Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

help browser hijacked


  • This topic is locked This topic is locked
7 replies to this topic

#1 dd23

dd23

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 08 December 2008 - 11:10 PM

Hi All.
I have a company laptop and recently I started noticing that when I google a topic and then clicked on a website it would take me to a anouther search page. I usually just go through my temporary internet files and delete everything evryday when I am done for the day, I clean out my harddrive on a weekly basis anything that I don't recognize goes I have been very effective till this point. All of a sudden I am haveing this problem I have downloaded adaware and spybot and spybot keeps comeing up with a browser spyware. I spend most of my time working on the computer and not very much time on the web. This is the first time that I have posted on any web site. I would thank anyone for their help. I can usually tell which files do not belong here but this time it has made it look like anouthe program that I am used to seeing, as I could not find it at all.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:54 PM, on 12/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\insight\tools\aiclient.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\FLEXlm\lmenvr.exe
C:\Program Files\iPass\iPassConnect BP\iPCAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetWaiting\NetWaiting.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\EnableProxy\EnableProxy.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPass\iPassConnect BP\downloader\ipccheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://globalsearch.bpweb.bp.com/searchleft2.asp?Button=Yes
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://durntiis/durango/default.asp
O2 - BHO: OneBPSidebar Class - {02F70F62-1717-4A69-8F51-E9B9B50B88DB} - c:\Program Files\OneBP\OneBP sidebar\ATLBPWorldCompanion.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ICFCheck] wscript.exe //Job:main C:\WINDOWS\ICF\ICF.WSF
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [C2C MaX Compression initial registry keys] C:\Program Files\MaXCompression\RegMaxComp54.exe /Q
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Asset Insight SUM] C:\insight\tools\AISOFTMN.EXE -B
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Wjotuyirogo] rundll32.exe "C:\WINDOWS\Ygepuy.dll",e
O4 - HKLM\..\Run: [Alaji] rundll32.exe "C:\WINDOWS\ujanukif.dll",e
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\NetWaiting.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Enable or Disable Proxy Server.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: OneBP sidebar - {2A788CEE-150C-46e0-97F1-E30F3D0AFAC4} - c:\Program Files\OneBP\OneBP sidebar\ATLBPWorldCompanion.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O17 - HKLM\Software\..\Telephony: DomainName = bp1.ad.bp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{448838D5-7877-44F9-92A2-CAF35A956300}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O20 - AppInit_DLLs: WXVAULT.DLL AMINIT.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\insight\tools\aiclient.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: FLEXlm Environment Monitor - Unknown owner - C:\FLEXlm\lmenvr.exe
O23 - Service: FLEXlm License Manager - Macrovision Corporation - C:\FLEXlm\lmgrd.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect BP\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect BP\iPCAgent.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OracleORACLE8_HOMEClientCache - Unknown owner - C:\oracle\Ora81\bin\ONRSD.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

--
End of file - 8929 bytes

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:36 AM

Posted 09 December 2008 - 04:30 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download random's system information tool (RSIT) and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 dd23

dd23
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 09 December 2008 - 05:20 PM

Hi Sam.
Thank you for the help here is what you requested.

info.txt logfile of random's system information tool 1.04 2008-12-09 15:12:58

======Uninstall list======

-->C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe /uninstall
-->C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe /uninstall
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Shockwave Player-->MsiExec.exe /X{A7DB362E-16DC-4E29-8A34-E74381E00B5B}
Altiris Application Metering Agent-->MsiExec.exe /I{AFCCB0E5-9D0D-409D-ABE5-C5DE75FBBC82}
Altiris Software Delivery Solution Agent-->MsiExec.exe /X{A0A1EB01-A6FD-423A-8480-364055A7C961}
Altiris Task Synchronization Agent-->MsiExec.exe /X{2851123E-5786-41BE-A3F1-A9B21E499EEB}
biolsp patch-->MsiExec.exe /I{E6095BEA-8C97-4342-B771-13BB72AC1D88}
BP Branded Wallpaper-->MsiExec.exe /I{73682347-BA4A-4341-A212-F3F7866C4F87}
BP COE Admin Password Generator Service-->MsiExec.exe /I{8AA3B3B6-FAE0-4F9A-ABF8-346339A8BB97}
BP iRAS 4.0 Suite for Passport-->MsiExec.exe /I{4A4F231C-1537-4838-912E-CB8D2178F7A0}
BP Office Templates-->MsiExec.exe /I{AB3947FF-36B2-45A0-B19D-87E3F55365D9}
BP Screen Saver - BP-Firework-->MsiExec.exe /I{4F012929-DF83-4A84-998A-7C176A288E43}
BP Screen Saver - BP-Fireworks-->MsiExec.exe /I{B36A3D2F-4042-4B5D-97E0-46C760C6B5A1}
BP Screen Saver - BP-Reverse Firework-->MsiExec.exe /I{77695564-679B-4618-A8EB-84683457BD6B}
BP Screen Saver - BP-Reverse Fireworks-->MsiExec.exe /I{59CF55C9-AA1E-47AC-A59F-93048ED20FF4}
BP Screen Saver - BP-Text-->MsiExec.exe /I{47EEADC9-49BA-4E28-B2EF-1957AC90D6F8}
BP Screen Saver - BP-Zoom-->MsiExec.exe /I{7FDBEF71-73FD-4A0F-90E4-2CB6B43EB0E0}
BP Screen Saver BP-Scope-->MsiExec.exe /I{45B2D76A-075E-417C-8782-18540317F98C}
BP Univers Fonts (Roman)-->MsiExec.exe /I{E7A8678C-CCA6-4847-B867-99E5DDB9BD07}
Broadcom Advanced Control Suite-->MsiExec.exe /X{26E1BFB0-E87E-4696-9F89-B467F01F81E5}
Broadcom TPM Driver Installer-->MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
Citrix Presentation Server Client-->MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D330 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000f5.inf
Dell Embassy Trust Suite by Wave Systems-->C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe
Dell Touchpad-->C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
DIMS Profile 2003-->C:\PROGRA~1\Landmark\UNWISE.EXE C:\PROGRA~1\Landmark\INSTALL.LOG
Document Manager Lite-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2} /l1033
DWG TrueView 2008-->C:\Program Files\DWG TrueView 2008\Setup\Setup.exe /P {B1A9CD45-A702-4E3B-91ED-8CD562869901} /M AOEM
Dynalink-->MsiExec.exe /I{3E123C8D-08BE-4499-B0C6-244BA7700F56}
ECM Remote Client-->MsiExec.exe /X{E524C8CB-1595-4ACA-9D91-4757D37CF931}
EMBASSY Security Center-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEAFE1E5-076B-430A-96D9-B567792AFA88}
EMBASSY Trust Suite by Wave Systems-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1802FA6-54E9-4B24-BD2A-B50866819795}\setup.exe" -l0x9
EnableProxy-->MsiExec.exe /I{18E879B1-28EE-4547-8AA0-C227B43D5B40}
Enterprise Vault User Extensions-->MsiExec.exe /I{03522506-11CE-42CF-86A1-1BE43F443E9A}
ETS Launch Pad-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{DD41AC25-61B2-4FC9-90AA-672F32139AC3} /l1033
ETS Upgrade-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{72FECEA1-E87F-4192-89FA-D0FBF92885BB}
Fix Paths-->MsiExec.exe /I{AAD51CEE-1F1A-467B-95C3-0E4B6E7F9CE6}
FlexLM Environment Variable Update-->MsiExec.exe /I{514D0E32-9864-4158-A54A-1637CF44BD53}
FLEXlm-->MsiExec.exe /I{C74BCEDD-CE31-4CC8-867C-13481E34DAB4}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB909095)-->"C:\WINDOWS\$NtUninstallKB909095$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
IPass Connect BP Documentation 3.0-->MsiExec.exe /I{0A1B3CFA-C8A8-47B4-8EC5-FDE7474C74B0}
iPass Connect-->C:\PROGRA~1\iPass\IPASSC~1\UNWISE.EXE C:\PROGRA~1\iPass\IPASSC~1\INSTALL.LOG
iPassConnect BP-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6FFA58-F491-11D3-8951-000000027175}\setup.exe"
iRAS SR1 Firewall Exceptions-->C:\UNWISE.EXE C:\INSTALL.LOG
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Macromedia Flash Player-->MsiExec.exe /X{27579b3c-5470-4496-be6c-0c872674f19f}
MacroMedia Shockwave 10.0.1.4-->MsiExec.exe /I{7C0D65B0-A7C4-41BF-9069-468ABD130A62}
MaX Compression Client-->MsiExec.exe /X{0044F4A6-3211-4BAB-A103-F3D7B97A9EFB}
MaX Compression Client-->MsiExec.exe /X{101923F1-624C-4180-8FE9-2F3D019A4AAE}
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
Microsoft .NET Framework 1.1 Hotfix (KB886903)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Communicator 2005 MUI Pack-->MsiExec.exe /X{2FE4F7D0-49ED-4A85-88C1-1EA443789C4F}
Microsoft Office Communicator 2005-->MsiExec.exe /X{BE5AD430-9E0C-4243-AB3F-593835869855}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Standard 2003-->MsiExec.exe /I{903A0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Viewer 2007-->MsiExec.exe /I{95120000-0052-0409-0000-0000000FF1CE}
Microsoft Organization Chart 2.0-->MsiExec.exe /I{90AE0409-6000-11D3-8CFE-0150048383C9}
Microsoft Outlook Personal Folders Backup-->MsiExec.exe /X{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}
Microsoft RunTime Components-->MsiExec.exe /I{47036C9C-6432-4C81-94A3-C12376C2936C}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MSXML 4.0 SP2 (KB925672)-->MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
NetWaiting-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
NTRU Hybrid TSS v2.0.25-->MsiExec.exe /I{0BA2A0BA-7F4D-4B7B-AE94-5F0233AC8A5A}
OneBP Sidebar Uninstall-->MsiExec.exe /I{8802CA1E-B5EE-49D2-847B-E4576082436A}
OneBP sidebar-->MsiExec.exe /I{A45E33CA-17AB-458E-BB2F-9CA12452DBCD}
Oracle ODBC and NET8-->MsiExec.exe /I{30CD77E5-4351-419B-A725-6D6667FA7F01}
oracle-->MsiExec.exe /I{CE27F8AA-1178-47AC-BA50-416E10610AE0}
PC Information Utility-->MsiExec.exe /I{ABE10779-04DD-4E40-BDF5-4852F863468D}
PowerDVD 5.7-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Preboot Manager-->MsiExec.exe /I{EE2EE62C-E27D-486A-AF6D-FA4A06E67476}
Private Information Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{0B0A2153-58A6-4244-B458-25EDF5FCD809} /l1033
QuickLink Mobile-->C:\PROGRA~1\Alltel\QUICKL~1\UNWISE.EXE C:\PROGRA~1\Alltel\QUICKL~1\INSTALL.LOG
QuickSet-->C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe -runfromtemp -l0x0009 APPDRVNT4 -removeonly
Remove Hidden Data Tool-->MsiExec.exe /X{90F80409-6000-11D3-8CFE-0150048383C9}
SAM Screen Terminal-->C:\PROGRA~1\LUFKIN~1\SAMSCR~1\UNWISE.EXE C:\PROGRA~1\LUFKIN~1\SAMSCR~1\INSTALL.LOG
Secure Update-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D1E829E9-88B8-47C6-A75E-0D40E2C09D50} /l1033
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Wizards-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4} /l1033
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
upekmsi-->MsiExec.exe /I{BE40EC9E-9466-4288-916D-C1D6C13F4A40}
Wave Infrastructure Installer-->MsiExec.exe /I{CDD4761A-3D3F-4487-9AAF-7855A36E0D31}
Wave Support Software-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{07D618CD-B016-438A-ADC9-A75BD23F85CE} /l1033
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11 Enterprise Deployment-->MsiExec.exe /X{C2CDE75C-CA51-4335-9C13-84C00E6093A5}
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Messenger 5.1 MUI Pack-->MsiExec.exe /I{BCF744BB-6BA4-4818-98DB-9DB50AE47A19}
Windows Messenger 5.1-->MsiExec.exe /I{C3A6819F-62D3-4750-AF1C-28206DDF2C2E}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Rights Management Client Backwards Compatibility SP2-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2-->MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885443-->C:\WINDOWS\$NtUninstallKB885443$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Security Patch (KB902400) Vulnerabilities in MSDTC and COM+-->MsiExec.exe /I{4022C88E-5F10-4EFE-9C1F-0E90B1DA13F8}
WinZip-->"C:\PROGRA~1\Winzip\Winzip32.exe" /uninstall

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: McAfee VirusScan Enterprise

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=c:\orawin95\bin;C:\oracle\Ora81\bin\;C:\Program Files\Oracle\jre\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\;C:\FLEXlm\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"VSEDEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"DEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"LAMHOME"=C:\FLEXlm\
"LICSRV_LICENSE_FILE"=%LM_LICENSE_FILE%
"LM_LICENSE_FILE"=27004@ramxtxus019;2013@ramxtxus019;27001@bp1xtxap129;1701@ramxtxus018;1701@bp1xtxap129;27000@bp1xtxap129;27000@ramxtxus018;27007@ramxtxus019;C:\FLEXlm\Landmark07.dat;C:\FLEXlm\lgc_bitlock.dat;C:\FLEXlm\lgc_dws.dat;C:\FLEXlm\lgc_vip.dat;C:\FLEXlm\lgc_demo.dat
"NAIPath"=\\bp1durdc001.bp1.ad.bp.com\netlogon\
"LocalRTR"=BP1DURIS001

-----------------EOF-----------------




Logfile of random's system information tool 1.04 (written by random/random)
Run by parkdc at 2008-12-09 15:12:49
Microsoft Windows XP Professional Service Pack 2
System drive C: has 139 GB (91%) free of 153 GB
Total RAM: 2038 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:56 PM, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\insight\tools\aiclient.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\FLEXlm\lmenvr.exe
C:\Program Files\iPass\iPassConnect BP\iPCAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\NetWaiting\NetWaiting.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\EnableProxy\EnableProxy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPass\iPassConnect BP\downloader\ipccheck.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Temporary Internet Files\Content.IE5\IVIRM5MB\RSIT[2].exe
C:\Program Files\Trend Micro\HijackThis\parkdc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://globalsearch.bpweb.bp.com/searchleft2.asp?Button=Yes
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://durntiis/durango/default.asp
O2 - BHO: OneBPSidebar Class - {02F70F62-1717-4A69-8F51-E9B9B50B88DB} - c:\Program Files\OneBP\OneBP sidebar\ATLBPWorldCompanion.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ICFCheck] wscript.exe //Job:main C:\WINDOWS\ICF\ICF.WSF
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [C2C MaX Compression initial registry keys] C:\Program Files\MaXCompression\RegMaxComp54.exe /Q
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Asset Insight SUM] C:\insight\tools\AISOFTMN.EXE -B
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Wjotuyirogo] rundll32.exe "C:\WINDOWS\Ygepuy.dll",e
O4 - HKLM\..\Run: [Alaji] rundll32.exe "C:\WINDOWS\ujanukif.dll",e
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\NetWaiting.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Enable or Disable Proxy Server.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: OneBP sidebar - {2A788CEE-150C-46e0-97F1-E30F3D0AFAC4} - c:\Program Files\OneBP\OneBP sidebar\ATLBPWorldCompanion.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O17 - HKLM\Software\..\Telephony: DomainName = bp1.ad.bp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{448838D5-7877-44F9-92A2-CAF35A956300}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bp1.ad.bp.com
O20 - AppInit_DLLs: WXVAULT.DLL AMINIT.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\insight\tools\aiclient.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: FLEXlm Environment Monitor - Unknown owner - C:\FLEXlm\lmenvr.exe
O23 - Service: FLEXlm License Manager - Macrovision Corporation - C:\FLEXlm\lmgrd.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect BP\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect BP\iPCAgent.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OracleORACLE8_HOMEClientCache - Unknown owner - C:\oracle\Ora81\bin\ONRSD.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

--
End of file - 8967 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F70F62-1717-4A69-8F51-E9B9B50B88DB}]
OneBPSidebar Class - c:\Program Files\OneBP\OneBP sidebar\ATLBPWorldCompanion.dll [2006-12-20 186520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 434279]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2008-07-16 58688]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"ICFCheck"=wscript.exe //Job:main C:\WINDOWS\ICF\ICF.WSF []
"McAfeeUpdaterUI"=C:\Program Files\Network Associates\Common Framework\UdaterUI.exe [2007-03-27 136768]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-07-16 111952]
"C2C MaX Compression initial registry keys"=C:\Program Files\MaXCompression\RegMaxComp54.exe [2007-06-26 121684]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]
"Apoint"=C:\Program Files\Apoint\Apoint.exe [2007-01-25 159744]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-12-09 49152]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-20 1228800]
"Document Manager"=C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe [2006-09-08 102400]
"Asset Insight SUM"=C:\insight\tools\AISOFTMN.EXE [2007-03-23 24576]
"AeXAgentLogon"=C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe [2006-09-13 139264]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe [2006-10-12 49263]
"Wjotuyirogo"=C:\WINDOWS\Ygepuy.dll [2008-12-06 40960]
"Alaji"=C:\WINDOWS\ujanukif.dll [2008-12-06 141312]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-11-16 1611480]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"ModemOnHold"=C:\Program Files\NetWaiting\NetWaiting.exe [2003-09-10 20480]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

C:\Documents and Settings\Parkdc\Start Menu\Programs\Startup
Enable or Disable Proxy Server.lnk - C:\Documents and Settings\Parkdc\Application Data\Microsoft\Installer\{18E879B1-28EE-4547-8AA0-C227B43D5B40}\Icon18E879B1.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="WXVAULT.DLL AMINIT.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-05-16 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoAdminPage"=0
"NoDevMgrPage"=0
"NoConfigPage"=0
"NoFileSysPage"=0
"NoVirtMemPage"=0
"HideLegacyLogonScripts"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=Warning - authorised users only !!
"legalnoticetext"=BP p.l.c.,its subsidiary and certain associate companies have proprietary rights in this system and data. Unauthorised access and non-permitted use of BPs system is unlawful and may result in disciplinary action and/or legal proceedings. Within the bounds of law electronic transmissions through internal and external networks may be monitored to ensure compliance with internal policies and legitimate businesses purposes. In addition,any use of BPs proprietary system is subject to all BPs policies and procedures including but not limited to the Global Internet Access and Use Policy. E-mails,like more formal methods of communication or record,should be drafted and transmitted with care,having regard to the nature and scope of their content,who the intended recipients are,and the fact that they may be deliberately or accidentally copied and may be read by unintended recipients.
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"disablecad"=0
"HideStartupScripts"=1
"HideShutdownScripts"=1
"SynchronousMachineGroupPolicy"=0
"SynchronousUserGroupPolicy"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoWindowsUpdate"=1
"ForceStartMenuLogOff"=1
"NoWelcomeScreen"=1
"NoStartMenuMyMusic"=1
"NoAutoUpdate"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoWelcomeScreen"=
"NoSMConfigurePrograms"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a3ab001-2945-11da-8015-00d0b754cabf}]
shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7cf6038-4a7c-11dc-a8cd-edc561c8a203}]
shell\AutoRun\command - E:\


======File associations======

.scr - open - "%windir%\system32\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 3 months======

2008-12-09 15:12:49 ----D---- C:\rsit
2008-12-08 18:58:31 ----D---- C:\Program Files\Trend Micro
2008-12-08 06:56:12 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
2008-12-07 21:54:25 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-07 21:54:25 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 21:09:57 ----D---- C:\Program Files\Lavasoft
2008-12-07 21:09:57 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-06 07:26:23 ----A---- C:\WINDOWS\ujanukif.dll
2008-12-06 07:14:16 ----A---- C:\WINDOWS\Ygepuy.dll
2008-11-12 07:24:28 ----D---- C:\Documents and Settings\Parkdc\Application Data\Help
2008-10-18 14:41:10 ----A---- C:\WINDOWS\system32\ptpusd.dll
2008-10-18 14:41:10 ----A---- C:\WINDOWS\system32\ptpusb.dll
2008-10-15 10:33:45 ----D---- C:\Documents and Settings\Parkdc\Application Data\U3
2008-10-13 07:15:17 ----A---- C:\WINDOWS\hpbafd.ini
2008-10-04 14:25:08 ----D---- C:\WINDOWS\system32\appmgmt

======List of files/folders modified in the last 3 months======

2008-12-09 15:12:49 ----D---- C:\WINDOWS\Temp
2008-12-09 15:12:28 ----D---- C:\WINDOWS\Prefetch
2008-12-09 12:38:34 ----D---- C:\WINDOWS
2008-12-09 12:38:15 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-09 11:19:50 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-09 11:19:45 ----AD---- C:\WINDOWS\system32
2008-12-09 11:19:45 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-09 11:14:30 ----D---- C:\Documents and Settings\Parkdc\Application Data\ICAClient
2008-12-09 10:22:25 ----A---- C:\WINDOWS\dims32.ini
2008-12-09 10:22:20 ----A---- C:\WINDOWS\prof32.ini
2008-12-08 18:58:31 ----RD---- C:\Program Files
2008-12-08 16:28:50 ----SD---- C:\WINDOWS\Temporary Internet Files
2008-12-08 16:19:15 ----D---- C:\WINDOWS\security
2008-12-07 22:12:40 ----D---- C:\Program Files\Enigma Software Group
2008-12-07 21:10:51 ----SHD---- C:\WINDOWS\Installer
2008-12-07 21:09:57 ----D---- C:\WINDOWS\system32\drivers
2008-12-07 21:08:40 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-07 12:36:45 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-07 12:36:40 ----D---- C:\Program Files\Internet Explorer
2008-12-07 12:26:47 ----D---- C:\Program Files\BPINST
2008-12-06 18:43:26 ----D---- C:\WINDOWS\twain_32
2008-12-03 18:10:42 ----SHD---- C:\WINDOWS\CSC
2008-12-03 09:59:36 ----A---- C:\WINDOWS\system32\tadstat.txt
2008-12-03 09:57:06 ----D---- C:\INSIGHT
2008-11-26 21:34:00 ----D---- C:\LOGS
2008-11-26 21:04:59 ----D---- C:\WINDOWS\Downloaded Installations
2008-11-21 13:33:07 ----D---- C:\WINDOWS\ICF
2008-11-19 09:34:03 ----SD---- C:\Documents and Settings\Parkdc\Application Data\Microsoft
2008-11-15 09:16:26 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-27 07:13:20 ----HD---- C:\WINDOWS\inf
2008-10-23 21:49:06 ----D---- C:\Documents and Settings\Parkdc\Application Data\Macromedia
2008-10-15 09:57:55 ----A---- C:\WINDOWS\system32\netapi32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-07-16 52104]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2006-03-24 15793]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 pmem;pmem; C:\WINDOWS\system32\DRIVERS\pmemnt.sys [2004-07-12 7012]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP/Vista; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2007-02-17 132608]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-03-13 160256]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 guardian2;guardian2; C:\WINDOWS\System32\Drivers\oz776.sys [2007-02-23 56576]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-11-02 989696]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-11-02 209152]
R3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2007-04-20 100992]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-05-16 5707744]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-07-16 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-07-16 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-07-16 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-07-16 174952]
R3 NETw4x32;Intel® Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-02-25 2203520]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-02-19 1228296]
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2006-01-16 28800]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-10-25 27264]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2006-02-20 58240]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-11-02 730112]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-04 42496]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
S3 atirage3;atirage3; C:\WINDOWS\system32\DRIVERS\atimpae.sys [2001-08-17 75136]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 ess;ESS Audio Driver (WDM); C:\WINDOWS\system32\drivers\ess.sys [2001-08-17 63360]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-05-07 493896]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS []
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AeXNSClient;Altiris Agent; C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe [2006-09-13 1257472]
R2 AICLIENT;Asset Insight Client; C:\insight\tools\aiclient.exe [2007-08-21 241664]
R2 DataSvr2;DataSvr2; C:\Program Files\Wave Systems Corp\Common\DataServer.exe [2006-09-05 315392]
R2 FLEXlm Environment Monitor;FLEXlm Environment Monitor; C:\FLEXlm\lmenvr.exe [2002-07-09 40486]
R2 iPCAgent;iPCAgent; C:\Program Files\iPass\iPassConnect BP\iPCAgent.exe [2004-10-19 90112]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2007-03-27 104000]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2008-07-16 144704]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2008-07-16 54608]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [2007-07-20 475136]
R2 STacSV;SigmaTel Audio Service; C:\WINDOWS\system32\StacSV.exe [2007-02-19 90112]
R2 tcsd_win32.exe;NTRU Hybrid TSS v2.0.25 TCS; C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe [2006-06-12 180224]
S2 FLEXlm License Manager;FLEXlm License Manager; C:\FLEXlm\lmgrd.exe [2003-07-08 659456]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 iPassConnectEngine;iPassConnectEngine; C:\Program Files\iPass\iPassConnect BP\iPassConnectEngine.exe [2004-10-22 1028096]
S3 OracleORACLE8_HOMEClientCache;OracleORACLE8_HOMEClientCache; C:\oracle\Ora81\bin\ONRSD.EXE [2000-03-14 480180]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 CSI ECM Socket Listener;CSI ECM Socket Listener; C:\WINDOWS\system32\ECM4\Installer\EcmComSocketListenerService\EcmComSocketListenerService.exe [2003-10-17 1032192]
S4 CSIRemoteC;Configuresoft ECM Remote Client; C:\WINDOWS\system32\Ecm4\Remote\CSIRemoteCSvc.exe [2004-03-10 102400]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]
S4 PwdChanger;BP COE Admin Password Changer; C:\WINDOWS\system32\Lgnserv.exe [2001-01-29 348672]

-----------------EOF-----------------

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:36 AM

Posted 10 December 2008 - 10:00 AM

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\WINDOWS\ujanukif.dll
    C:\WINDOWS\Ygepuy.dll
    
    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Wjotuyirogo"=-
    "Alaji"=-
    
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


==================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Also post a new log from RSIT.
How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 dd23

dd23
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 10 December 2008 - 09:54 PM

Hi Sam.
Thank you so much for your help I still got one time that I got redirected but not since and I have been seaching just for the sake of searching. I had tought that the ones pointed out did not look right but I was too scared to change this myself, my spybot has been finding one browser item everytime that I run it and tea timer has been popping up with browser changes by the two log descriptions that you pin pointed. It got the point the point today that when I clicked do not allow changes today it would just pop right back up again.
Thank you again.

========== FILES ==========
C:\WINDOWS\ujanukif.dll NOT unregistered.
C:\WINDOWS\ujanukif.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\Ygepuy.dll
C:\WINDOWS\Ygepuy.dll NOT unregistered.
C:\WINDOWS\Ygepuy.dll moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Wjotuyirogo deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Alaji deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Parkdc\LOCALS~1\Temp\NAILogs\UpdaterUI_ADURPAS235687-L.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Parkdc\LOCALS~1\Temp\ev_client_log_20081210180718.txt scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Parkdc\LOCALS~1\Temp\ExchangePerflog_8484fa31283976796cbddffe.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_128.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV42.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12102008_181012

Files moved on Reboot...
C:\DOCUME~1\Parkdc\LOCALS~1\Temp\NAILogs\UpdaterUI_ADURPAS235687-L.log moved successfully.
C:\DOCUME~1\Parkdc\LOCALS~1\Temp\ev_client_log_20081210180718.txt moved successfully.
C:\DOCUME~1\Parkdc\LOCALS~1\Temp\ExchangePerflog_8484fa31283976796cbddffe.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_128.dat not found!
File C:\WINDOWS\temp\WFV42.tmp not found!


Malwarebytes' Anti-Malware 1.31
Database version: 1483
Windows 5.1.2600 Service Pack 2

12/10/2008 6:24:31 PM
mbam-log-2008-12-10 (18-24-31).txt

Scan type: Quick Scan
Objects scanned: 53412
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wjotuyirogo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 dd23

dd23
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 10 December 2008 - 11:15 PM

Hi Sam.
I hate to say it but it still happenening all of a sudden it has started again.
Thanks Dylan.

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:36 AM

Posted 11 December 2008 - 09:42 AM

Please post a new log from RSIT.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:36 AM

Posted 27 December 2008 - 11:49 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users