:23:40 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-18 23:32:44 0 d-------- C:\Program Files\Common Files\Java
2008-05-17 00:46:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 00:46:17 0 d-------- C:\WINDOWS\system32\Kaspersky Lab


-- Find3M Report ---------------------------------------------------------------

2008-06-02 03:13:43 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Xfire
2008-06-02 00:50:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-02 00:08:03 0 d---s---- C:\Program Files\Xfire
2008-06-01 03:31:47 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-01 03:28:07 0 d-------- C:\Documents and Settings\STUDENT\Application Data\AdobeUM
2008-05-31 01:37:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-22 00:23:08 0 d-------- C:\Program Files\Messenger
2008-05-22 00:22:19 0 d-------- C:\Program Files\Movie Maker
2008-05-22 00:16:45 0 d-------- C:\Program Files\Windows NT
2008-05-18 23:33:42 0 d-------- C:\Program Files\Java
2008-05-18 23:32:44 0 d-------- C:\Program Files\Common Files
2008-05-14 03:30:55 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-14 03:28:41 0 d-------- C:\Program Files\DivX
2008-05-08 03:17:41 0 d-------- C:\Program Files\Zoom Player
2008-05-08 03:17:10 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Azureus
2008-05-08 03:01:29 0 d-------- C:\Program Files\Azureus
2008-04-16 23:07:36 0 d-------- C:\Documents and Settings\STUDENT\Application Data\Adobe
2008-03-20 00:51:59 2552 --a------ C:\WINDOWS\unins000.dat
2008-03-20 00:51:25 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/05/2004 10:47 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/05/2004 10:47 AM]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [09/22/2004 08:00 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]
"iPrint Tray"="C:\WINDOWS\system32\iprntctl.exe" [02/07/2006 10:12 AM]
"iPrint Event Monitor"="C:\WINDOWS\system32\iprntlgn.exe" [02/07/2006 10:12 AM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [11/28/2005 05:55 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [11/28/2005 05:52 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [11/28/2005 05:55 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [08/02/2006 01:38 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [08/02/2006 01:32 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 11:46 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/2005 03:30 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/2005 04:30 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"BM33a47629"="C:\WINDOWS\system32\npqllmox.dll" []
"309745b5"="C:\WINDOWS\system32\ddwhvgeo.dll" []
"@"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [12/21/2007 03:30 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [12/18/2007 09:47 PM]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [04/01/2008 06:35 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff49ac8b-10ec-11db-8f27-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - SBAPIFS



-- End of Deckard's System Scanner: finished at 2008-06-02 23:58:15 ------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:02 PM, on 6/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\STUDENT\Desktop\hijackthis\dss.exe
C:\DOCUME~1\STUDENT\Desktop\HIJACK~1\STUDENT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BM33a47629] Rundll32.exe "C:\WINDOWS\system32\npqllmox.dll",s
O4 - HKLM\..\Run: [309745b5] rundll32.exe "C:\WINDOWS\system32\ddwhvgeo.dll",b
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154010406437
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191649991437
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 9050 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users