Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Virtumonde Infection


  • This topic is locked This topic is locked
12 replies to this topic

#1 elmongo2

elmongo2

  • Members
  • 878 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:23 PM

Posted 01 July 2008 - 05:00 PM

I have a laptop and installed software I downloaded and it turned out to be infected with the Trojan Virtumonde. I tried to get rid of it with Anti-Malware but it's still giving me problems with windows explorer locking up. I wasn't able to post a Kaspersky log because of this but was able to squeeze out a Decker report....

Deckard's System Scanner v20071014.68
Run by El Mongo on 2008-07-01 16:52:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-01 16:56:34
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\csrss.exe
C:\Windows\System32\wininit.exe
C:\Windows\System32\winlogon.exe
C:\Windows\System32\services.exe
C:\Windows\System32\lsass.exe
C:\Windows\System32\lsm.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SLsvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\AEstSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\DellTPad\ApntEx.exe
C:\Program Files\DellTPad\hidfind.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\System32\stacsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\explorer.exe
C:\Users\El Mongo\Desktop\dss.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\SearchProtocolHost.exe
C:\Windows\System32\SearchFilterHost.exe
C:\Windows\System32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...amp;ibd=2080313
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46424268-C2BE-424C-9147-DD9CC88459D9} - C:\Users\El Mongo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZFCC0X0\3077ahntdksr[1].dll
O2 - BHO: (no name) - {5420D744-7DDC-4F71-898E-DB8DEB381E74} - C:\Users\El Mongo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZFCC0X0\3077ahntdksr[1].dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: (no name) - {D53F6E09-8F68-4C30-9AFE-B37CFB48286a} - C:\Windows\System32\sgsksfnn.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\AEstSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\stacsv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\System32\VundoFixSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe


--
End of file - 11873 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 sprtsvc_dellsupportcenter (SupportSoft Sprocket Service (dellsupportcenter)) - c:\program files\dell support center\bin\sprtsvc.exe /service /p dellsupportcenter

S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>
S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-30 22:44:23 486 --a------ C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - El Mongo.job


-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-07-01 15:44:46 0 d-------- C:\Windows\Sun
2008-07-01 10:15:22 0 d-------- C:\fsaua.data
2008-06-30 23:14:53 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-06-30 23:03:27 49664 --a------ C:\Windows\system32\sgsksfnn.dll
2008-06-30 22:59:06 0 d-------- C:\VundoFix Backups
2008-06-30 17:07:04 0 d-------- C:\Windows\pss
2008-06-30 16:06:32 49664 --a------ C:\Windows\system32\brqqywvd.dll
2008-06-30 16:05:22 81920 -----n--- C:\Windows\system32\yijshink.dll
2008-06-30 15:58:33 0 d-------- C:\Program Files\MagicISO
2008-06-29 21:26:58 0 d-------- C:\Program Files\Vuze
2008-06-22 22:13:48 0 d-------- C:\Program Files\Microsoft Virtual PC
2008-06-18 22:21:10 0 d-------- C:\Users\All Users\Google Updater
2008-06-17 14:51:32 0 d-------- C:\Windows\system32\URTTEMP
2008-06-17 14:47:57 0 d-------- C:\Windows\San Andreas Mod Installer
2008-06-17 14:47:57 0 d-------- C:\Program Files\San Andreas Mod Installer
2008-06-16 23:31:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-12 23:17:55 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-12 23:17:54 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 16:37:21 0 d-------- C:\Program Files\Webroot
2008-06-04 16:37:21 0 d-------- C:\Program Files\Common Files\Webroot Shared


-- Find3M Report ---------------------------------------------------------------

2008-07-01 16:40:46 0 d-------- C:\Users\El Mongo\AppData\Roaming\U3
2008-06-30 15:35:48 0 d-------- C:\Users\El Mongo\AppData\Roaming\Azureus
2008-06-26 23:14:50 0 d-------- C:\Users\El Mongo\AppData\Roaming\LimeWire
2008-06-24 23:31:29 0 d-------- C:\Users\El Mongo\AppData\Roaming\App Launcher Gadget
2008-06-18 22:22:09 0 d-------- C:\Users\El Mongo\AppData\Roaming\Google
2008-06-18 22:21:43 0 d-------- C:\Program Files\Google
2008-06-16 23:31:50 0 d-------- C:\Program Files\Common Files
2008-06-16 23:08:37 0 d-------- C:\Users\El Mongo\AppData\Roaming\Adobe
2008-06-12 23:27:30 0 d-------- C:\Program Files\Windows Mail
2008-06-12 23:18:00 0 d-------- C:\Users\El Mongo\AppData\Roaming\Malwarebytes
2008-06-10 23:19:53 0 d-------- C:\Program Files\Winamp
2008-06-04 16:37:23 0 d-------- C:\Users\El Mongo\AppData\Roaming\Webroot
2008-06-01 22:01:51 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-01 22:01:50 0 d-------- C:\Program Files\Symantec
2008-05-30 07:36:02 0 d-------- C:\Users\El Mongo\AppData\Roaming\CyberLink
2008-05-29 20:59:51 98304 --a------ C:\Windows\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-05-26 18:23:46 0 d-------- C:\Program Files\Microsoft Games
2008-05-26 10:18:49 0 d-------- C:\Program Files\BitPim
2008-05-25 09:10:50 0 d-------- C:\Program Files\SpywareBlaster
2008-05-25 08:58:29 0 d-------- C:\Program Files\Spyware Doctor
2008-05-22 19:59:44 0 d-------- C:\Program Files\Registry Clean Expert
2008-05-22 19:52:01 0 d-------- C:\Program Files\TweakVI
2008-05-21 20:32:17 0 d-------- C:\Program Files\Common Files\Logitech
2008-05-21 20:32:13 0 d-------- C:\Program Files\Logitech
2008-05-21 20:20:37 0 d-------- C:\Program Files\EA GAMES
2008-05-21 17:46:03 0 d-------- C:\Program Files\Rockstar Games
2008-05-21 17:46:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-21 17:43:05 0 d-------- C:\Program Files\LimeWire
2008-05-21 17:32:24 0 d-------- C:\Program Files\Microsoft Expression
2008-05-21 17:13:35 0 d-------- C:\Program Files\Microsoft Works
2008-05-21 17:13:23 0 d-------- C:\Program Files\MSBuild
2008-05-21 17:12:04 0 d-------- C:\Program Files\Microsoft.NET
2008-05-21 17:09:19 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-20 22:08:20 0 d-------- C:\Users\El Mongo\AppData\Roaming\Macromedia
2008-05-20 21:55:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-20 21:39:06 0 d-------- C:\Program Files\Lavasoft
2008-05-20 21:29:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 21:22:19 0 d-------- C:\Users\El Mongo\AppData\Roaming\PC Tools
2008-05-20 21:11:00 0 d-------- C:\Program Files\MSXML 4.0
2008-05-20 20:37:35 0 d-------- C:\Users\El Mongo\AppData\Roaming\ATI
2008-05-20 20:35:32 0 d-------- C:\Users\El Mongo\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9}]
06/30/2008 04:11 PM 88576 --a------ C:\Users\El Mongo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZFCC0X0\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74}]
06/30/2008 04:11 PM 88576 --a------ C:\Users\El Mongo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZFCC0X0\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a}]
06/30/2008 11:03 PM 49664 --a------ C:\Windows\system32\sgsksfnn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [01/25/2008 12:42 AM]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [08/28/2007 12:51 AM]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [11/12/2007 06:07 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"@"="" []
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 09:24 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 09:23 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 09:23 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/20/2008 09:25 PM]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/20/2008 09:23 PM]

C:\Users\El Mongo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 4:45:42 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/13/2008 1:57:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\Windows\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
"C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\MediaDirect\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7113dcd-277a-11dd-9750-001d0949937f}]
AutoRun\command- G:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-01 16:57:41 ------------
People do dumb things. And I'm not talking about paying too much for car insurance either.

BC AdBot (Login to Remove)

 


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:23 PM

Posted 01 July 2008 - 06:58 PM

Hi, elmongo2 :thumbsup:

Welcome.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]C:\fsaua.dataC:\Windows\system32\sgsksfnn.dllC:\Windows\system32\brqqywvd.dllC:\Windows\system32\yijshink.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VundoFixSvcEmptyTemp[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Re-Scan with DSS and post the contents of the main.txt

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 elmongo2

elmongo2
  • Topic Starter

  • Members
  • 878 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:23 PM

Posted 01 July 2008 - 08:10 PM

Thank you for the quick reply! Here's my new logs.....

< [kill explorer]C:\fsaua.dataC:\Windows\system32\sgsksfnn.dllC:\Windows\system32\brqqywvd.dllC:\Windows\system32\yijshink.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VundoFixSvcEmptyTemp[start explorer] >
File/Folder [kill explorer]C:\fsaua.dataC:\Windows\system32\sgsksfnn.dllC:\Windows\system32\brqqywvd.dllC:\Windows\system32\yijshink.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VundoFixSvcEmptyTemp[start explorer] not found.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07012008_195632


Deckard's System Scanner v20071014.68
Run by El Mongo on 2008-07-01 20:07:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as El Mongo.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:05 PM, on 7/1/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\SearchProtocolHost.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\El Mongo\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ELMONG~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46424268-C2BE-424C-9147-DD9CC88459D9} - C:\Users\El Mongo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZFCC0X0\3077ahntdksr[1].dll
O2 - BHO: (no name) - {5420D744-7DDC-4F71-898E-DB8DEB381E74} - C:\Users\El Mongo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZFCC0X0\3077ahntdksr[1].dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: (no name) - {D53F6E09-8F68-4C30-9AFE-B37CFB48286a} - C:\Windows\system32\sgsksfnn.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11545 bytes

-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-07-01 19:59:39 0 d-------- C:\Program Files\Trend Micro
2008-07-01 15:44:46 0 d-------- C:\Windows\Sun
2008-07-01 10:15:22 0 d-------- C:\fsaua.data
2008-06-30 23:14:53 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-06-30 23:03:27 49664 --a------ C:\Windows\system32\sgsksfnn.dll
2008-06-30 22:59:06 0 d-------- C:\VundoFix Backups
2008-06-30 17:07:04 0 d-------- C:\Windows\pss
2008-06-30 16:06:32 49664 --a------ C:\Windows\system32\brqqywvd.dll
2008-06-30 16:05:22 81920 -----n--- C:\Windows\system32\yijshink.dll
2008-06-30 15:58:33 0 d-------- C:\Program Files\MagicISO
2008-06-29 21:26:58 0 d-------- C:\Program Files\Vuze
2008-06-22 22:13:48 0 d-------- C:\Program Files\Microsoft Virtual PC
2008-06-18 22:21:10 0 d-------- C:\Users\All Users\Google Updater
2008-06-17 14:51:32 0 d-------- C:\Windows\system32\URTTEMP
2008-06-17 14:47:57 0 d-------- C:\Windows\San Andreas Mod Installer
2008-06-17 14:47:57 0 d-------- C:\Program Files\San Andreas Mod Installer
2008-06-16 23:31:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-12 23:17:55 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-12 23:17:54 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 16:37:21 0 d-------- C:\Program Files\Webroot
2008-06-04 16:37:21 0 d-------- C:\Program Files\Common Files\Webroot Shared


-- Find3M Report ---------------------------------------------------------------

2008-07-01 20:06:46 0 d-------- C:\Users\El Mongo\AppData\Roaming\U3
2008-06-30 15:35:48 0 d-------- C:\Users\El Mongo\AppData\Roaming\Azureus
2008-06-26 23:14:50 0 d-------- C:\Users\El Mongo\AppData\Roaming\LimeWire
2008-06-24 23:31:29 0 d-------- C:\Users\El Mongo\AppData\Roaming\App Launcher Gadget
2008-06-18 22:22:09 0 d-------- C:\Users\El Mongo\AppData\Roaming\Google
2008-06-18 22:21:43 0 d-------- C:\Program Files\Google
2008-06-16 23:31:50 0 d-------- C:\Program Files\Common Files
2008-06-16 23:08:37 0 d-------- C:\Users\El Mongo\AppData\Roaming\Adobe
2008-06-12 23:27:30 0 d-------- C:\Program Files\Windows Mail
2008-06-12 23:18:00 0 d-------- C:\Users\El Mongo\AppData\Roaming\Malwarebytes
2008-06-10 23:19:53 0 d-------- C:\Program Files\Winamp
2008-06-04 16:37:23 0 d-------- C:\Users\El Mongo\AppData\Roaming\Webroot
2008-06-01 22:01:51 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-01 22:01:50 0 d-------- C:\Program Files\Symantec
2008-05-30 07:36:02 0 d-------- C:\Users\El Mongo\AppData\Roaming\CyberLink
2008-05-29 20:59:51 98304 --a------ C:\Windows\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-05-26 18:23:46 0 d-------- C:\Program Files\Microsoft Games
2008-05-26 10:18:49 0 d-------- C:\Program Files\BitPim
2008-05-25 09:10:50 0 d-------- C:\Program Files\SpywareBlaster
2008-05-25 08:58:29 0 d-------- C:\Program Files\Spyware Doctor
2008-05-22 19:59:44 0 d-------- C:\Program Files\Registry Clean Expert
2008-05-22 19:52:01 0 d-------- C:\Program Files\TweakVI
2008-05-21 20:32:17 0 d-------- C:\Program Files\Common Files\Logitech
2008-05-21 20:32:13 0 d-------- C:\Program Files\Logitech
2008-05-21 20:20:37 0 d-------- C:\Program Files\EA GAMES
2008-05-21 17:46:03 0 d-------- C:\Program Files\Rockstar Games
2008-05-21 17:46:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-21 17:43:05 0 d-------- C:\Program Files\LimeWire
2008-05-21 17:32:24 0 d-------- C:\Program Files\Microsoft Expression
2008-05-21 17:13:35 0 d-------- C:\Program Files\Microsoft Works
2008-05-21 17:13:23 0 d-------- C:\Program Files\MSBuild
2008-05-21 17:12:04 0 d-------- C:\Program Files\Microsoft.NET
2008-05-21 17:09:19 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-20 22:08:20 0 d-------- C:\Users\El Mongo\AppData\Roaming\Macromedia
2008-05-20 21:55:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-20 21:39:06 0 d-------- C:\Program Files\Lavasoft
2008-05-20 21:29:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 21:22:19 0 d-------- C:\Users\El Mongo\AppData\Roaming\PC Tools
2008-05-20 21:11:00 0 d-------- C:\Program Files\MSXML 4.0
2008-05-20 20:37:35 0 d-------- C:\Users\El Mongo\AppData\Roaming\ATI
2008-05-20 20:35:32 0 d-------- C:\Users\El Mongo\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9}]
06/30/2008 04:11 PM 88576 --a------ C:\Users\El Mongo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZFCC0X0\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74}]
06/30/2008 04:11 PM 88576 --a------ C:\Users\El Mongo\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZFCC0X0\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a}]
06/30/2008 11:03 PM 49664 --a------ C:\Windows\system32\sgsksfnn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [01/25/2008 12:42 AM]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [08/28/2007 12:51 AM]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [11/12/2007 06:07 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"@"="" []
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 09:24 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 09:23 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 09:23 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/20/2008 09:25 PM]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/20/2008 09:23 PM]

C:\Users\El Mongo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 4:45:42 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/13/2008 1:57:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\Windows\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
"C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\MediaDirect\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7113dcd-277a-11dd-9750-001d0949937f}]
AutoRun\command- G:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-01 20:08:48 ------------
People do dumb things. And I'm not talking about paying too much for car insurance either.

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:23 PM

Posted 02 July 2008 - 12:43 PM

Hi, elmongo2 :thumbsup:

The fix seems to have been inserted as a single line. As that it wont work:

< [kill explorer]C:\fsaua.dataC:\Windows\system32\sgsksfnn.dllC:\Windows\system32\brqqywvd.dllC:\Windows\system32\yijshink.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VundoFixSvcEmptyTemp[start explorer] >
File/Folder [kill explorer]C:\fsaua.dataC:\Windows\system32\sgsksfnn.dllC:\Windows\system32\brqqywvd.dllC:\Windows\system32\yijshink.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VundoFixSvcEmptyTemp[start explorer]


Open Notepad and select Format from the menu. Remove the check mark from Word Wrap. The fix should look as follows:

[kill explorer]C:\fsaua.dataC:\Windows\system32\sgsksfnn.dllC:\Windows\system32\brqqywvd.dllC:\Windows\system32\yijshink.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74}HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VundoFixSvcEmptyTemp[start explorer]

Each line separately.

Please repeat the fix and post the results.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#5 elmongo2

elmongo2
  • Topic Starter

  • Members
  • 878 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:23 PM

Posted 02 July 2008 - 12:52 PM

Oh OK I see. I'm gonna try it again and try to get it all reposted within the next half-hour.
People do dumb things. And I'm not talking about paying too much for car insurance either.

#6 elmongo2

elmongo2
  • Topic Starter

  • Members
  • 878 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:23 PM

Posted 02 July 2008 - 01:10 PM

All right I broke up the lines in OT Move It. Here's both logs again....

Explorer killed successfully
C:\fsaua.data\subscriptions moved successfully.
C:\fsaua.data\header moved successfully.
C:\fsaua.data moved successfully.
C:\Windows\system32\sgsksfnn.dll unregistered successfully.
C:\Windows\system32\sgsksfnn.dll moved successfully.
C:\Windows\system32\brqqywvd.dll unregistered successfully.
C:\Windows\system32\brqqywvd.dll moved successfully.
LoadLibrary failed for C:\Windows\system32\yijshink.dll
C:\Windows\system32\yijshink.dll NOT unregistered.
C:\Windows\system32\yijshink.dll moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46424268-C2BE-424C-9147-DD9CC88459D9}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5420D744-7DDC-4F71-898E-DB8DEB381E74}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D53F6E09-8F68-4C30-9AFE-B37CFB48286a}\\ deleted successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VundoFixSvc >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VundoFixSvc\\ deleted successfully.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07022008_130350

Deckard's System Scanner v20071014.68
Run by El Mongo on 2008-07-02 13:07:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as El Mongo.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:10 PM, on 7/2/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\El Mongo\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ELMONG~1.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\mobsync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10864 bytes

-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-01 19:59:39 0 d-------- C:\Program Files\Trend Micro
2008-07-01 15:44:46 0 d-------- C:\Windows\Sun
2008-06-30 23:14:53 24576 --a------ C:\Windows\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-06-30 22:59:06 0 d-------- C:\VundoFix Backups
2008-06-30 17:07:04 0 d-------- C:\Windows\pss
2008-06-30 15:58:33 0 d-------- C:\Program Files\MagicISO
2008-06-29 21:26:58 0 d-------- C:\Program Files\Vuze
2008-06-22 22:13:48 0 d-------- C:\Program Files\Microsoft Virtual PC
2008-06-18 22:21:10 0 d-------- C:\Users\All Users\Google Updater
2008-06-17 14:51:32 0 d-------- C:\Windows\system32\URTTEMP
2008-06-17 14:47:57 0 d-------- C:\Windows\San Andreas Mod Installer
2008-06-17 14:47:57 0 d-------- C:\Program Files\San Andreas Mod Installer
2008-06-16 23:31:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-12 23:17:55 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-12 23:17:54 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 16:37:21 0 d-------- C:\Program Files\Webroot
2008-06-04 16:37:21 0 d-------- C:\Program Files\Common Files\Webroot Shared


-- Find3M Report ---------------------------------------------------------------

2008-07-01 20:06:46 0 d-------- C:\Users\El Mongo\AppData\Roaming\U3
2008-06-30 15:35:48 0 d-------- C:\Users\El Mongo\AppData\Roaming\Azureus
2008-06-26 23:14:50 0 d-------- C:\Users\El Mongo\AppData\Roaming\LimeWire
2008-06-24 23:31:29 0 d-------- C:\Users\El Mongo\AppData\Roaming\App Launcher Gadget
2008-06-18 22:22:09 0 d-------- C:\Users\El Mongo\AppData\Roaming\Google
2008-06-18 22:21:43 0 d-------- C:\Program Files\Google
2008-06-16 23:31:50 0 d-------- C:\Program Files\Common Files
2008-06-16 23:08:37 0 d-------- C:\Users\El Mongo\AppData\Roaming\Adobe
2008-06-12 23:27:30 0 d-------- C:\Program Files\Windows Mail
2008-06-12 23:18:00 0 d-------- C:\Users\El Mongo\AppData\Roaming\Malwarebytes
2008-06-10 23:19:53 0 d-------- C:\Program Files\Winamp
2008-06-04 16:37:23 0 d-------- C:\Users\El Mongo\AppData\Roaming\Webroot
2008-06-01 22:01:51 0 d-------- C:\Program Files\Norton AntiVirus
2008-06-01 22:01:50 0 d-------- C:\Program Files\Symantec
2008-05-30 07:36:02 0 d-------- C:\Users\El Mongo\AppData\Roaming\CyberLink
2008-05-29 20:59:51 98304 --a------ C:\Windows\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2008-05-26 18:23:46 0 d-------- C:\Program Files\Microsoft Games
2008-05-26 10:18:49 0 d-------- C:\Program Files\BitPim
2008-05-25 09:10:50 0 d-------- C:\Program Files\SpywareBlaster
2008-05-25 08:58:29 0 d-------- C:\Program Files\Spyware Doctor
2008-05-22 19:59:44 0 d-------- C:\Program Files\Registry Clean Expert
2008-05-22 19:52:01 0 d-------- C:\Program Files\TweakVI
2008-05-21 20:32:17 0 d-------- C:\Program Files\Common Files\Logitech
2008-05-21 20:32:13 0 d-------- C:\Program Files\Logitech
2008-05-21 20:20:37 0 d-------- C:\Program Files\EA GAMES
2008-05-21 17:46:03 0 d-------- C:\Program Files\Rockstar Games
2008-05-21 17:46:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-21 17:43:05 0 d-------- C:\Program Files\LimeWire
2008-05-21 17:32:24 0 d-------- C:\Program Files\Microsoft Expression
2008-05-21 17:13:35 0 d-------- C:\Program Files\Microsoft Works
2008-05-21 17:13:23 0 d-------- C:\Program Files\MSBuild
2008-05-21 17:12:04 0 d-------- C:\Program Files\Microsoft.NET
2008-05-21 17:09:19 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-20 22:08:20 0 d-------- C:\Users\El Mongo\AppData\Roaming\Macromedia
2008-05-20 21:55:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-20 21:39:06 0 d-------- C:\Program Files\Lavasoft
2008-05-20 21:29:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 21:22:19 0 d-------- C:\Users\El Mongo\AppData\Roaming\PC Tools
2008-05-20 21:11:00 0 d-------- C:\Program Files\MSXML 4.0
2008-05-20 20:37:35 0 d-------- C:\Users\El Mongo\AppData\Roaming\ATI
2008-05-20 20:35:32 0 d-------- C:\Users\El Mongo\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [01/25/2008 12:42 AM]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [08/28/2007 12:51 AM]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [11/12/2007 06:07 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"@"="" []
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 09:24 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 09:23 AM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 09:23 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/20/2008 09:25 PM]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/20/2008 09:23 PM]

C:\Users\El Mongo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 4:45:42 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/13/2008 1:57:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=C:\Windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\Windows\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
"C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\MediaDirect\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7113dcd-277a-11dd-9750-001d0949937f}]
AutoRun\command- G:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-02 13:08:53 ------------
People do dumb things. And I'm not talking about paying too much for car insurance either.

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:23 PM

Posted 02 July 2008 - 03:16 PM

Hi, elmongo2 :thumbsup:

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

The rest looks clear. How is the computer doing?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#8 elmongo2

elmongo2
  • Topic Starter

  • Members
  • 878 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:23 PM

Posted 02 July 2008 - 04:03 PM

Runs better, but now when I reboot I get an error message saying "Fatal Execution Engine Error (0x7927f26e)

When I hit OK I get a box that says "dsca.exe Common Language Runtime Debugging Sercies"

"Application has generated an exception that could not be handled. Process id=0xcb0 (3248), Thread id=0xa9c (2716)
People do dumb things. And I'm not talking about paying too much for car insurance either.

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:23 PM

Posted 02 July 2008 - 05:30 PM

That is very odd.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Restart the computer.

Let me know if the error re-occurs.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#10 elmongo2

elmongo2
  • Topic Starter

  • Members
  • 878 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:23 PM

Posted 02 July 2008 - 05:39 PM

Wow it starts up and works perfect! :)

Damn. I dont know you guys do it by reading those miles and miles registry logs and fixing it but whatever you do it works! :thumbsup:

Thank you much.
People do dumb things. And I'm not talking about paying too much for car insurance either.

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:23 PM

Posted 02 July 2008 - 06:01 PM

Hi, elmongo2. :thumbsup:

Congratulations.Posted Image

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html .
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Best wishes! Posted Image

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#12 elmongo2

elmongo2
  • Topic Starter

  • Members
  • 878 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana, USA
  • Local time:03:23 PM

Posted 02 July 2008 - 06:24 PM

Thank you very much! :thumbsup:
People do dumb things. And I'm not talking about paying too much for car insurance either.

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:23 PM

Posted 11 July 2008 - 08:33 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users