Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Systemdefender/virtumonde Infection


  • This topic is locked This topic is locked
14 replies to this topic

#1 cferreira

cferreira

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:27 PM

Posted 17 May 2008 - 08:59 PM

Deckard's System Scanner v20071014.68
Run by jebanks on 2008-05-17 20:44:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-05-18 01:45:22 UTC - RP327 - Deckard's System Scanner Restore Point
1: 2008-05-17 19:19:38 UTC - RP326 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as jebanks.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:01 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPNRA.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\temp\KRlyCLis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JEbanks\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jebanks.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CenterLock module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\CenterLock\CenterLock.dll
O2 - BHO: (no name) - {2E529F87-2B52-438C-9E7C-7D0A0DD910BA} - C:\WINDOWS\system32\wvUkJBrO.dll
O2 - BHO: (no name) - {354141F1-5C82-4395-B179-3AE6A12C33ED} - C:\WINDOWS\system32\tuvWpqPH.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B1BF38C7-4E65-4D8D-ABB0-EBE169098AFC} - C:\WINDOWS\system32\yATNeDwW.dll (file missing)
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw6e\TMIETB.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: pvnsmfor - {E738884B-E75D-4AC3-B03F-62F7E7DD853E} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA9534] command /c del "C:\WINDOWS\system32\tuvWpqPH.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9215] cmd /c del "C:\WINDOWS\system32\tuvWpqPH.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135268256531
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://terminal.enetsolutions.net/msrdp.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://terminal.esclawyers.com/tsweb/msrdp.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.enetsolutions.net/inc/kaxRemote.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pm.webex.com/client/v_mywebex-t20/s...ort/ieatgpc.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ESCLAWYERS.COM
O17 - HKLM\Software\..\Telephony: DomainName = ESCLAWYERS.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ESCLAWYERS.COM
O20 - Winlogon Notify: CLSID - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O20 - Winlogon Notify: wvUkJBrO - C:\WINDOWS\SYSTEM32\wvUkJBrO.dll
O21 - SSODL: mpfanvqg - {B9810075-D223-413B-AC9F-702A81B16614} - C:\WINDOWS\mpfanvqg.dll
O21 - SSODL: vbksrofa - {37FE3901-1297-4E81-BC2B-3EE2AB61DD1E} - C:\WINDOWS\vbksrofa.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 14832 bytes

-- File Associations -----------------------------------------------------------

.com - unable to read key
.com - unable to read key
.pif - unable to read key
.reg - unable to read key
.reg - unable to read key
.reg - unable to read key
.scr - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Emt64 - c:\windows\system32\drivers\emt64.sys
R0 yhP87 - c:\windows\system32\drivers\yhp87.sys
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R1 tcpipBM (Bytemobile Kernel Network Provider) - c:\windows\system32\drivers\tcpipbm.sys <Not Verified; Bytemobile, Inc.; Bytemobile Optimization Client>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 SMNDIS5 (SMNDIS5 NDIS Protocol Driver) - c:\progra~1\verizo~1\vzacce~1\smndis5.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
R2 bmwebcfg (Bytemobile Web Configurator) - "c:\windows\system32\bmwebcfg.exe" <Not Verified; Bytemobile, Inc.; Bytemobile Optimization Client>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 Iap - "c:\program files\dell\openmanage\client\iap.exe" <Not Verified; Dell Inc; OpenManage Client Instrumentation>
R2 KaseyaAgent (Kaseya Agent) - "c:\program files\kaseya\agent\agentmon.exe" -s <Not Verified; Kaseya; Virtual System Administrator Agent>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 UPHClean (User Profile Hive Cleanup) - c:\program files\uphclean\uphclean.exe <Not Verified; Microsoft Corporation; User Profile Hive Cleanup Service>
R2 WinVNC4 (VNC Server Version 4) - "c:\program files\realvnc\vnc4\winvnc4.exe" -service <Not Verified; RealVNC Ltd.; VNC Server Free Edition>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
R3 HP Port Resolver - c:\windows\system32\spool\drivers\w32x86\3\hpbpro.exe <Not Verified; Hewlett-Packard Company; PortResolver Module>
R3 HP Status Server - c:\windows\system32\spool\drivers\w32x86\3\hpboid.exe <Not Verified; Hewlett-Packard Company; HP Status Server>

S2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
S2 Venturi2 (Venturi Client) - c:\program files\verizon wireless\venturi\client\ventc.exe <Not Verified; Venturi Wireless; VentC>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-17 13:56:44 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-16 12:27:11 368 --a------ C:\WINDOWS\Tasks\backup.job


-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-17 15:14:15 0 d-------- C:\Program Files\Trend Micro
2008-05-17 13:53:16 0 d-------- C:\Program Files\Windows Defender
2008-05-17 13:40:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-17 10:17:56 91264 --a------ C:\WINDOWS\system32\otgjcdwi.dll
2008-05-17 10:10:10 91264 --a------ C:\WINDOWS\system32\avwrhaaq.dll
2008-05-16 14:52:02 1241938 --ahs---- C:\WINDOWS\system32\HPqpWvut.ini2
2008-05-16 13:12:01 0 d-------- C:\Program Files\RealVNC
2008-05-16 11:35:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 11:18:42 0 d-------- C:\Program Files\CenterLock
2008-05-16 10:57:09 0 d-------- C:\Documents and Settings\JEbanks\Application Data\TmpRecentIcons
2008-05-16 10:22:35 14336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-16 10:22:35 29056 --a------ C:\WINDOWS\system32\drivers\yhP87.sys
2008-05-15 17:07:24 91264 --a------ C:\WINDOWS\system32\oqvmxcii.dll
2008-05-15 17:06:21 1311426 --ahs---- C:\WINDOWS\system32\WwDeNTAy.ini2
2008-05-15 17:01:41 12288 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-05-15 17:01:41 27008 --a------ C:\WINDOWS\system32\drivers\Emt64.sys
2008-05-15 17:01:11 29312 --a------ C:\WINDOWS\system32\wvUkJBrO.dll
2008-05-15 17:00:51 196608 --a------ C:\WINDOWS\mpfanvqg.dll
2008-05-15 17:00:50 94208 --a------ C:\WINDOWS\exqb.exe
2008-05-15 13:42:24 0 d-------- C:\Program Files\MSXML 6.0
2008-05-15 13:14:52 262144 --a------ C:\WINDOWS\system32\default_user_class.dat
2008-05-15 13:14:48 0 d---s---- C:\Documents and Settings\ENET\Cookies
2008-05-15 13:14:48 0 dr-h----- C:\Documents and Settings\ENET\Application Data
2008-05-15 13:14:48 0 d-------- C:\Documents and Settings\ENET\Application Data\Sun
2008-05-15 13:14:48 0 d-------- C:\Documents and Settings\ENET\Application Data\Sonic
2008-05-15 13:14:48 0 d---s---- C:\Documents and Settings\ENET\Application Data\Microsoft
2008-05-15 13:14:48 0 d-------- C:\Documents and Settings\ENET\Application Data\Intel
2008-05-15 13:14:48 0 d-------- C:\Documents and Settings\ENET\Application Data\Identities
2008-05-15 13:14:47 0 d--h----- C:\Documents and Settings\ENET\Templates
2008-05-15 13:14:47 0 dr------- C:\Documents and Settings\ENET\Start Menu
2008-05-15 13:14:47 0 dr-h----- C:\Documents and Settings\ENET\SendTo
2008-05-15 13:14:47 0 dr-h----- C:\Documents and Settings\ENET\Recent
2008-05-15 13:14:47 0 d--h----- C:\Documents and Settings\ENET\PrintHood
2008-05-15 13:14:47 1835008 --ah----- C:\Documents and Settings\ENET\NTUSER.DAT
2008-05-15 13:14:47 0 d--h----- C:\Documents and Settings\ENET\NetHood
2008-05-15 13:14:47 0 dr------- C:\Documents and Settings\ENET\My Documents
2008-05-15 13:14:47 0 d--h----- C:\Documents and Settings\ENET\Local Settings
2008-05-15 13:14:47 0 dr------- C:\Documents and Settings\ENET\Favorites
2008-05-15 13:14:47 0 d-------- C:\Documents and Settings\ENET\Desktop
2008-05-15 12:55:31 135168 --a------ C:\WINDOWS\system32\kaseyasp.dll <Not Verified; Kaseya; Kaseya Agent Internet Access Protection Extension>
2008-05-15 12:55:26 0 d-------- C:\Program Files\Kaseya
2008-04-24 13:59:35 0 d-------- C:\Documents and Settings\JEbanks\Application Data\Help
2008-04-21 09:40:21 0 d-------- C:\O'Connor's Forms


-- Find3M Report ---------------------------------------------------------------

2008-05-15 12:55:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-22 14:31:24 23528 --a------ C:\Documents and Settings\JEbanks\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
03/27/2008 08:43 AM 247296 --a------ C:\Program Files\CenterLock\CenterLock.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}]
05/15/2008 05:01 PM 29312 --a------ C:\WINDOWS\system32\wvUkJBrO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{354141F1-5C82-4395-B179-3AE6A12C33ED}]
C:\WINDOWS\system32\tuvWpqPH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BF38C7-4E65-4D8D-ABB0-EBE169098AFC}]
C:\WINDOWS\system32\yATNeDwW.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [01/24/2008 08:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [03/27/2007 03:06 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 08:08 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 06:52 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe" [09/25/2006 07:52 PM]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [01/27/2005 05:00 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [09/01/2005 06:24 PM]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [09/13/2004 05:33 PM]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [10/18/2007 12:08 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 08:54 PM]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [03/07/2008 01:12 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"SpybotDeletingA9534"=command /c del "C:\WINDOWS\system32\tuvWpqPH.dll_old"
"SpybotDeletingC9215"=cmd /c del "C:\WINDOWS\system32\tuvWpqPH.dll_old"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [12/14/2006 5:17:12 PM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2/25/2008 12:29:45 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}"= C:\WINDOWS\system32\wvUkJBrO.dll [05/15/2008 05:01 PM 29312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {B9810075-D223-413B-AC9F-702A81B16614} - C:\WINDOWS\mpfanvqg.dll [05/15/2008 10:41 AM 196608]
"vbksrofa"= {37FE3901-1297-4E81-BC2B-3EE2AB61DD1E} - C:\WINDOWS\vbksrofa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 05:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 05/17/2008 10:15 AM 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 05/17/2008 10:15 AM 12288 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUkJBrO]
wvUkJBrO.dll 05/15/2008 05:01 PM 29312 C:\WINDOWS\system32\wvUkJBrO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\tuvWpqPH

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Emt64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yhP87.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


*Newly Created Service* - HP_PORT_RESOLVER
*Newly Created Service* - HP_STATUS_SERVER
*Newly Created Service* - RDPWD
*Newly Created Service* - TDTCP
*Newly Created Service* - WINDEFEND



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8382 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-17 20:50:21 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 2.26GHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 2047.39 MiB / 1177.89 MiB
Pagefile Memory (total/avail): 5986.13 MiB / 5263.68 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.64 MiB

C: is Fixed (NTFS) - 93.1 GiB total, 61.2 GiB free.
D: is CDROM (No Media)
F: is Network (NTFS)
P: is Network (NTFS)
Q: is Network (Unformatted)
R: is Network (Unformatted)
T: is Network (NTFS)

\\.\PHYSICALDRIVE0 - Hitachi HTS721010G9AT00 - 93.16 GiB - 2 partitions
\PARTITION0 - Unknown - 62.72 MiB
\PARTITION1 (bootable) - Installable File System - 93.1 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Verizon Wireless\\VZAccess Manager\\VZAccess Manager.exe"="C:\\Program Files\\Verizon Wireless\\VZAccess Manager\\VZAccess Manager.exe:*:Enabled:VZAccess Manager"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1137426204\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1137426204\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1137426204\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1137426204\\EE\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Verizon Wireless\\VZAccess Manager\\VZAccess Manager.exe"="C:\\Program Files\\Verizon Wireless\\VZAccess Manager\\VZAccess Manager.exe:*:Enabled:VZAccess Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"="C:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe:*:Enabled:SwiApiMux"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JEbanks\Application Data
CI_HOLOS_CLI=C:\Program Files\Seagate Software\Open Olap\
CLASSPATH=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ESCJDE
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JEbanks
LOGONSERVER=\\ESCEX1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=RDP-Tcp#10
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JEbanks\LOCALS~1\Temp
TMP=C:\DOCUME~1\JEbanks\LOCALS~1\Temp
USERDNSDOMAIN=ESCLAWYERS.COM
USERDOMAIN=ESCLAWYERS
USERNAME=jebanks
USERPROFILE=C:\Documents and Settings\JEbanks
VSEDEFLOGDIR=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

JEbanks (admin)
TTaylor.ESCLAWYERS
Administrator.ESCLAWYERS (admin)
James D Ebanks (admin)
ENET (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\MHLAW40\Uninst.isu
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> MsiExec.exe /I{9579E862-5FC7-4337-B1CC-5E37451524C5}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 7.0 Corporate Edition --> MsiExec.exe /I{ACF70000-22B9-4CE9-98D6-2CCF359BAC07}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 8.1.2 Standard --> msiexec /I {AC76BA86-1033-0000-BA7E-000000000003}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9
AT&T Communication Manager --> MsiExec.exe /X{A81BFA08-5D4C-4D4C-ACEF-BF558C70D99D}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BlackBerry Desktop Software 4.2.1 --> MsiExec.exe /i{D5FF3187-EEED-4AA1-BC3A-F2FF30560EDF}
BlackBerry Desktop Software 4.2.1 --> MsiExec.exe /I{D5FF3187-EEED-4AA1-BC3A-F2FF30560EDF}
Broadcom Advanced Control Suite 2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{64A77F14-0E08-4A97-A859-E93CFF428756} /l1033
Broadcom ASF Management Applications --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{25D24E84-64A9-40D2-85CF-540B1C4A6D52} /l1033
C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon iP90 --> C:\WINDOWS\system32\CNMCP71.exe "-PRINTERNAMECanon iP90" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon iP90 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon iP90 Installer\Inst2\cnmi0409.dll"
Canon iP90 Setup Utility --> "C:\Program Files\Canon\Canon iP90 Setup Utility\Maint.exe" /Uninstall C:\Program Files\Canon\Canon iP90 Setup Utility\uninst.ini
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon PhotoRecord --> MsiExec.exe /X{D958FAC4-BAE0-4B1D-A42E-DE9BFDE7DDEE}
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe C:\Program Files\Canon\Easy-PhotoPrint\uninst.ini
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
CenterLock --> "C:\Program Files\CenterLock\Uninstall.exe"
Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Crystal Reports --> MsiExec.exe /I{7699B723-9718-41DE-8C18-549F341C02CE}
Curitel PC Card Software --> C:\Program Files\Verizon Wireless\PC5740\PWI_Uninstall.exe
Dictaphone Walkabout Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0FF755A3-2FC0-4A32-8EFF-5B576D334604}\Setup.exe" -l0x9
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Driver Installer --> MsiExec.exe /X{753D852A-D86D-42C9-9978-40AE66FB8985}
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaseya Agent --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\Setup.exe" UNINSTALL
McAfee VirusScan Enterprise --> MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office Outlook 2003 --> MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser --> MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
mToolkit --> MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Nokia Connectivity Adapter Cable DKU-5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1BA3CD5-89DC-4273-8603-A75F33E9B335}\Setup.exe" -l0x9
O'Connor's Texas Causes of Action Pleadings on CD 2008 --> C:\O'Connor's Forms\2008 O'Connor's Texas Causes of Action Pleadings on CD\Uninstall.exe
O2Micro Smartcard Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7FE1E97D-B93B-4817-8BC2-19C0347F4DB4} /l1033
OMCI --> MsiExec.exe /X{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}
PCLaw Quick Tour and Lessons --> C:\PROGRA~1\PCLawQTL\UNWISE.EXE C:\PROGRA~1\PCLawQTL\INSTALL.LOG
PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4 SET_LIM_RADIO - ALL
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Sanction II Version 2.6 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\SanctionII\SANCTIONII6.UNI"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! Plus --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Texas Pattern Jury Charges - Business 2006 --> C:\WINDOWS\iun6002.exe "C:\Texas PJC - Business 2006\UnInstall\gen.ini"
Texas Pattern Jury Charges - General Negligence 2006 --> C:\WINDOWS\iun6002.exe "C:\Texas PJC - General Negligence 2006\UnInstall\gen.ini"
Texas Pattern Jury Charges - Malpractice 2006 --> C:\WINDOWS\iun6002.exe "C:\Texas PJC - Malpractice 2006\UnInstall\gen.ini"
Time Matters 6.0 Enterprise - Legal Series --> C:\tmw6e\UNWISE.EXE C:\tmw6e\install.log
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
Uninstall PCLaw --> C:\PROGRA~1\ACG\PCLAW32\UNINSTAL.EXE
User Profile Hive Cleanup Service --> MsiExec.exe /I{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}
Venturi Client 3.1.4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C59FA2E-EEDA-41FA-90AC-F8FCBD032E85}\Setup.exe" -l0x9 -vuninstall
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Installer Clean Up --> MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD53}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type11041 / Error
Event Submitted/Written: 05/17/2008 10:05:37 AM
Event ID/Source: 1502 / Userenv
Event Description:
Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.


DETAIL - The process cannot access the file because it is being used by another process.

Event Record #/Type11040 / Warning
Event Submitted/Written: 05/17/2008 09:43:06 AM
Event ID/Source: 258 / McLogEvent
Event Description:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).

Event Record #/Type11039 / Warning
Event Submitted/Written: 05/17/2008 09:41:01 AM
Event ID/Source: 258 / McLogEvent
Event Description:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).

Event Record #/Type11037 / Error
Event Submitted/Written: 05/16/2008 00:02:32 PM
Event ID/Source: 1515 / Userenv
Event Description:
Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.

Event Record #/Type11036 / Error
Event Submitted/Written: 05/16/2008 00:02:21 PM
Event ID/Source: 1511 / Userenv
Event Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type26578 / Warning
Event Submitted/Written: 05/17/2008 08:47:32 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ESCLAWYERS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ESCLAWYERS27 can't undo changes that you allow.

For more information please see the following:
%ESCLAWYERS275

Scan ID: {D102CFE4-22DD-46E3-B87D-BDEEC7F5F423}

User: ESCLAWYERS\Jebanks

Name: %ESCLAWYERS271

ID: %ESCLAWYERS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ESCLAWYERS276

Alert Type: %ESCLAWYERS278

Detection Type: 1.1.1593.02

Event Record #/Type26577 / Warning
Event Submitted/Written: 05/17/2008 08:47:32 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ESCLAWYERS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ESCLAWYERS27 can't undo changes that you allow.

For more information please see the following:
%ESCLAWYERS275

Scan ID: {F34BE081-979D-4FFA-862E-1B0C61EE41BF}

User: ESCLAWYERS\Jebanks

Name: %ESCLAWYERS271

ID: %ESCLAWYERS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ESCLAWYERS276

Alert Type: %ESCLAWYERS278

Detection Type: 1.1.1593.02

Event Record #/Type26576 / Warning
Event Submitted/Written: 05/17/2008 08:47:32 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ESCLAWYERS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ESCLAWYERS27 can't undo changes that you allow.

For more information please see the following:
%ESCLAWYERS275

Scan ID: {0A8C17F1-FB38-4353-BAE8-083CFA4B8AC5}

User: ESCLAWYERS\Jebanks

Name: %ESCLAWYERS271

ID: %ESCLAWYERS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ESCLAWYERS276

Alert Type: %ESCLAWYERS278

Detection Type: 1.1.1593.02

Event Record #/Type26575 / Warning
Event Submitted/Written: 05/17/2008 08:47:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ESCLAWYERS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ESCLAWYERS27 can't undo changes that you allow.

For more information please see the following:
%ESCLAWYERS275

Scan ID: {32CA24D9-8A22-4B76-93F6-906159C5D50D}

User: ESCLAWYERS\Jebanks

Name: %ESCLAWYERS271

ID: %ESCLAWYERS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ESCLAWYERS276

Alert Type: %ESCLAWYERS278

Detection Type: 1.1.1593.02

Event Record #/Type26574 / Warning
Event Submitted/Written: 05/17/2008 08:47:29 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%ESCLAWYERS27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %ESCLAWYERS27 can't undo changes that you allow.

For more information please see the following:
%ESCLAWYERS275

Scan ID: {64D95ABD-C79C-4B36-AC25-389B43C7CFBE}

User: ESCLAWYERS\Jebanks

Name: %ESCLAWYERS271

ID: %ESCLAWYERS272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %ESCLAWYERS276

Alert Type: %ESCLAWYERS278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-05-17 20:50:21 ------------



Windows Firewall has been enabled, since the scan.

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:27 PM

Posted 18 May 2008 - 10:03 AM

Hello cferreira,

The infection you were dealing with messed with your default file associations, so we have to fix this as well.

Please download DAFT and save it to your desktop:
Double-click the daft.exe icon. Read the disclaimer and click OK.
Click on the Scan button.
Place a checkmark next to the following entries:

.com
.pif
.reg
.scr


Click the Fix button.
Re-scan and save a logfile.
By default, it will save as daft.txt.
Close all other windows and browsers, and press the Fix Checked button.
If everything is ok again, it should display the "all associations ok message".
Please post the daft.txt log.



Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new Deckard System Scanner log.

Edited by SifuMike, 18 May 2008 - 10:09 AM.
spelling

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 cferreira

cferreira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:27 PM

Posted 19 May 2008 - 09:59 AM

The scans have been completed.

This is the VundoFix Log:
VundoFix V7.0.3

Scan started at 9:23:17 AM 5/19/2008

Listing files found while scanning....

No infected files were found.


This is the Deckard System Scanner Log:
Deckard's System Scanner v20071014.68
Run by jebanks on 2008-05-19 09:53:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as jebanks.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:21 AM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Documents and Settings\JEbanks\Desktop\Chad Cleanup\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\jebanks.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11CB2C8B-00BD-459D-B40D-420845E2BE2D} - C:\WINDOWS\system32\wvUoNDtQ.dll (file missing)
O2 - BHO: CenterLock module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\CenterLock\CenterLock.dll
O2 - BHO: (no name) - {2E529F87-2B52-438C-9E7C-7D0A0DD910BA} - C:\WINDOWS\system32\wvUkJBrO.dll
O2 - BHO: (no name) - {354141F1-5C82-4395-B179-3AE6A12C33ED} - C:\WINDOWS\system32\tuvWpqPH.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B1BF38C7-4E65-4D8D-ABB0-EBE169098AFC} - C:\WINDOWS\system32\yATNeDwW.dll (file missing)
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw6e\TMIETB.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: pvnsmfor - {E738884B-E75D-4AC3-B03F-62F7E7DD853E} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [c4192508] rundll32.exe "C:\WINDOWS\system32\tmaaeyeb.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3867] command /c del "C:\WINDOWS\system32\tuvWpqPH.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC716] cmd /c del "C:\WINDOWS\system32\tuvWpqPH.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7815] command /c del "C:\WINDOWS\system32\wvUoNDtQ.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8938] cmd /c del "C:\WINDOWS\system32\wvUoNDtQ.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135268256531
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://terminal.enetsolutions.net/msrdp.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://terminal.esclawyers.com/tsweb/msrdp.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.enetsolutions.net/inc/kaxRemote.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pm.webex.com/client/v_mywebex-t20/s...ort/ieatgpc.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ESCLAWYERS.COM
O17 - HKLM\Software\..\Telephony: DomainName = ESCLAWYERS.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ESCLAWYERS.COM
O20 - Winlogon Notify: CLSID - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O20 - Winlogon Notify: wvUkJBrO - C:\WINDOWS\SYSTEM32\wvUkJBrO.dll
O21 - SSODL: vbksrofa - {37FE3901-1297-4E81-BC2B-3EE2AB61DD1E} - C:\WINDOWS\vbksrofa.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14147 bytes

-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-19 09:23:17 0 d-------- C:\VundoFix Backups
2008-05-19 09:16:39 91264 --a------ C:\WINDOWS\system32\tmaaeyeb.dll
2008-05-19 08:34:30 1238741 --ahs---- C:\WINDOWS\system32\QtDNoUvw.ini2
2008-05-17 21:15:36 3388 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-17 15:14:15 0 d-------- C:\Program Files\Trend Micro
2008-05-17 13:53:16 0 d-------- C:\Program Files\Windows Defender
2008-05-17 13:40:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-17 10:17:56 91264 --a------ C:\WINDOWS\system32\otgjcdwi.dll
2008-05-17 10:10:10 91264 --a------ C:\WINDOWS\system32\avwrhaaq.dll
2008-05-16 14:52:02 1241938 --ahs---- C:\WINDOWS\system32\HPqpWvut.ini2
2008-05-16 13:12:01 0 d-------- C:\Program Files\RealVNC
2008-05-16 11:35:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 11:18:42 0 d-------- C:\Program Files\CenterLock
2008-05-16 10:57:09 0 d-------- C:\Documents and Settings\JEbanks\Application Data\TmpRecentIcons
2008-05-16 10:22:35 14336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-16 10:22:35 29056 --a------ C:\WINDOWS\system32\drivers\yhP87.sys
2008-05-15 17:07:24 91264 --a------ C:\WINDOWS\system32\oqvmxcii.dll
2008-05-15 17:06:21 1311426 --ahs---- C:\WINDOWS\system32\WwDeNTAy.ini2
2008-05-15 17:01:41 12288 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-05-15 17:01:41 27008 --a------ C:\WINDOWS\system32\drivers\Emt64.sys
2008-05-15 17:01:11 29312 --a------ C:\WINDOWS\system32\wvUkJBrO.dll
2008-05-15 17:00:50 94208 --a------ C:\WINDOWS\exqb.exe
2008-05-15 13:42:24 0 d-------- C:\Program Files\MSXML 6.0
2008-05-15 13:14:52 262144 --a------ C:\WINDOWS\system32\default_user_class.dat
2008-05-15 13:14:48 0 d---s---- C:\Documents and Settings\ENET\Cookies
2008-05-15 13:14:48 0 dr-h----- C:\Documents and Settings\ENET\Application Data
2008-05-15 13:14:48 0 d-------- C:\Documents and Settings\ENET\Application Data\Sun
2008-05-15 13:14:48 0 d-------- C:\Documents and Settings\ENET\Application Data\Sonic
2008-05-15 13:14:48 0 d---s---- C:\Documents and Settings\ENET\Application Data\Microsoft
2008-05-15 13:14:48 0 d-------- C:\Documents and Settings\ENET\Application Data\Intel
2008-05-15 13:14:48 0 d-------- C:\Documents and Settings\ENET\Application Data\Identities
2008-05-15 13:14:47 0 d--h----- C:\Documents and Settings\ENET\Templates
2008-05-15 13:14:47 0 dr------- C:\Documents and Settings\ENET\Start Menu
2008-05-15 13:14:47 0 dr-h----- C:\Documents and Settings\ENET\SendTo
2008-05-15 13:14:47 0 dr-h----- C:\Documents and Settings\ENET\Recent
2008-05-15 13:14:47 0 d--h----- C:\Documents and Settings\ENET\PrintHood
2008-05-15 13:14:47 1835008 --ah----- C:\Documents and Settings\ENET\NTUSER.DAT
2008-05-15 13:14:47 0 d--h----- C:\Documents and Settings\ENET\NetHood
2008-05-15 13:14:47 0 dr------- C:\Documents and Settings\ENET\My Documents
2008-05-15 13:14:47 0 d--h----- C:\Documents and Settings\ENET\Local Settings
2008-05-15 13:14:47 0 dr------- C:\Documents and Settings\ENET\Favorites
2008-05-15 13:14:47 0 d-------- C:\Documents and Settings\ENET\Desktop
2008-05-15 12:55:31 135168 --a------ C:\WINDOWS\system32\kaseyasp.dll <Not Verified; Kaseya; Kaseya Agent Internet Access Protection Extension>
2008-05-15 12:55:26 0 d-------- C:\Program Files\Kaseya
2008-04-24 13:59:35 0 d-------- C:\Documents and Settings\JEbanks\Application Data\Help
2008-04-21 09:40:21 0 d-------- C:\O'Connor's Forms


-- Find3M Report ---------------------------------------------------------------

2008-05-15 12:55:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-22 14:31:24 23528 --a------ C:\Documents and Settings\JEbanks\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11CB2C8B-00BD-459D-B40D-420845E2BE2D}]
C:\WINDOWS\system32\wvUoNDtQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
03/27/2008 08:43 AM 247296 --a------ C:\Program Files\CenterLock\CenterLock.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}]
05/15/2008 05:01 PM 29312 --a------ C:\WINDOWS\system32\wvUkJBrO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{354141F1-5C82-4395-B179-3AE6A12C33ED}]
C:\WINDOWS\system32\tuvWpqPH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BF38C7-4E65-4D8D-ABB0-EBE169098AFC}]
C:\WINDOWS\system32\yATNeDwW.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [01/24/2008 08:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\udaterui.exe" [03/14/2008 04:00 AM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 08:08 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 06:52 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe" [09/25/2006 07:52 PM]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [01/27/2005 05:00 AM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [09/01/2005 06:24 PM]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [09/13/2004 05:33 PM]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [10/18/2007 12:08 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 08:54 PM]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [03/07/2008 01:12 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 06:00 AM]
"MRT"="C:\WINDOWS\system32\MRT.exe" [05/09/2008 04:35 PM]
"c4192508"="C:\WINDOWS\system32\tmaaeyeb.dll" [05/19/2008 09:16 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"SpybotDeletingA3867"=command /c del "C:\WINDOWS\system32\tuvWpqPH.dll_old"
"SpybotDeletingC716"=cmd /c del "C:\WINDOWS\system32\tuvWpqPH.dll_old"
"SpybotDeletingA7815"=command /c del "C:\WINDOWS\system32\wvUoNDtQ.dll_old"
"SpybotDeletingC8938"=cmd /c del "C:\WINDOWS\system32\wvUoNDtQ.dll_old"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [12/14/2006 5:17:12 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}"= C:\WINDOWS\system32\wvUkJBrO.dll [05/15/2008 05:01 PM 29312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbksrofa"= {37FE3901-1297-4E81-BC2B-3EE2AB61DD1E} - C:\WINDOWS\vbksrofa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 05:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 05/19/2008 08:27 AM 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 05/19/2008 08:27 AM 12288 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUkJBrO]
wvUkJBrO.dll 05/15/2008 05:01 PM 29312 C:\WINDOWS\system32\wvUkJBrO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\wvUoNDtQ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Emt64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yhP87.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup





-- End of Deckard's System Scanner: finished at 2008-05-19 09:54:39 ------------

Edited by SifuMike, 19 May 2008 - 06:05 PM.
inserted ComboFix log


#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:27 PM

Posted 19 May 2008 - 11:40 AM

Hi cferreira,


I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure.

This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program.
If it asks to reboot, do not reboot. It is not necessary to reboot to get the items to show up in HijackThis.



We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your McAfee Antivirus, Windows Defender and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable McAfee Virusscan:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You succesfully disabled the McAfee Guard.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.



Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

 When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT  It is a simple procedure that will only take a few moments of your time.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read  here   what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. Please do not post a Hijackthis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 cferreira

cferreira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:27 PM

Posted 19 May 2008 - 12:33 PM

I had Winzip unchecked, all other programs were started. Running Combofix now, will post log once complete.

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:27 PM

Posted 19 May 2008 - 02:04 PM

Be sure to install Recovery Console (if it is not already installed), as that is our saftey net.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 cferreira

cferreira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:27 PM

Posted 19 May 2008 - 04:09 PM

Requested log after ComboFix ran.

ComboFix 08-05-15.3 - jebanks 2008-05-19 14:32:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1469 [GMT -5:00]
Running from: C:\Documents and Settings\JEbanks\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\beyeaamt.ini
C:\WINDOWS\system32\drivers\Emt64.sys
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\yhP87.sys
C:\WINDOWS\system32\efxtedrs.ini
C:\WINDOWS\system32\fpxkabal.ini
C:\WINDOWS\system32\HPqpWvut.ini
C:\WINDOWS\system32\HPqpWvut.ini2
C:\WINDOWS\system32\iicxmvqo.ini
C:\WINDOWS\system32\iwdcjgto.ini
C:\WINDOWS\system32\kTBHPqru.ini
C:\WINDOWS\system32\kTBHPqru.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qaahrwva.ini
C:\WINDOWS\system32\QtDNoUvw.ini
C:\WINDOWS\system32\QtDNoUvw.ini2
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\urqPHBTk.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\WwDeNTAy.ini
C:\WINDOWS\system32\WwDeNTAy.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EMT64
-------\Legacy_YHP87
-------\Service_Emt64
-------\Service_yhP87


((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 16:00 . 2008-05-19 16:00 294 ---hs---- C:\WINDOWS\system32\fpxkabal.ini
2008-05-19 15:58 . 2008-05-19 15:58 29,056 --a------ C:\WINDOWS\system32\drivers\hoV86.sys
2008-05-19 15:58 . 2008-05-19 15:58 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dl_
2008-05-19 10:15 . 2008-05-19 10:15 91,264 --a------ C:\WINDOWS\system32\labakxpf.dll
2008-05-19 09:23 . 2008-05-19 09:23 <DIR> d-------- C:\VundoFix Backups
2008-05-18 10:02 . 2008-05-18 10:02 180,224 --a------ C:\temp\kPtchMgt2.dll
2008-05-18 10:00 . 2008-05-19 10:35 <DIR> d-------- C:\temp\odt
2008-05-18 10:00 . 2008-05-18 10:00 2,223,578 --a------ C:\temp\odt.exe
2008-05-17 22:18 . 2008-05-17 22:18 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 21:15 . 2008-05-17 21:21 3,388 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-17 20:44 . 2008-05-17 20:44 <DIR> d-------- C:\Deckard
2008-05-17 15:22 . 2008-05-17 15:22 167,936 --a------ C:\temp\KRlyCLis.exe
2008-05-17 15:14 . 2008-05-17 15:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 13:53 . 2008-05-17 13:53 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-17 13:40 . 2008-05-17 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-17 10:17 . 2008-05-17 10:17 91,264 --a------ C:\WINDOWS\system32\otgjcdwi.dll
2008-05-17 10:10 . 2008-05-17 10:10 91,264 --a------ C:\WINDOWS\system32\avwrhaaq.dll
2008-05-16 13:12 . 2008-05-16 13:12 <DIR> d-------- C:\Program Files\RealVNC
2008-05-16 11:35 . 2008-05-19 10:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 11:35 . 2008-05-19 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 11:18 . 2008-05-16 11:18 <DIR> d-------- C:\Program Files\CenterLock
2008-05-16 10:57 . 2008-05-16 13:19 <DIR> d-------- C:\Documents and Settings\JEbanks\Application Data\TmpRecentIcons
2008-05-16 10:22 . 2008-05-19 10:34 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-15 17:07 . 2008-05-15 17:07 91,264 --a------ C:\WINDOWS\system32\oqvmxcii.dll
2008-05-15 17:01 . 2008-05-15 17:01 29,312 --a------ C:\WINDOWS\system32\wvUkJBrO.dll
2008-05-15 17:00 . 2008-05-15 10:41 94,208 --a------ C:\WINDOWS\exqb.exe
2008-05-15 13:42 . 2008-05-15 13:42 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-15 13:14 . 2005-12-15 22:29 <DIR> d-------- C:\Documents and Settings\ENET\Application Data\Sonic
2008-05-15 13:14 . 2005-12-15 22:25 <DIR> d-------- C:\Documents and Settings\ENET\Application Data\Intel
2008-05-15 13:14 . 2008-05-15 13:14 <DIR> d-------- C:\Documents and Settings\ENET
2008-05-15 13:14 . 2008-05-16 13:08 262,144 --a------ C:\WINDOWS\system32\default_user_class.dat
2008-05-15 13:14 . 2008-05-19 14:32 1,024 --ah----- C:\Documents and Settings\ENET\ntuser.dat.LOG
2008-05-15 12:55 . 2008-05-15 12:55 <DIR> d-------- C:\Program Files\Kaseya
2008-05-15 12:55 . 2008-03-07 13:12 135,168 --a------ C:\WINDOWS\system32\kaseyasp.dll
2008-05-15 12:55 . 2008-03-07 13:12 20,920 --a------ C:\WINDOWS\system32\drivers\KaPFA.sys
2008-05-15 12:55 . 2008-03-07 13:12 13,496 --a------ C:\WINDOWS\system32\drivers\KaseyaHA.sys
2008-04-21 09:40 . 2008-04-21 09:40 <DIR> d-------- C:\O'Connor's Forms

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 17:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 19:31 23,528 ----a-w C:\Documents and Settings\JEbanks\Application Data\GDIPFONTCACHEV1.DAT
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11CB2C8B-00BD-459D-B40D-420845E2BE2D}]
C:\WINDOWS\system32\wvUoNDtQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
2008-03-27 08:43 247296 --a------ C:\Program Files\CenterLock\CenterLock.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}]
2008-05-15 17:01 29312 --a------ C:\WINDOWS\system32\wvUkJBrO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{354141F1-5C82-4395-B179-3AE6A12C33ED}]
C:\WINDOWS\system32\tuvWpqPH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BF38C7-4E65-4D8D-ABB0-EBE169098AFC}]
C:\WINDOWS\system32\yATNeDwW.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E738884B-E75D-4AC3-B03F-62F7E7DD853E}"= "C:\WINDOWS\pvnsmfor.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{e738884b-e75d-4ac3-b03f-62f7e7dd853e}]
[HKEY_CLASSES_ROOT\pvnsmfor.1]
[HKEY_CLASSES_ROOT\TypeLib\{28579586-9751-48D9-9F9B-BC3714D9F175}]
[HKEY_CLASSES_ROOT\pvnsmfor]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008-01-24 20:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 04:00 136512]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 20:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]
"HostManager"="C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 05:00 98304]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-09-01 18:24 684032]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33 155648]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2007-10-18 12:08 33280]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2008-03-07 13:12 229376]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"c4192508"="C:\WINDOWS\system32\labakxpf.dll" [2008-05-19 10:15 91264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2006-12-14 17:17:12 1212416]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-02-25 12:29:45 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}"= C:\WINDOWS\system32\wvUkJBrO.dll [2008-05-15 17:01 29312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbksrofa"= {37FE3901-1297-4E81-BC2B-3EE2AB61DD1E} - C:\WINDOWS\vbksrofa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 2008-05-19 10:34 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUkJBrO]
wvUkJBrO.dll 2008-05-15 17:01 29312 C:\WINDOWS\system32\wvUkJBrO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hoV86.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 hoV86;hoV86;C:\WINDOWS\system32\Drivers\hoV86.sys [2008-05-19 15:58]
R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\Kaseya\Agent\AgentMon.exe" -s []
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 17:46]
R3 swivsp;AC8xx Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\swivspnt.sys [2006-10-12 09:49]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-10-18 12:08]
S3 ATTRcAppSvc;AT&T RcAppSvc;"C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" []
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys [2005-05-04 10:59]
S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys [2005-05-04 11:00]
S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys [2005-05-04 11:00]
S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys [2005-05-04 11:01]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys [2005-05-04 11:01]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-10-20 10:28]

*Newly Created Service* - HOV86
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 17:27:11 C:\WINDOWS\Tasks\backup.job"
- C:\Documents and Settings\JEbanks\My Documents\backup.bat
"2008-05-19 19:37:36 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 15:59:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\fpxkabal.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\wvUkJBrO.dll
-> C:\WINDOWS\system32\WinCtrl32.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\labakxpf.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Verizon Wireless\venturi\Client\VentC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\temp\KRlyCLis.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-19 16:04:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 21:04:07

Pre-Run: 65,436,680,192 bytes free
Post-Run: 65,407,631,360 bytes free

231 --- E O F --- 2008-05-18 03:19:00

Attached Files

  • Attached File  log.txt   14.14KB   31 downloads

Edited by SifuMike, 19 May 2008 - 06:07 PM.
insert combofix log


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:27 PM

Posted 19 May 2008 - 06:03 PM

Hi cferreira,

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'

Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\temp\kPtchMgt2.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next files:

C:\temp\odt.exe
C:\WINDOWS\exqb.exe



Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

***************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

File:: 
C:\WINDOWS\system32\fpxkabal.ini
C:\WINDOWS\system32\drivers\hoV86.sys
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\labakxpf.dll
C:\WINDOWS\system32\otgjcdwi.dll
C:\WINDOWS\system32\avwrhaaq.dll
C:\WINDOWS\system32\oqvmxcii.dll
C:\WINDOWS\system32\wvUkJBrO.dll

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11CB2C8B-00BD-459D-B40D-420845E2BE2D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{354141F1-5C82-4395-B179-3AE6A12C33ED}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BF38C7-4E65-4D8D-ABB0-EBE169098AFC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E738884B-E75D-4AC3-B03F-62F7E7DD853E}"=-  
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}"=- 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbksrofa"=-  
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUkJBrO]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c4192508"=-
[-HKEY_CLASSES_ROOT\clsid\{e738884b-e75d-4ac3-b03f-62f7e7dd853e}] 
[-HKEY_CLASSES_ROOT\pvnsmfor.1]
[-HKEY_CLASSES_ROOT\TypeLib\{28579586-9751-48D9-9F9B-BC3714D9F175}]
[-HKEY_CLASSES_ROOT\pvnsmfor]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hoV86.sys]
@=-

Driver:: 
hoV86


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Please do not attach the ComboFix and Hijackthis logs, as that makes them hard to read.

Edited by SifuMike, 19 May 2008 - 06:10 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 cferreira

cferreira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:27 PM

Posted 19 May 2008 - 08:26 PM

Requested logs beginning with the logs of the scanned files.

Antivirus Version Last Update Result
AhnLab-V3 2008.5.20.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.19 -
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 -
AVG 7.5.0.516 2008.05.19 -
BitDefender 7.2 2008.05.19 -
CAT-QuickHeal 9.50 2008.05.19 -
ClamAV 0.92.1 2008.05.20 -
DrWeb 4.44.0.09170 2008.05.20 -
eSafe 7.0.15.0 2008.05.19 -
eTrust-Vet 31.4.5805 2008.05.20 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.20 -
Fortinet 3.14.0.0 2008.05.20 -
GData 2.0.7306.1023 2008.05.20 -
Ikarus T3.1.1.26.0 2008.05.20 -
Kaspersky 7.0.0.125 2008.05.20 -
McAfee 5298 2008.05.19 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3110 2008.05.19 -
Norman 5.80.02 2008.05.19 -
Panda 9.0.0.4 2008.05.20 -
Prevx1 V2 2008.05.20 -
Rising 20.45.02.00 2008.05.19 -
Sophos 4.29.0 2008.05.20 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.20 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.19 -
Additional information
File size: 180224 bytes
MD5...: 6075a4c60d61a2faa7edc91df9139291
SHA1..: 54526d2be74160400fb1e61d439f6f65560d0e75
SHA256: 7cf7462aefa749f78d04beda5c38d0805db6a4bd61c7933b7d01cedf20c1a6c6
SHA512: 67e774c44e5a1e116e2ae60dbac27c7a36fbbd05788553268b5f4e932ca3d904
abbe2754f5c60cbb0b4572c80686ef8069d1cb491339ff37230870f71a6193c5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1001162a
timedatestamp.....: 0x47be0ba4 (Thu Feb 21 23:39:16 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1bd15 0x1c000 6.62 af5257ff7e2ea58b1218ba26c5c2619a
.rdata 0x1d000 0x5421 0x6000 4.99 2c1b0e75f7cc8f57673d7ff28befce36
.data 0x23000 0x5b68 0x5000 1.75 bdde0051c8b3b87e588422d4ade44037
.rsrc 0x29000 0x4b0 0x1000 1.23 b1a102893b54e1fe7b70accfc7455c58
.reloc 0x2a000 0x2354 0x3000 4.13 f83f9f590cac96c984f5fd96386e25e8

( 5 imports )
> KERNEL32.dll: GetLocaleInfoA, GetThreadLocale, GetVersionExA, RaiseException, InitializeCriticalSection, DeleteCriticalSection, lstrcmpiA, lstrlenA, GetSystemDefaultUILanguage, CompareStringA, CompareStringW, ReadFile, GetFileSize, Sleep, GetACP, LockResource, LoadResource, FindResourceA, FindResourceExA, GetProcAddress, GetModuleHandleA, GetSystemInfo, SetLastError, LoadLibraryA, FormatMessageA, GetFullPathNameA, SetFilePointer, GetProcessHeap, LocalFree, SetEnvironmentVariableA, InterlockedExchange, CreateFileA, WriteFile, CloseHandle, MultiByteToWideChar, WideCharToMultiByte, SizeofResource, GetLastError, FlushFileBuffers, SetStdHandle, IsBadCodePtr, IsBadReadPtr, GetStringTypeW, GetStringTypeA, UnhandledExceptionFilter, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlUnwind, ExitProcess, HeapAlloc, HeapFree, VirtualProtect, VirtualAlloc, VirtualQuery, GetTimeFormatA, GetDateFormatA, GetCurrentThreadId, GetCommandLineA, GetOEMCP, GetCPInfo, TlsAlloc, TlsFree, TlsSetValue, TlsGetValue, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, LeaveCriticalSection, EnterCriticalSection, HeapDestroy, HeapCreate, VirtualFree, HeapReAlloc, IsBadWritePtr, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, HeapSize, LCMapStringA, LCMapStringW, GetTimeZoneInformation, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings
> USER32.dll: GetSystemMetrics
> ADVAPI32.dll: RegQueryInfoKeyA, RegEnumKeyExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
> ole32.dll: CoUninitialize, CoInitializeEx, CoCreateInstance
> OLEAUT32.dll: -, -, -, -, -, -, -

( 1 exports )
KaseyaDllTaskCmd


File odt.exe received on 05.20.2008 02:53:47 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/31 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 42 and 60 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.5.20.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.19 -
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 -
AVG 7.5.0.516 2008.05.19 -
BitDefender 7.2 2008.05.19 -
CAT-QuickHeal 9.50 2008.05.19 -
ClamAV None 2008.05.20 -
DrWeb 4.44.0.09170 2008.05.20 -
eSafe 7.0.15.0 2008.05.19 -
eTrust-Vet 31.4.5805 2008.05.20 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.20 -
Fortinet 3.14.0.0 2008.05.20 -
GData 2.0.7306.1023 2008.05.20 -
Ikarus T3.1.1.26.0 2008.05.20 -
Kaspersky 7.0.0.125 2008.05.20 -
McAfee 5298 2008.05.19 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3110 2008.05.19 -
Norman 5.80.02 2008.05.19 -
Panda 9.0.0.4 2008.05.20 -
Prevx1 V2 2008.05.20 -
Rising 20.45.02.00 2008.05.19 -
Sophos 4.29.0 2008.05.20 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.20 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Additional information
File size: 2223578 bytes
MD5...: 721722b08ecaf449fb86c100e6e236b4
SHA1..: 01944e185e6507d503ce620e4f0a4b7e1a16ff7b
SHA256: abdaa703be6a198c7c92dadd650acc60dccd259f338026b43d452e1fdbc85498
SHA512: c37d38db6cad30d2e712ee9d7ce7ef5fa40b29fa09c7adc0e107e0428b58f14d
ab661ca2b962d6cb2e74e5f7eee6d46c758e21e4236dda0492e5067b8726390b
PEiD..: Armadillo v1.71
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x408af7
timedatestamp.....: 0x3d4a2e3e (Fri Aug 02 07:01:18 2002)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12436 0x13000 6.54 5c5060bef67ebb81f05c17a35ec12872
.rdata 0x14000 0x19b2 0x2000 4.87 1fa22713014a16f333a15283f667d28b
.data 0x16000 0x6e64 0x4000 1.35 a208c1abc7e4034fdfe9e0052f48914b
.rsrc 0x1d000 0x2caa8 0x2d000 7.02 5fc3897e9e71b06106eb01a650e8e6ee

( 7 imports )
> KERNEL32.dll: GetProcAddress, FormatMessageA, DeleteFileA, MulDiv, IsDBCSLeadByte, GetExitCodeProcess, CreateProcessA, GetTempFileNameA, GetSystemDefaultLCID, WaitForSingleObject, CompareStringA, Sleep, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, FreeLibrary, RemoveDirectoryA, FindNextFileA, WritePrivateProfileSectionA, GetStartupInfoA, WriteFile, ReadFile, SetFileAttributesA, LocalFree, LocalAlloc, LockResource, LoadResource, FindResourceA, SizeofResource, GetModuleHandleA, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, MultiByteToWideChar, lstrcmpiA, GetDiskFreeSpaceA, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, ExitProcess, CreateFileA, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, CreateDirectoryA, SetFilePointer, GetFileSize, FindClose, GetLastError, FindFirstFileA, lstrlenA, GetFileAttributesA, GetPrivateProfileStringA, GetSystemDirectoryA, GetWindowsDirectoryA, lstrcatA, GetModuleFileNameA, GetTempPathA, lstrcpyA, GetPrivateProfileSectionA, LoadLibraryA, MoveFileExA, WritePrivateProfileStringA, GetShortPathNameA, FlushFileBuffers, IsBadCodePtr, CloseHandle, SetStdHandle, SetUnhandledExceptionFilter, LCMapStringW, LCMapStringA, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, WideCharToMultiByte, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStringTypeW, GetStringTypeA, GetOEMCP, GetACP, GetCPInfo, IsBadWritePtr, HeapReAlloc, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetVersionExA, GetEnvironmentVariableA, GetVersion, GetCommandLineA, RtlUnwind, IsBadReadPtr
> USER32.dll: SetFocus, PostMessageA, GetDlgItem, SendDlgItemMessageA, GetParent, GetDC, LoadImageA, MessageBoxA, wsprintfA, CheckRadioButton, EnableWindow, IsDlgButtonChecked, GetDlgItemTextA, CheckDlgButton, SetDlgItemTextA, ReleaseDC, GetWindowLongA, SetWindowTextA, CharNextA, GetDesktopWindow, GetWindowTextA, GetWindow, DestroyWindow, CreateDialogParamA, GetSysColor, GetSysColorBrush, FillRect, BeginPaint, DrawTextA, EndPaint, GetClientRect, ScreenToClient, MoveWindow, SetParent, MapDialogRect, GetNextDlgTabItem, GetWindowRect, CreateDialogIndirectParamA, IsWindow, InvalidateRect, IsWindowEnabled, ShowWindow, UpdateWindow, IsDialogMessageA, SetWindowPos, GetActiveWindow, SetActiveWindow, SetWindowLongA, LoadStringA, LoadIconA, DispatchMessageA, SendMessageA, TranslateMessage, PeekMessageA
> GDI32.dll: CreateFontIndirectA, RealizePalette, SelectPalette, CreatePalette, GetObjectA, GetStockObject, CreateDIBitmap, GetTextExtentPointA, SelectObject, EnumFontFamiliesExA, DeleteDC, BitBlt, TextOutA, SetBkMode, SetBkColor, CreateCompatibleDC, CreateSolidBrush, SetTextColor, DeleteObject, GetDeviceCaps
> ADVAPI32.dll: RegCloseKey, RegQueryValueExA, RegOpenKeyExA
> SHELL32.dll: ShellExecuteA, SHBrowseForFolderA, SHGetPathFromIDListA, SHGetMalloc
> LZ32.dll: LZOpenFileA, LZCopy, LZClose
> COMCTL32.dll: -

( 0 exports )

packers (F-Prot): CAB



File exqb.exe received on 05.20.2008 02:57:02 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 12/32 (37.5%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 37 and 53 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.5.20.0 2008.05.19 -
AntiVir 7.8.0.19 2008.05.19 TR/Vapsup.ffw
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 -
AVG 7.5.0.516 2008.05.19 Downloader.Zlob.XDK
BitDefender 7.2 2008.05.19 -
CAT-QuickHeal 9.50 2008.05.19 Trojan.Vapsup.ffw
ClamAV 0.92.1 2008.05.20 -
DrWeb 4.44.0.09170 2008.05.20 Trojan.Popuper.5992
eSafe 7.0.15.0 2008.05.19 -
eTrust-Vet 31.4.5805 2008.05.20 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.20 Trojan.Win32.Vapsup.ffw
Fortinet 3.14.0.0 2008.05.20 W32/Vapsup.FFW!tr
GData 2.0.7306.1023 2008.05.20 Trojan.Win32.Vapsup.ffw
Ikarus T3.1.1.26.0 2008.05.20 Virus.Trojan.Win32.Vapsup.ffw
Kaspersky 7.0.0.125 2008.05.20 Trojan.Win32.Vapsup.ffw
McAfee 5298 2008.05.19 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3110 2008.05.19 -
Norman 5.80.02 2008.05.19 -
Panda 9.0.0.4 2008.05.20 Adware/VapSup
Prevx1 V2 2008.05.20 -
Rising 20.45.02.00 2008.05.19 -
Sophos 4.29.0 2008.05.20 -
Sunbelt 3.0.1123.1 2008.05.17 Adware.NetAdware.Gen
Symantec 10 2008.05.20 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.19 Trojan.Vapsup.ffw
Additional information
File size: 94208 bytes
MD5...: d464185fd3c55c03850c8baad0be5660
SHA1..: 9ad5d2080da45fa35a9aabdcf14ef76f5bfeb9e1
SHA256: 1699b6691444872bfd190e2f63154019cc248a5e188b1f28119d3605cf26d471
SHA512: 1bf0656df8317c81bef22ebc925ff803a8010ee32553fe7a3b0ab22554132c8e
8402dffdc57a467dbbbb24eaadeef4de6c791e7115084ccb7f673344d2bd547f
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4059e6
timedatestamp.....: 0x482c44c5 (Thu May 15 14:12:21 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xdcc2 0xe000 6.58 a2cff36fd7b0f1afdf2cf41a7f4964c0
.rdata 0xf000 0x41b4 0x5000 4.65 8212aac5ce16cbd742f69af64c07c78b
.data 0x14000 0x2e04 0x2000 1.52 dd6aa7735523a1599e28c9d3b4426313
.rsrc 0x17000 0xb0 0x1000 3.06 c67885160d1d4da2f4a5f0d18956abe6

( 3 imports )
> KERNEL32.dll: LoadLibraryW, SetLastError, CloseHandle, GetLastError, GetProcAddress, OpenProcess, FreeLibrary, GetCurrentProcessId, MultiByteToWideChar, TerminateProcess, RaiseException, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, HeapFree, GetCommandLineA, GetVersionExA, HeapAlloc, GetProcessHeap, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, Sleep, HeapSize, ExitProcess, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, DeleteCriticalSection, GetCPInfo, GetACP, GetOEMCP, LCMapStringA, WideCharToMultiByte, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, WriteFile, GetModuleFileNameA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, LoadLibraryA, InitializeCriticalSection, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA
> ADVAPI32.dll: RegSetValueExW
> SHLWAPI.dll: StrToIntW

( 0 exports )




HIJACK THIS LOG++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23, on 2008-05-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\temp\KRlyCLis.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CenterLock module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\CenterLock\CenterLock.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw6e\TMIETB.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135268256531
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://terminal.enetsolutions.net/msrdp.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://terminal.esclawyers.com/tsweb/msrdp.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.enetsolutions.net/inc/kaxRemote.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pm.webex.com/client/v_mywebex-t20/s...ort/ieatgpc.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ESCLAWYERS.COM
O17 - HKLM\Software\..\Telephony: DomainName = ESCLAWYERS.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ESCLAWYERS.COM
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ESCLAWYERS.COM
O20 - Winlogon Notify: CLSID - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WLANKEEPER - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13084 bytes


COMBOFIX LOG+++++++++++++++++++++++++++++++++

ComboFix 08-05-15.3 - jebanks 2008-05-19 20:08:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT -5:00]
Running from: C:\Documents and Settings\JEbanks\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JEbanks\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\avwrhaaq.dll
C:\WINDOWS\system32\drivers\hoV86.sys
C:\WINDOWS\system32\fpxkabal.ini
C:\WINDOWS\system32\labakxpf.dll
C:\WINDOWS\system32\oqvmxcii.dll
C:\WINDOWS\system32\otgjcdwi.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\wvUkJBrO.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\system32\avwrhaaq.dll
C:\WINDOWS\system32\drivers\hoV86.sys
C:\WINDOWS\system32\eiprhkuy.ini
C:\WINDOWS\system32\fpxkabal.ini
C:\WINDOWS\system32\geBspolm.dll
C:\WINDOWS\system32\labakxpf.dll
C:\WINDOWS\system32\mlopsBeg.ini
C:\WINDOWS\system32\mlopsBeg.ini2
C:\WINDOWS\system32\oqvmxcii.dll
C:\WINDOWS\system32\otgjcdwi.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\wvUkJBrO.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HOV86
-------\Service_hoV86


((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-19 20:16 . 2008-05-19 20:16 29,056 --a------ C:\WINDOWS\system32\drivers\ckR75.sys
2008-05-19 17:27 . 2008-05-19 17:27 91,264 --a------ C:\WINDOWS\system32\yukhrpie.dll
2008-05-19 16:03 . 2008-05-19 16:04 85,856 --a------ C:\WINDOWS\system32\pmnlkKAR.dll
2008-05-18 10:02 . 2008-05-18 10:02 180,224 --a------ C:\temp\kPtchMgt2.dll
2008-05-18 10:00 . 2008-05-19 10:35 <DIR> d-------- C:\temp\odt
2008-05-18 10:00 . 2008-05-18 10:00 2,223,578 --a------ C:\temp\odt.exe
2008-05-17 22:18 . 2008-05-17 22:18 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 21:15 . 2008-05-17 21:21 3,388 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-17 20:44 . 2008-05-17 20:44 <DIR> d-------- C:\Deckard
2008-05-17 15:22 . 2008-05-17 15:22 167,936 --a------ C:\temp\KRlyCLis.exe
2008-05-17 15:14 . 2008-05-17 15:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 13:53 . 2008-05-17 13:53 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-17 13:40 . 2008-05-17 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-16 13:12 . 2008-05-16 13:12 <DIR> d-------- C:\Program Files\RealVNC
2008-05-16 11:35 . 2008-05-19 10:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 11:35 . 2008-05-19 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 11:18 . 2008-05-16 11:18 <DIR> d-------- C:\Program Files\CenterLock
2008-05-16 10:57 . 2008-05-16 13:19 <DIR> d-------- C:\Documents and Settings\JEbanks\Application Data\TmpRecentIcons
2008-05-16 10:22 . 2008-05-19 16:13 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-15 17:00 . 2008-05-15 10:41 94,208 --a------ C:\WINDOWS\exqb.exe
2008-05-15 13:42 . 2008-05-15 13:42 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-15 13:14 . 2005-12-15 22:29 <DIR> d-------- C:\Documents and Settings\ENET\Application Data\Sonic
2008-05-15 13:14 . 2005-12-15 22:25 <DIR> d-------- C:\Documents and Settings\ENET\Application Data\Intel
2008-05-15 13:14 . 2008-05-15 13:14 <DIR> d-------- C:\Documents and Settings\ENET
2008-05-15 13:14 . 2008-05-16 13:08 262,144 --a------ C:\WINDOWS\system32\default_user_class.dat
2008-05-15 13:14 . 2008-05-19 18:31 1,024 --ah----- C:\Documents and Settings\ENET\ntuser.dat.LOG
2008-05-15 12:55 . 2008-05-15 12:55 <DIR> d-------- C:\Program Files\Kaseya
2008-05-15 12:55 . 2008-03-07 13:12 135,168 --a------ C:\WINDOWS\system32\kaseyasp.dll
2008-05-15 12:55 . 2008-03-07 13:12 20,920 --a------ C:\WINDOWS\system32\drivers\KaPFA.sys
2008-05-15 12:55 . 2008-03-07 13:12 13,496 --a------ C:\WINDOWS\system32\drivers\KaseyaHA.sys
2008-04-21 09:40 . 2008-04-21 09:40 <DIR> d-------- C:\O'Connor's Forms

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 17:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 19:31 23,528 ----a-w C:\Documents and Settings\JEbanks\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_16.03.31.86 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 19:39:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 01:14:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
2008-03-27 08:43 247296 --a------ C:\Program Files\CenterLock\CenterLock.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008-01-24 20:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 04:00 136512]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 20:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]
"HostManager"="C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 05:00 98304]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-09-01 18:24 684032]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33 155648]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2007-10-18 12:08 33280]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2008-03-07 13:12 229376]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2006-12-14 17:17:12 1212416]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-02-25 12:29:45 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 2008-05-19 16:13 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ckR75.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hoV86.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ckR75;ckR75;C:\WINDOWS\system32\Drivers\ckR75.sys [2008-05-19 20:16]
R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\Kaseya\Agent\AgentMon.exe" -s []
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 17:46]
R3 swivsp;AC8xx Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\swivspnt.sys [2006-10-12 09:49]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-10-18 12:08]
S3 ATTRcAppSvc;AT&T RcAppSvc;"C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" []
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys [2005-05-04 10:59]
S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys [2005-05-04 11:00]
S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys [2005-05-04 11:00]
S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys [2005-05-04 11:01]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys [2005-05-04 11:01]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-10-20 10:28]

*Newly Created Service* - CKR75
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 17:27:11 C:\WINDOWS\Tasks\backup.job"
- C:\Documents and Settings\JEbanks\My Documents\backup.bat
"2008-05-20 01:13:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 20:16:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WinCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Verizon Wireless\venturi\Client\VentC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\temp\KRlyCLis.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-19 20:21:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 01:21:38
ComboFix2.txt 2008-05-19 21:04:18

Pre-Run: 65,486,131,200 bytes free
Post-Run: 65,474,392,064 bytes free

208 --- E O F --- 2008-05-18 03:19:00

The kPtchMgt2.dll is from a program called Kaseya that we use for remote control and pushing down MS patches.


The

#10 cferreira

cferreira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:27 PM

Posted 22 May 2008 - 06:04 AM

Bump....

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:27 PM

Posted 22 May 2008 - 01:19 PM

DO NOT BUMP YOUR POST! That will only delay you getting a reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:27 PM

Posted 26 May 2008 - 06:41 PM

Hi cferreira,

I apoligze for the delay in replying.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

File:: 
C:\WINDOWS\exqb.exe
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\yukhrpie.dll
C:\WINDOWS\system32\pmnlkKAR.dll
C:\WINDOWS\system32\drivers\ckR75.sys
C:\Program Files\CenterLock\CenterLock.dll
C:\WINDOWS\system32\tmp.reg

Folder:: 
C:\Program Files\CenterLock

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ckR75.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hoV86.sys]

Driver:: 
ckR75


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 cferreira

cferreira
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:27 PM

Posted 29 May 2008 - 11:49 AM

Logs after scan.

ComboFix 08-05-29.1 - jebanks 2008-05-29 11:41:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1609 [GMT -5:00]
Running from: C:\Documents and Settings\JEbanks\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JEbanks\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\CenterLock\CenterLock.dll
C:\WINDOWS\exqb.exe
C:\WINDOWS\system32\drivers\ckR75.sys
C:\WINDOWS\system32\pmnlkKAR.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\yukhrpie.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\CenterLock
C:\Program Files\CenterLock\CenterLock.dll
C:\Program Files\CenterLock\uninstall.dat
C:\Program Files\CenterLock\Uninstall.exe
C:\WINDOWS\exqb.exe
C:\WINDOWS\system32\drivers\ckR75.sys
C:\WINDOWS\system32\pmnlkKAR.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\WinCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CKR75
-------\Service_ckR75


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-25 22:14 . 2008-05-25 22:14 110,592 --a------ C:\temp\KLicense.exe
2008-05-20 22:48 . 2008-05-20 22:48 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-20 22:46 . 2008-05-20 22:47 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-18 10:02 . 2008-05-18 10:02 180,224 --a------ C:\temp\kPtchMgt2.dll
2008-05-18 10:00 . 2008-05-29 10:05 <DIR> d-------- C:\temp\odt
2008-05-18 10:00 . 2008-05-18 10:00 2,223,578 --a------ C:\temp\odt.exe
2008-05-17 22:18 . 2008-05-17 22:18 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-17 20:44 . 2008-05-17 20:44 <DIR> d-------- C:\Deckard
2008-05-17 15:22 . 2008-05-17 15:22 167,936 --a------ C:\temp\KRlyCLis.exe
2008-05-17 15:14 . 2008-05-17 15:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 13:53 . 2008-05-17 13:53 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-17 13:40 . 2008-05-17 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-16 13:12 . 2008-05-16 13:12 <DIR> d-------- C:\Program Files\RealVNC
2008-05-16 11:35 . 2008-05-19 10:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-16 11:35 . 2008-05-19 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 13:42 . 2008-05-15 13:42 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-15 13:14 . 2005-12-15 22:29 <DIR> d-------- C:\Documents and Settings\ENET\Application Data\Sonic
2008-05-15 13:14 . 2005-12-15 22:25 <DIR> d-------- C:\Documents and Settings\ENET\Application Data\Intel
2008-05-15 13:14 . 2008-05-15 13:14 <DIR> d-------- C:\Documents and Settings\ENET
2008-05-15 13:14 . 2008-05-16 13:08 262,144 --a------ C:\WINDOWS\system32\default_user_class.dat
2008-05-15 12:55 . 2008-05-15 12:55 <DIR> d-------- C:\Program Files\Kaseya
2008-05-15 12:55 . 2008-03-07 13:12 135,168 --a------ C:\WINDOWS\system32\kaseyasp.dll
2008-05-15 12:55 . 2008-03-07 13:12 20,920 --a------ C:\WINDOWS\system32\drivers\KaPFA.sys
2008-05-15 12:55 . 2008-03-07 13:12 13,496 --a------ C:\WINDOWS\system32\drivers\KaseyaHA.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 11:56 --------- d-----w C:\Program Files\Java
2008-05-18 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 17:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 19:31 23,528 ----a-w C:\Documents and Settings\JEbanks\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_16.03.31.86 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-04 14:05:26 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
- 2007-05-04 19:18:08 64,088 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2008-05-21 03:26:17 66,936 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
- 2007-05-04 19:18:07 223,800 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2008-05-21 03:26:13 226,656 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
- 2008-05-19 19:39:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 16:45:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 13:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 13:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
- 2005-01-28 19:44:28 192,512 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-06-27 03:10:26 317,440 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2003-07-15 03:57:34 38,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL
+ 2003-07-15 03:53:06 94,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\AW.DLL
+ 2003-07-15 03:53:22 46,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\BLNMGRPS.DLL
+ 2003-07-15 03:56:54 14,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\DSITF.DLL
+ 2003-07-15 03:57:14 98,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\DSSM.EXE
+ 2003-07-15 03:41:44 13,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\FINDER.EXE
+ 2003-07-15 03:40:12 179,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\FPERSON.DLL
+ 2003-07-15 03:40:12 165,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\FPLACE.DLL
+ 2003-06-18 22:31:10 252,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL
+ 2003-07-15 03:51:44 87,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL
+ 2003-07-15 03:52:52 17,464 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSMH.DLL
+ 2003-07-15 03:57:16 120,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL
+ 2003-07-15 03:52:52 27,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL
+ 2003-07-15 03:52:56 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE
+ 2003-07-11 07:15:48 1,292,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSONSEXT.DLL
+ 2003-07-15 07:18:52 376,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSORUN.DLL
+ 2003-07-15 03:52:54 28,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL
+ 2003-07-15 03:52:52 35,896 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSOSV.DLL
+ 2003-07-15 03:53:20 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSOSVFBR.DLL
+ 2003-07-15 03:46:16 42,040 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL
+ 2003-07-15 03:45:12 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE
+ 2003-07-15 03:45:12 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL
+ 2003-06-18 22:31:50 16,384 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL
+ 2003-06-19 21:05:50 364,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE
+ 2003-07-15 03:52:58 41,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSSH.DLL
+ 2003-07-15 04:00:54 145,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL
+ 2003-07-15 03:57:10 56,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\NAME.DLL
+ 2003-07-15 03:56:52 13,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL
+ 2007-05-04 19:18:07 223,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\OFFICE.DLL
+ 2003-07-15 08:14:26 242,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\OISGRAPH.DLL
+ 2003-07-15 03:44:34 102,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\OUTLCTL.DLL
+ 2003-07-15 03:43:16 49,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\OUTLWAB.DLL
+ 2003-05-09 02:54:00 77,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL
+ 2003-07-15 03:57:08 40,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\REFIEBAR.DLL
+ 2003-07-21 16:46:38 390,712 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\RTFHTML.DLL
+ 2003-07-15 03:44:16 66,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\SENDTO.DLL
+ 2003-07-15 03:57:08 58,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL
+ 2007-05-04 19:18:08 64,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.5614\VBIDEPIA.DLL
+ 2007-03-23 00:07:56 91,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\ADDRPARS.DLL
+ 2007-03-23 00:07:54 80,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\DLGSETP.DLL
+ 2007-04-19 18:53:52 137,568 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\ENVELOPE.DLL
+ 2007-04-19 18:53:52 127,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\IMPMAIL.DLL
+ 2007-04-19 18:54:04 183,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\MIMEDIR.DLL
+ 2007-06-18 22:16:32 12,259,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\MSO.DLL
+ 2007-05-31 18:43:46 7,613,280 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\OUTLLIB.DLL
+ 2007-04-19 18:53:44 106,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\OUTLMIME.DLL
+ 2007-05-31 18:42:14 200,032 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\OUTLOOK.EXE
+ 2007-04-19 18:53:56 149,856 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\OUTLPH.DLL
+ 2007-04-19 18:53:24 69,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\OUTLRPC.DLL
+ 2007-03-23 00:07:10 41,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\RECALL.DLL
+ 2007-03-23 00:07:54 78,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\RM.DLL
+ 2007-03-23 00:22:02 103,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\TRANSMGR.DLL
+ 2007-05-09 22:19:48 2,585,936 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.8173\VBE6.DLL
+ 2008-05-21 13:52:18 32,768 ----a-r C:\WINDOWS\Installer\{716E0306-8318-4364-8B8F-0CC4E9376BAC}\icon.exe
- 2007-09-17 18:19:44 167,936 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2008-05-21 03:56:15 167,936 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2007-09-17 18:19:44 2,560 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2008-05-21 03:56:15 2,560 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2007-09-17 18:19:44 34,304 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2008-05-21 03:56:14 34,304 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2007-09-17 18:19:44 8,192 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2008-05-21 03:56:15 8,192 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2007-09-17 18:19:44 3,584 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2008-05-21 03:56:15 3,584 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2007-09-17 18:19:44 114,688 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-05-21 03:56:15 114,688 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2007-09-17 18:19:44 16,384 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2008-05-21 03:56:15 16,384 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2007-09-17 18:19:44 30,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2008-05-21 03:56:15 30,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2007-09-17 18:19:44 22,528 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2008-05-21 03:56:15 22,528 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2007-09-17 18:19:44 45,056 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2008-05-21 03:56:14 45,056 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2007-09-17 18:19:44 90,112 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2008-05-21 03:56:14 90,112 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
- 2007-09-17 18:33:56 12,288 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-05-28 16:26:19 12,288 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-09-17 18:33:56 135,168 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-05-28 16:26:19 135,168 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-09-17 18:33:56 11,264 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-05-28 16:26:19 11,264 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-09-17 18:33:56 27,136 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-05-28 16:26:19 27,136 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-09-17 18:33:56 4,096 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-05-28 16:26:19 4,096 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-09-17 18:33:56 794,624 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-05-28 16:26:19 794,624 ----a-r C:\WINDOWS\Installer\{90E00409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-01-28 19:44:28 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
+ 2006-10-19 02:47:08 7,168 ----a-w C:\WINDOWS\system32\asferror.dll
- 2005-01-28 19:44:28 484,352 ----a-w C:\WINDOWS\system32\Audiodev.dll
+ 2006-10-19 02:47:08 276,992 ----a-w C:\WINDOWS\system32\audiodev.dll
+ 2005-10-29 04:49:40 133,120 ------w C:\WINDOWS\system32\axaltocm.dll
+ 2005-10-28 21:40:16 96,792 ------w C:\WINDOWS\system32\basecsp.dll
+ 2005-10-29 04:49:40 25,600 ------w C:\WINDOWS\system32\bcsprsrc.dll
- 2004-08-04 12:00:00 286,208 ----a-w C:\WINDOWS\system32\blackbox.dll
+ 2006-10-19 02:47:10 542,720 ----a-w C:\WINDOWS\system32\blackbox.dll
- 2005-01-28 19:44:28 164,864 ----a-w C:\WINDOWS\system32\cewmdm.dll
+ 2006-10-19 02:47:10 229,376 ----a-w C:\WINDOWS\system32\cewmdm.dll
- 2005-01-28 19:44:28 8,192 -c--a-w C:\WINDOWS\system32\dllcache\asferror.dll
+ 2006-10-19 02:47:08 7,168 -c--a-w C:\WINDOWS\system32\dllcache\asferror.dll
- 2004-08-04 12:00:00 286,208 -c--a-w C:\WINDOWS\system32\dllcache\blackbox.dll
+ 2006-10-19 02:47:10 542,720 -c--a-w C:\WINDOWS\system32\dllcache\blackbox.dll
- 2005-01-28 19:44:28 164,864 -c--a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
+ 2006-10-19 02:47:10 229,376 -c--a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
- 2004-08-04 12:00:00 695,296 -c--a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
+ 2006-10-19 02:47:10 991,744 -c--a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
- 2005-01-28 19:44:28 6,656 -c--a-w C:\WINDOWS\system32\dllcache\laprxy.dll
+ 2006-10-19 02:47:14 11,264 -c--a-w C:\WINDOWS\system32\dllcache\LAPRXY.dll
- 2005-01-28 19:44:28 96,768 -c--a-w C:\WINDOWS\system32\dllcache\logagent.exe
+ 2006-10-19 01:03:58 100,864 -c--a-w C:\WINDOWS\system32\dllcache\logagent.exe
- 2004-08-04 12:00:00 310,272 -c--a-w C:\WINDOWS\system32\dllcache\mp43dmod.dll
+ 2006-10-19 02:47:14 4,096 -c--a-w C:\WINDOWS\system32\dllcache\MP43DMOD.dll
- 2004-08-04 12:00:00 384,512 -c--a-w C:\WINDOWS\system32\dllcache\mp4sdmod.dll
+ 2006-10-19 02:47:14 4,096 -c--a-w C:\WINDOWS\system32\dllcache\MP4SDMOD.dll
- 2004-08-04 12:00:00 240,640 -c--a-w C:\WINDOWS\system32\dllcache\mpg4dmod.dll
+ 2006-10-19 02:47:14 4,096 -c--a-w C:\WINDOWS\system32\dllcache\MPG4DMOD.dll
- 2005-01-28 19:44:28 352,256 -c--a-w C:\WINDOWS\system32\dllcache\mpvis.dll
+ 2006-10-19 02:47:14 243,712 -c--a-w C:\WINDOWS\system32\dllcache\mpvis.dll
- 2004-08-04 12:00:00 259,072 -c--a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
+ 2006-10-19 02:47:16 179,712 -c--a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
- 2005-01-28 19:44:28 25,088 -c--a-w C:\WINDOWS\system32\dllcache\mspmsnsv.dll
+ 2006-10-19 02:47:16 27,136 -c--a-w C:\WINDOWS\system32\dllcache\mspmsnsv.dll
- 2005-01-28 19:44:28 173,568 -c--a-w C:\WINDOWS\system32\dllcache\mspmsp.dll
+ 2006-10-19 02:47:16 175,616 -c--a-w C:\WINDOWS\system32\dllcache\mspmsp.dll
- 2005-01-28 19:44:28 364,784 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
+ 2006-12-04 21:21:50 414,720 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
- 2005-01-28 19:44:28 315,904 -c--a-w C:\WINDOWS\system32\dllcache\mswmdm.dll
+ 2006-10-19 02:47:16 321,536 -c--a-w C:\WINDOWS\system32\dllcache\mswmdm.dll
- 2005-01-28 19:44:28 221,184 -c--a-w C:\WINDOWS\system32\dllcache\qasf.dll
+ 2006-10-19 02:47:18 211,456 -c--a-w C:\WINDOWS\system32\dllcache\qasf.dll
- 2005-01-28 19:44:28 819,200 -c--a-w C:\WINDOWS\system32\dllcache\setup_wm.exe
+ 2006-11-01 23:31:38 1,669,120 -c--a-w C:\WINDOWS\system32\dllcache\setup_wm.exe
- 2005-01-28 19:44:28 192,512 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2007-06-27 03:10:26 317,440 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
- 2005-01-28 19:44:28 396,528 -c--a-w C:\WINDOWS\system32\dllcache\wmadmod.dll
+ 2006-10-19 02:47:18 757,248 -c--a-w C:\WINDOWS\system32\dllcache\WMADMOD.dll
- 2005-01-28 19:44:28 716,288 -c--a-w C:\WINDOWS\system32\dllcache\wmadmoe.dll
+ 2006-10-19 02:47:18 1,117,696 -c--a-w C:\WINDOWS\system32\dllcache\WMADMOE.dll
- 2007-10-27 23:40:06 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-27 22:40:30 222,720 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2005-01-28 19:44:28 28,160 -c--a-w C:\WINDOWS\system32\dllcache\wmdmlog.dll
+ 2006-10-19 02:47:18 33,792 -c--a-w C:\WINDOWS\system32\dllcache\wmdmlog.dll
- 2005-01-28 19:44:28 33,792 -c--a-w C:\WINDOWS\system32\dllcache\wmdmps.dll
+ 2006-10-19 02:47:18 37,376 -c--a-w C:\WINDOWS\system32\dllcache\wmdmps.dll
- 2005-01-28 19:44:28 189,440 -c--a-w C:\WINDOWS\system32\dllcache\wmerror.dll
+ 2006-10-19 02:47:20 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmerror.dll
- 2005-01-28 19:44:28 150,016 -c--a-w C:\WINDOWS\system32\dllcache\wmidx.dll
+ 2006-10-19 02:47:20 157,184 -c--a-w C:\WINDOWS\system32\dllcache\wmidx.dll
- 2005-01-28 19:44:28 1,027,072 -c--a-w C:\WINDOWS\system32\dllcache\wmnetmgr.dll
+ 2006-10-19 02:47:20 937,984 -c--a-w C:\WINDOWS\system32\dllcache\WMNetMgr.dll
- 2007-04-30 13:20:24 5,537,792 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-06-12 04:51:12 10,834,944 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
- 2005-01-28 19:44:28 135,168 -c--a-w C:\WINDOWS\system32\dllcache\wmpasf.dll
+ 2006-10-19 02:47:20 242,688 -c--a-w C:\WINDOWS\system32\dllcache\wmpasf.dll
- 2005-01-28 19:44:28 77,824 -c--a-w C:\WINDOWS\system32\dllcache\wmpband.dll
+ 2006-10-19 02:47:20 96,256 -c--a-w C:\WINDOWS\system32\dllcache\wmpband.dll
- 2005-01-28 19:44:28 282,624 -c--a-w C:\WINDOWS\system32\dllcache\wmpdxm.dll
+ 2006-10-19 02:47:20 314,880 -c--a-w C:\WINDOWS\system32\dllcache\wmpdxm.dll
- 2005-01-28 19:44:28 73,728 -c--a-w C:\WINDOWS\system32\dllcache\wmplayer.exe
+ 2006-10-19 02:46:20 64,000 -c--a-w C:\WINDOWS\system32\dllcache\wmplayer.exe
- 2005-01-28 19:44:28 3,371,008 -c--a-w C:\WINDOWS\system32\dllcache\wmploc.dll
+ 2006-10-19 02:47:20 8,231,936 -c--a-w C:\WINDOWS\system32\dllcache\wmploc.dll
- 2005-01-28 19:44:28 86,016 -c--a-w C:\WINDOWS\system32\dllcache\wmpshell.dll
+ 2006-10-19 02:47:20 99,840 -c--a-w C:\WINDOWS\system32\dllcache\wmpshell.dll
- 2005-01-28 19:44:28 774,904 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
+ 2006-10-19 02:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
- 2005-01-28 19:44:28 1,119,744 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
+ 2006-10-19 02:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
- 2005-01-28 19:44:28 413,944 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmod.dll
+ 2006-10-19 02:47:22 603,648 -c--a-w C:\WINDOWS\system32\dllcache\WMSPDMOD.dll
- 2005-01-28 19:44:28 940,544 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmoe.dll
+ 2006-10-19 02:47:22 1,329,152 -c--a-w C:\WINDOWS\system32\dllcache\WMSPDMOE.dll
- 2006-12-07 05:29:34 2,374,472 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
+ 2006-10-19 02:47:22 2,450,944 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2005-01-28 19:44:28 895,736 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
+ 2006-10-19 02:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
- 2005-01-28 19:44:28 1,003,008 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
+ 2006-10-19 02:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
+ 2006-10-19 02:47:22 671,232 ------w C:\WINDOWS\system32\drivers\UMDF\wpdmtpdr.dll
- 2005-01-28 19:44:28 18,944 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
+ 2006-10-19 01:00:00 38,528 ----a-w C:\WINDOWS\system32\drivers\wpdusb.sys
+ 2006-09-28 23:55:50 77,568 ------w C:\WINDOWS\system32\drivers\WudfPf.sys
+ 2006-09-29 00:00:34 82,944 ------w C:\WINDOWS\system32\drivers\WudfRd.sys
+ 2006-10-19 01:00:46 249,856 ------w C:\WINDOWS\system32\drmupgds.exe
- 2004-08-04 12:00:00 695,296 ----a-w C:\WINDOWS\system32\drmv2clt.dll
+ 2006-10-19 02:47:10 991,744 ----a-w C:\WINDOWS\system32\drmv2clt.dll
- 2005-03-17 21:39:56 1,146,320 ----a-w C:\WINDOWS\system32\FM20.DLL
+ 2007-06-06 15:53:34 1,195,888 ----a-w C:\WINDOWS\system32\FM20.DLL
- 2003-08-18 22:26:31 25,872 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
+ 2007-03-23 00:17:04 35,440 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
+ 2008-03-12 18:10:18 633,344 ------w C:\WINDOWS\system32\gpprefcl.dll
+ 2005-10-29 04:49:40 151,552 ------w C:\WINDOWS\system32\ifxcardm.dll
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2005-01-28 19:44:28 6,656 ----a-w C:\WINDOWS\system32\laprxy.dll
+ 2006-10-19 02:47:14 11,264 ----a-w C:\WINDOWS\system32\LAPRXY.dll
- 2007-10-11 20:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 23:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
- 2005-01-28 19:44:28 96,768 ----a-w C:\WINDOWS\system32\logagent.exe
+ 2006-10-19 01:03:58 100,864 ----a-w C:\WINDOWS\system32\logagent.exe
- 2004-03-22 22:17:05 24,816 ----a-w C:\WINDOWS\system32\mdimon.dll
+ 2007-04-09 18:23:54 28,040 ----a-w C:\WINDOWS\system32\mdimon.dll
+ 2006-10-19 02:47:14 212,992 ------w C:\WINDOWS\system32\MFPLAT.dll
+ 2006-10-19 02:47:14 259,072 ------w C:\WINDOWS\system32\MP43DECD.dll
- 2004-08-04 12:00:00 310,272 ----a-w C:\WINDOWS\system32\mp43dmod.dll
+ 2006-10-19 02:47:14 4,096 ----a-w C:\WINDOWS\system32\MP43DMOD.dll
+ 2006-10-19 02:47:14 317,440 ------w C:\WINDOWS\system32\MP4SDECD.dll
- 2004-08-04 12:00:00 384,512 ----a-w C:\WINDOWS\system32\mp4sdmod.dll
+ 2006-10-19 02:47:14 4,096 ----a-w C:\WINDOWS\system32\MP4SDMOD.dll
+ 2006-10-19 02:47:14 259,072 ------w C:\WINDOWS\system32\MPG4DECD.dll
- 2004-08-04 12:00:00 240,640 ----a-w C:\WINDOWS\system32\mpg4dmod.dll
+ 2006-10-19 02:47:14 4,096 ----a-w C:\WINDOWS\system32\MPG4DMOD.dll
+ 2006-10-02 20:28:42 312,128 ------w C:\WINDOWS\system32\msdelta.dll
- 2004-08-04 12:00:00 259,072 ----a-w C:\WINDOWS\system32\msnetobj.dll
+ 2006-10-19 02:47:16 179,712 ----a-w C:\WINDOWS\system32\msnetobj.dll
- 2005-01-28 19:44:28 25,088 ----a-w C:\WINDOWS\system32\MsPMSNSv.dll
+ 2006-10-19 02:47:16 27,136 ----a-w C:\WINDOWS\system32\mspmsnsv.dll
- 2005-01-28 19:44:28 173,568 ----a-w C:\WINDOWS\system32\MsPMSP.dll
+ 2006-10-19 02:47:16 175,616 ----a-w C:\WINDOWS\system32\mspmsp.dll
- 2005-01-28 19:44:28 364,784 ----a-w C:\WINDOWS\system32\MSSCP.dll
+ 2006-12-04 21:21:50 414,720 ----a-w C:\WINDOWS\system32\msscp.dll
- 2005-01-28 19:44:28 315,904 ----a-w C:\WINDOWS\system32\MSWMDM.dll
+ 2006-10-19 02:47:16 321,536 ----a-w C:\WINDOWS\system32\mswmdm.dll
- 2006-12-04 19:37:58 1,317,648 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2007-05-15 20:43:10 1,320,800 ----a-w C:\WINDOWS\system32\msxml6.dll
- 2008-03-10 14:02:32 55,522 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-29 13:37:16 55,522 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-10 14:02:32 386,598 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-29 13:37:16 386,598 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2005-10-29 04:49:42 84,480 ------w C:\WINDOWS\system32\pintool.exe
+ 2006-10-19 02:47:18 284,160 ------w C:\WINDOWS\system32\PortableDeviceApi.dll
+ 2006-10-19 02:47:18 101,888 ------w C:\WINDOWS\system32\PortableDeviceClassExtension.dll
+ 2006-10-19 02:47:18 166,912 ------w C:\WINDOWS\system32\PortableDeviceTypes.dll
+ 2006-10-19 02:47:18 132,096 ------w C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
+ 2006-10-19 02:47:18 199,168 ------w C:\WINDOWS\system32\PortableDeviceWMDRM.dll
- 2005-01-28 19:44:28 221,184 ----a-w C:\WINDOWS\system32\qasf.dll
+ 2006-10-19 02:47:18 211,456 ----a-w C:\WINDOWS\system32\qasf.dll
- 2007-10-08 20:46:18 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-05 20:42:10 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2001-08-18 03:36:16 16,896 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpcabout.dll
+ 2001-08-18 03:34:26 136,192 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCFONT.DLL
+ 2004-08-04 05:56:44 10,752 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCJRR.DLL
+ 2001-08-18 03:36:16 23,040 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\HPCJRUI.DLL
+ 2001-08-18 03:34:26 8,192 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpcstr.dll
- 2004-03-22 22:17:02 765,680 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2007-04-09 18:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
- 2004-03-22 22:17:08 42,224 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2007-04-09 18:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
- 2004-03-22 22:17:02 765,680 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
+ 2007-04-09 18:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
- 2004-03-22 22:17:08 42,224 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
+ 2007-04-09 18:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
- 2004-03-22 22:17:06 25,840 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
+ 2007-04-09 18:23:54 28,552 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
- 2006-09-06 21:43:16 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2007-10-05 20:42:10 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
- 2005-01-28 19:44:28 47,104 ----a-w C:\WINDOWS\system32\uwdf.exe
+ 2006-10-19 02:58:00 8,704 ----a-w C:\WINDOWS\system32\uwdf.exe
- 2005-01-28 19:44:28 15,872 ----a-w C:\WINDOWS\system32\wdfapi.dll
+ 2006-10-19 02:47:18 4,096 ----a-w C:\WINDOWS\system32\wdfapi.dll
- 2005-01-28 19:44:28 38,912 ----a-w C:\WINDOWS\system32\wdfmgr.exe
+ 2006-10-19 02:58:00 8,704 ----a-w C:\WINDOWS\system32\wdfmgr.exe
- 2005-01-28 19:44:28 396,528 ----a-w C:\WINDOWS\system32\wmadmod.dll
+ 2006-10-19 02:47:18 757,248 ----a-w C:\WINDOWS\system32\WMADMOD.dll
- 2005-01-28 19:44:28 716,288 ----a-w C:\WINDOWS\system32\wmadmoe.dll
+ 2006-10-19 02:47:18 1,117,696 ----a-w C:\WINDOWS\system32\WMADMOE.dll
- 2007-10-27 23:40:06 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 22:40:30 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2005-01-28 19:44:28 28,160 ----a-w C:\WINDOWS\system32\WMDMLOG.dll
+ 2006-10-19 02:47:18 33,792 ----a-w C:\WINDOWS\system32\wmdmlog.dll
- 2005-01-28 19:44:28 33,792 ----a-w C:\WINDOWS\system32\WMDMPS.dll
+ 2006-10-19 02:47:18 37,376 ----a-w C:\WINDOWS\system32\wmdmps.dll
- 2005-01-28 19:44:28 335,872 ----a-w C:\WINDOWS\system32\WMDRMdev.dll
+ 2006-10-19 02:47:18 429,056 ----a-w C:\WINDOWS\system32\wmdrmdev.dll
- 2005-01-28 19:44:28 290,816 ----a-w C:\WINDOWS\system32\WMDRMNet.dll
+ 2006-10-19 02:47:20 348,672 ----a-w C:\WINDOWS\system32\wmdrmnet.dll
+ 2006-10-19 02:47:20 535,040 ------w C:\WINDOWS\system32\wmdrmsdk.dll
- 2005-01-28 19:44:28 189,440 ----a-w C:\WINDOWS\system32\wmerror.dll
+ 2006-10-19 02:47:20 227,328 ----a-w C:\WINDOWS\system32\wmerror.dll
- 2005-01-28 19:44:28 150,016 ----a-w C:\WINDOWS\system32\wmidx.dll
+ 2006-10-19 02:47:20 157,184 ----a-w C:\WINDOWS\system32\wmidx.dll
- 2005-01-28 19:44:28 1,027,072 ----a-w C:\WINDOWS\system32\wmnetmgr.dll
+ 2006-10-19 02:47:20 937,984 ----a-w C:\WINDOWS\system32\WMNetMgr.dll
- 2007-04-30 13:20:24 5,537,792 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-06-12 04:51:12 10,834,944 ----a-w C:\WINDOWS\system32\wmp.dll
- 2005-01-28 19:44:28 135,168 ----a-w C:\WINDOWS\system32\wmpasf.dll
+ 2006-10-19 02:47:20 242,688 ----a-w C:\WINDOWS\system32\wmpasf.dll
- 2005-01-28 19:44:28 282,624 ----a-w C:\WINDOWS\system32\wmpdxm.dll
+ 2006-10-19 02:47:20 314,880 ----a-w C:\WINDOWS\system32\wmpdxm.dll
+ 2006-10-19 02:47:20 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
- 2005-01-28 19:44:28 1,594,880 ----a-w C:\WINDOWS\system32\wmpencen.dll
+ 2006-10-19 02:47:20 1,661,440 ----a-w C:\WINDOWS\system32\wmpencen.dll
- 2005-01-28 19:44:28 3,371,008 ----a-w C:\WINDOWS\system32\wmploc.dll
+ 2006-10-19 02:47:20 8,231,936 ----a-w C:\WINDOWS\system32\wmploc.dll
+ 2006-10-19 02:47:20 613,376 ------w C:\WINDOWS\system32\wmpmde.dll
+ 2006-10-19 02:47:20 130,048 ------w C:\WINDOWS\system32\wmpps.dll
- 2005-01-28 19:44:28 86,016 ----a-w C:\WINDOWS\system32\wmpshell.dll
+ 2006-10-19 02:47:20 99,840 ----a-w C:\WINDOWS\system32\wmpshell.dll
- 2005-01-28 19:44:28 175,104 ----a-w C:\WINDOWS\system32\wmpsrcwp.dll
+ 2006-10-19 02:47:20 204,288 ----a-w C:\WINDOWS\system32\wmpsrcwp.dll
- 2005-01-28 19:44:28 774,904 ----a-w C:\WINDOWS\system32\wmsdmod.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmod.dll
- 2005-01-28 19:44:28 1,119,744 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
- 2005-01-28 19:44:28 413,944 ----a-w C:\WINDOWS\system32\wmspdmod.dll
+ 2006-10-19 02:47:22 603,648 ----a-w C:\WINDOWS\system32\WMSPDMOD.dll
- 2005-01-28 19:44:28 940,544 ----a-w C:\WINDOWS\system32\wmspdmoe.dll
+ 2006-10-19 02:47:22 1,329,152 ----a-w C:\WINDOWS\system32\WMSPDMOE.dll
- 2005-01-28 19:44:28 1,218,808 ----a-w C:\WINDOWS\system32\wmvadvd.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\WMVADVD.dll
- 2005-01-28 19:44:28 1,512,448 ----a-w C:\WINDOWS\system32\WMVADVE.DLL
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\WMVADVE.DLL
- 2006-12-07 05:29:34 2,374,472 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-10-19 02:47:22 2,450,944 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-10-19 02:47:22 1,543,680 ------w C:\WINDOWS\system32\WMVDECOD.dll
- 2005-01-28 19:44:28 895,736 ----a-w C:\WINDOWS\system32\wmvdmod.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmod.dll
- 2005-01-28 19:44:28 1,003,008 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2006-10-19 02:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2006-10-19 02:47:22 1,574,912 ------w C:\WINDOWS\system32\WMVENCOD.dll
+ 2006-10-19 02:47:22 1,382,912 ------w C:\WINDOWS\system32\WMVSDECD.dll
+ 2006-10-19 02:47:22 767,488 ------w C:\WINDOWS\system32\WMVSENCD.dll
+ 2006-10-19 02:47:22 656,896 ------w C:\WINDOWS\system32\WMVXENCD.dll
- 2005-01-28 19:44:28 38,912 ----a-w C:\WINDOWS\system32\wpd_ci.dll
+ 2006-10-19 02:47:22 629,760 ----a-w C:\WINDOWS\system32\wpd_ci.dll
- 2005-01-28 19:44:28 61,952 ----a-w C:\WINDOWS\system32\wpdconns.dll
+ 2006-10-19 02:47:22 35,840 ----a-w C:\WINDOWS\system32\wpdconns.dll
- 2005-01-28 19:44:28 114,176 ----a-w C:\WINDOWS\system32\wpdmtp.dll
+ 2006-10-19 02:47:22 154,624 ----a-w C:\WINDOWS\system32\wpdmtp.dll
- 2005-01-28 19:44:28 66,560 ----a-w C:\WINDOWS\system32\wpdmtpus.dll
+ 2006-10-19 02:47:22 63,488 ----a-w C:\WINDOWS\system32\wpdmtpus.dll
+ 2006-10-19 02:47:22 2,603,008 ------w C:\WINDOWS\system32\WpdShext.dll
+ 2006-10-19 01:00:14 17,408 ------w C:\WINDOWS\system32\wpdshextautoplay.exe
+ 2006-10-19 02:47:22 38,400 ------w C:\WINDOWS\system32\wpdshextres.dll
+ 2006-10-19 02:47:22 133,632 ------w C:\WINDOWS\system32\WPDShServiceObj.dll
- 2005-01-28 19:44:28 331,264 ----a-w C:\WINDOWS\system32\wpdsp.dll
+ 2006-10-19 02:47:22 356,352 ----a-w C:\WINDOWS\system32\wpdsp.dll
+ 2006-09-29 01:13:26 95,344 ------w C:\WINDOWS\system32\WUDFCoinstaller.dll
+ 2006-09-28 23:56:38 146,432 ------w C:\WINDOWS\system32\WudfHost.exe
+ 2006-09-28 23:56:16 165,376 ------w C:\WINDOWS\system32\WudfPlatform.dll
+ 2006-09-28 23:56:14 55,808 ------w C:\WINDOWS\system32\WudfSvc.dll
+ 2006-09-28 23:56:38 316,416 ------w C:\WINDOWS\system32\WUDFx.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008-01-24 20:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 04:00 136512]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 20:08 813912]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 18:52 849280]
"HostManager"="C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe" [2006-09-25 19:52 50736]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 05:00 98304]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-09-01 18:24 684032]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 17:33 155648]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2007-10-18 12:08 33280]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 20:54 623992]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2008-03-07 13:12 229376]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [2006-12-14 17:17:12 1212416]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-02-25 12:29:45 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLSID]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 KaseyaAgent;Kaseya Agent;"C:\Program Files\Kaseya\Agent\AgentMon.exe" -s []
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 17:46]
R3 KAPFA;KAPFA;C:\WINDOWS\system32\drivers\KAPFA.SYS [2008-03-07 13:12]
R3 swivsp;AC8xx Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\swivspnt.sys [2006-10-12 09:49]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-10-18 12:08]
S3 ATTRcAppSvc;AT&T RcAppSvc;"C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" []
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys [2005-05-04 10:59]
S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys [2005-05-04 11:00]
S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys [2005-05-04 11:00]
S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys [2005-05-04 11:01]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys [2005-05-04 11:01]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-10-20 10:28]

*Newly Created Service* - KAPFA
.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 17:16:28 C:\WINDOWS\Tasks\backup.job"
- C:\Documents and Settings\JEbanks\My Documents\backup.bat
"2008-05-29 16:43:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 11:41:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\BAsfIpM.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Verizon Wireless\venturi\Client\VentC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-05-29 11:46:24 - machine was rebooted [jebanks]
ComboFix-quarantined-files.txt 2008-05-29 16:46:19
ComboFix2.txt 2008-05-20 01:21:45
ComboFix3.txt 2008-05-19 21:04:18

Pre-Run: 64,991,678,464 bytes free
Post-Run: 65,096,736,768 bytes free

539 --- E O F --- 2008-05-18 03:19:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49, on 2008-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\udaterui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw6e\TMIETB.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137426204\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135268256531
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://terminal.enetsolutions.net/msrdp.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://terminal.esclawyers.com/tsweb/msrdp.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.enetsolutions.net/inc/kaxRemote.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pm.webex.com/client/v_mywebex-t20/s...ort/ieatgpc.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ESCLAWYERS.COM
O17 - HKLM\Software\..\Telephony: DomainName = ESCLAWYERS.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ESCLAWYERS.COM
O20 - Winlogon Notify: CLSID - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12846 bytes

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:27 PM

Posted 29 May 2008 - 12:43 PM

Hi cferreira,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Reboot your computer, post a fresh Hijackthis log and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:27 PM

Posted 05 June 2008 - 08:52 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users