spywareguard.exe & winscenter.exe malware


  • This topic is locked
15 replies to this topic

#1 ssthomps

  • Members
  • 46 posts

Posted 18 December 2008 - 06:41 PM

I am trying to get some information on removing the spywareguard.exe & winscenter.exe malware from my machine. I have not been able to successfully remove the malware from my system and it will not allow me to go to certain web sites.


info.txt logfile of random's system information tool 1.05 2008-12-18 17:38:37

======Uninstall list======

-->C:\Program Files\Common Files\McAfee\Installer\mcinst.exe "C:\Program Files\McAfee\MPF\mpfapi.inf" /uninstall
-->C:\Program Files\Spyware Guard 2008\uninstall.exe
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bejeweled 2 Deluxe (remove only)-->"C:\Program Files\Yahoo! Games\Bejeweled 2 Deluxe\Uninstall.exe"
Bejeweled Twist (remove only)-->"C:\Program Files\Yahoo! Games\Bejeweled Twist\Uninstall.exe"
BellSouth® Scan and Clean Tool-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{2FFA13E8-7E10-4CA2-A004-9582DFE20E32}
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
Business Contact Manager for Outlook 2007 SP1-->"C:\Program Files\Microsoft Small Business\Business Contact Manager\SetupBootstrap\Setup.exe" /remove {B32C4059-6E7A-41EF-AD20-56DF1872B923}
Business Contact Manager for Outlook 2007 SP1-->MsiExec.exe /X{B32C4059-6E7A-41EF-AD20-56DF1872B923}
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Network Assistant-->MsiExec.exe /I{0240BDFB-2995-4A3F-8C96-18D41282B716}
Dell Printer Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{105F3CE5-FE55-408E-BF30-E78F85BA0B12}\setup.exe" -l0x9 /UninstallOnly
Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
Full Tilt Poker-->"C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)-->C:\WINDOWS\SQL9_KB948109_ENU\Hotfix.exe /Uninstall
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 2.0 (KB922981)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {A1D5A6B2-B620-41F9-B435-10A4FF3C18A2} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Hotfix for Microsoft .NET Framework 2.0 (KB923319)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {3C87D1CF-1592-4BFA-9B3E-380580EFAF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Connections 12.1.8.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee Firewall Protection Service-->C:\Program Files\McAfee\Managed VirusScan\Agent\myinx /Script=C:\Program Files\McAfee\Managed VirusScan\Firewall\mvsFirewall.Inx /Section=DefaultUninstall
McAfee Total Protection-->C:\Program Files\McAfee\Managed VirusScan\Agent\myinx /Script=C:\Program Files\McAfee\Managed VirusScan\VScan\vsasap.inx /Section=DefaultUninstall
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office 2007 Primary Interop Assemblies-->MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Small Business 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall SMALLBUSINESSR /dll OSETUP.DLL
Microsoft Office Small Business 2007-->MsiExec.exe /X{91120000-00CA-0000-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components-->MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Monopoly (remove only)-->C:\Program Files\Yahoo! Games\Monopoly\Uninstall.exe {6517CFDF-B7A4-77B6-2371-C76608D3C976}
Monopoly Here & Now Edition (remove only)-->"C:\Program Files\Yahoo! Games\Monopoly Here & Now Edition\Uninstall.exe"
Monopoly-->MsiExec.exe /X{6517CFDF-B7A4-77B6-2371-C76608D3C976}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -l0x9 -cluninstall
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Roxio Activation Module-->MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ED8-B104-03393876DFDF}
Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SearchAssist-->C:\DELL\SearchAssist\UninstSA.bat
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sonic CinePlayer Decoder Pack-->MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb958619)-->msiexec /package {91120000-00CA-0000-0000-0000000FF1CE} /uninstall {79B301C1-DBC0-467C-AFDA-2A6CDAFA4302}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe
YouSendIt Express-->C:\Program Files\InstallShield Installation Information\{CBB6F775-E76E-49F7-98D3-1519414B1E4B}\setup.exe -runfromtemp -l0x0409
YouSendIt Plug-in for Outlook-->C:\Program Files\InstallShield Installation Information\{20DFF861-31EE-41F6-98D5-0A992AE7D116}\setup.exe -runfromtemp -l0x0409

=====HijackThis Backups=====

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080529
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O21 - SSODL: ieModule - {6E8C6F7B-6A93-441D-B589-EEF86174113B} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL etxiyb.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080529
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080529
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe

======Security center information======

AV: Total Protection Service (disabled)
FW: Total Protection Service

System event log

Computer Name: MHSA
Event Code: 7036
Message: The Network Location Awareness (NLA) service entered the running state.

Record Number: 6894
Source Name: Service Control Manager
Time Written: 20081120110622.000000-360
Event Type: information
User:

Computer Name: MHSA
Event Code: 7035
Message: The Background Intelligent Transfer Service service was successfully sent a start control.

Record Number: 6893
Source Name: Service Control Manager
Time Written: 20081120110622.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: MHSA
Event Code: 7035
Message: The Network Location Awareness (NLA) service was successfully sent a start control.

Record Number: 6892
Source Name: Service Control Manager
Time Written: 20081120110622.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: MHSA
Event Code: 7035
Message: The SSDP Discovery Service service was successfully sent a start control.

Record Number: 6891
Source Name: Service Control Manager
Time Written: 20081120110622.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: MHSA
Event Code: 7036
Message: The Fax service entered the stopped state.

Record Number: 6890
Source Name: Service Control Manager
Time Written: 20081120110622.000000-360
Event Type: information
User:

Application event log

Computer Name: MHSA
Event Code: 1102
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: Microsoft.Interop.eCRM.Excel, Version=1.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35


Record Number: 721
Source Name: .NET Runtime Optimization Service
Time Written: 20080604170448.000000-300
Event Type:
User:

Computer Name: MHSA
Event Code: 1100
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Began compiling: Microsoft.Interop.eCRM.Excel, Version=1.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35


Record Number: 720
Source Name: .NET Runtime Optimization Service
Time Written: 20080604170447.000000-300
Event Type: information
User:

Computer Name: MHSA
Event Code: 1102
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: BCMMSIDCRL.Managed, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35


Record Number: 719
Source Name: .NET Runtime Optimization Service
Time Written: 20080604170447.000000-300
Event Type:
User:

Computer Name: MHSA
Event Code: 1100
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Began compiling: BCMMSIDCRL.Managed, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35


Record Number: 718
Source Name: .NET Runtime Optimization Service
Time Written: 20080604170447.000000-300
Event Type: information
User:

Computer Name: MHSA
Event Code: 1102
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: Xceed.Compression, Version=3.2.6410.0, Culture=neutral, PublicKeyToken=ba83ff368b7563c6


Record Number: 717
Source Name: .NET Runtime Optimization Service
Time Written: 20080604170447.000000-300
Event Type:
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

-----------------EOF-----------------


Logfile of random's system information tool 1.05 (written by random/random)
Run by Felicia Thompson at 2008-12-18 17:38:26
Microsoft Windows XP Professional Service Pack 3
System drive C: has 136 GB (89%) free of 153 GB
Total RAM: 2037 MB (79% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:33 PM, on 12/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN10.tmp
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\winscenter.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
E:\RSIT.exe
E:\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Felicia Thompson.exe

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ljJBrOfC.dll
O2 - BHO: (no name) - {B7AA58A4-140C-4492-AE5E-D7A73C47F869} - C:\WINDOWS\system32\ljJdayVn.dll
O2 - BHO: (no name) - {D5BF49A2-94F1-42BD-F434-3604812C807D} - (no file)
O2 - BHO: (no name) - {fa796223-4663-4c78-9288-e6bb1104743c} - C:\WINDOWS\system32\sokinutu.dll
O4 - HKLM\..\Run: [hofohuyelu] Rundll32.exe "C:\WINDOWS\system32\tegiseme.dll",s
O4 - HKLM\..\Run: [9c810182] rundll32.exe "C:\WINDOWS\system32\belupavi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [hofohuyelu] Rundll32.exe "C:\WINDOWS\system32\tegiseme.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hofohuyelu] Rundll32.exe "C:\WINDOWS\system32\tegiseme.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\bunuwuru.dll
O20 - Winlogon Notify: ljJBrOfC - C:\WINDOWS\SYSTEM32\ljJBrOfC.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: InternetConnection - {A11398EB-B650-4F71-BA17-59C8BFB0F5D6} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\zengcnefgl.dll
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5729 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\paclgcoo.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-03-20 803864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
C:\WINDOWS\system32\ljJBrOfC.dll [2008-12-18 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7AA58A4-140C-4492-AE5E-D7A73C47F869}]
C:\WINDOWS\system32\ljJdayVn.dll [2008-12-18 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5BF49A2-94F1-42BD-F434-3604812C807D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fa796223-4663-4c78-9288-e6bb1104743c}]
C:\WINDOWS\system32\sokinutu.dll [2008-09-18 61440]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hofohuyelu"=C:\WINDOWS\system32\tegiseme.dll [2008-09-18 61440]
"9c810182"=C:\WINDOWS\system32\belupavi.dll [2008-12-18 87152]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9c810182]
C:\WINDOWS\system32\mxlubjhp.dll [2008-12-18 72704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
C:\WINDOWS\ALCMTR.EXE [2007-06-13 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe [2006-10-25 1392640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE [2007-07-25 393944]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLUPDR]
C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE [2007-02-21 140184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-05-28 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2007-06-13 162584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2007-06-13 142104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Managed Services Tray]
C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.Exe [2008-02-22 87360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MVS Splash]
C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe [2008-02-22 468288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2007-09-17 124200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe [2007-06-13 138008]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2007-06-13 16132608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spywareguard]
C:\Program Files\Spyware Guard 2008\spywareguard.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-05-28 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-05-28 7168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\bunuwuru.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-13 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljJBrOfC]
C:\WINDOWS\system32\ljJBrOfC.dll [2008-12-18 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32]
C:\WINDOWS\system32\WinCtrl32.dll [2008-12-18 16896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
InternetConnection - {A11398EB-B650-4F71-BA17-59C8BFB0F5D6} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\zengcnefgl.dll [2008-12-18 767488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\ljJBrOfC.dll [2008-12-18 34816]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\ljJdayVn
"notification packages"=scecli
C:\WINDOWS\system32\bunuwuru.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windv11.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Windv11.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe"="C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent"
"C:\Program Files\att-nap\McciBrowser.exe"="C:\Program Files\att-nap\McciBrowser.exe:*:Enabled:motivebrowser.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe"="C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe"="C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e798be8-6e28-11dd-9a62-001e4c87ab26}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2008-12-18 17:38:26 ----D---- C:\rsit
2008-12-18 17:10:56 ----A---- C:\WINDOWS\is-2A2IC.exe
2008-12-18 17:03:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-18 17:03:29 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-18 15:50:50 ----SH---- C:\WINDOWS\system32\ivapuleb.ini
2008-12-18 15:45:34 ----A---- C:\WINDOWS\system32\~.exe
2008-12-18 14:28:23 ----HD---- C:\WINDOWS\system32\GroupPolicy
2008-12-18 14:24:51 ----D---- C:\WINDOWS\system32\NtmsData
2008-12-18 14:00:01 ----D---- C:\WINDOWS\pss
2008-12-18 13:58:27 ----D---- C:\Program Files\Trend Micro
2008-12-18 13:57:05 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-18 10:55:51 ----D---- C:\WINDOWS\system32\appmgmt
2008-12-18 10:55:47 ----SHD---- C:\Config.Msi
2008-12-18 10:50:58 ----A---- C:\WINDOWS\system32\winscenter.exe
2008-12-18 10:50:54 ----A---- C:\WINDOWS\vmreg.dll
2008-12-18 10:50:54 ----A---- C:\WINDOWS\sysexplorer.exe
2008-12-18 10:50:54 ----A---- C:\WINDOWS\syscert.exe
2008-12-18 10:50:54 ----A---- C:\WINDOWS\sys.com
2008-12-18 10:50:54 ----A---- C:\WINDOWS\spoolsystem.exe
2008-12-18 10:50:54 ----A---- C:\WINDOWS\reged.exe
2008-12-18 10:50:05 ----A---- C:\Documents and Settings\All Users\Application Data\svhost.exe
2008-12-18 10:49:55 ----A---- C:\WINDOWS\system32\WinCtrl32.dll
2008-12-18 10:49:53 ----A---- C:\WINDOWS\system32\bthser.dll
2008-12-18 10:48:46 ----A---- C:\WINDOWS\system32\tyshb36rfjdf.dll
2008-12-18 10:48:37 ----D---- C:\WINDOWS\system32\cap2
2008-12-18 10:48:37 ----D---- C:\WINDOWS\system32\ain
2008-12-18 10:48:36 ----D---- C:\Temp
2008-12-18 10:48:23 ----A---- C:\WINDOWS\system32\nnnmnMFU.dll
2008-12-18 10:45:41 ----D---- C:\Program Files\Windows Defender
2008-12-18 10:44:54 ----SH---- C:\WINDOWS\system32\phjbulxm.ini
2008-12-18 10:44:50 ----A---- C:\WINDOWS\system32\mxlubjhp.dll
2008-12-18 10:42:14 ----A---- C:\WINDOWS\system32\efcYRKbb.dll
2008-12-18 10:39:48 ----A---- C:\WINDOWS\system32\etxiyb.dll
2008-12-18 10:39:47 ----A---- C:\WINDOWS\system32\cmwnogie.dll
2008-12-18 10:39:20 ----A---- C:\WINDOWS\system32\97a2c5fc-.txt
2008-12-18 10:38:50 ----ASH---- C:\WINDOWS\system32\nVyadJjl.ini2
2008-12-18 10:38:49 ----ASH---- C:\WINDOWS\system32\nVyadJjl.ini
2008-12-18 10:38:46 ----A---- C:\WINDOWS\system32\ljJdayVn.dll
2008-12-18 10:33:54 ----D---- C:\Documents and Settings\Felicia Thompson\Application Data\gadcom
2008-12-18 10:33:43 ----A---- C:\WINDOWS\system32\geBtSLEX.dll
2008-12-18 10:33:39 ----A---- C:\WINDOWS\system32\ljJBrOfC.dll
2008-12-18 10:33:38 ----A---- C:\WINDOWS\system32\prunnet.exe
2008-12-18 10:23:53 ----A---- C:\WINDOWS\system32\a.exe
2008-12-18 10:21:27 ----D---- C:\Documents and Settings\Felicia Thompson\Application Data\Apple Computer
2008-12-18 10:21:16 ----A---- C:\WINDOWS\system32\GEARAspi.dll
2008-12-18 10:20:51 ----D---- C:\Program Files\iPod
2008-12-18 10:20:47 ----D---- C:\Program Files\iTunes
2008-12-18 10:20:47 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-18 10:19:39 ----D---- C:\Program Files\QuickTime
2008-12-18 10:19:37 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-12-18 10:19:20 ----D---- C:\Program Files\Apple Software Update
2008-12-18 10:18:52 ----D---- C:\Program Files\Common Files\Apple
2008-12-18 10:18:52 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2008-12-18 10:04:48 ----A---- C:\WINDOWS\system32\ptpusb.dll
2008-12-18 10:04:33 ----A---- C:\WINDOWS\system32\ptpusd.dll
2008-12-10 17:20:20 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-10 17:19:36 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 17:19:11 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-10 17:19:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-02 16:04:20 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2008-12-02 16:04:20 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2008-12-02 16:04:20 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2008-12-02 16:04:19 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2008-12-02 16:04:19 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2008-12-02 16:04:18 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2008-12-02 16:04:18 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2008-12-02 16:04:17 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2008-12-02 16:04:17 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2008-12-02 16:04:16 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2008-12-02 16:04:16 ----A---- C:\WINDOWS\system32\d3dx10_39.dll
2008-12-02 16:04:16 ----A---- C:\WINDOWS\system32\D3DCompiler_39.dll
2008-12-02 16:04:15 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2008-12-02 16:04:14 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2008-12-02 16:04:14 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2008-12-02 16:04:14 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2008-12-02 16:04:13 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2008-12-02 16:04:12 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2008-12-02 16:04:12 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2008-12-02 16:04:12 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2008-12-02 16:04:11 ----A---- C:\WINDOWS\system32\XAudio2_0.dll
2008-12-02 16:04:10 ----A---- C:\WINDOWS\system32\xactengine3_0.dll
2008-12-02 16:04:10 ----A---- C:\WINDOWS\system32\X3DAudio1_3.dll
2008-12-02 16:04:09 ----A---- C:\WINDOWS\system32\d3dx10_37.dll
2008-12-02 16:04:09 ----A---- C:\WINDOWS\system32\D3DCompiler_37.dll
2008-12-02 16:04:08 ----A---- C:\WINDOWS\system32\xactengine2_10.dll
2008-12-02 16:04:08 ----A---- C:\WINDOWS\system32\D3DX9_37.dll
2008-12-02 16:04:06 ----A---- C:\WINDOWS\system32\d3dx10_36.dll
2008-12-02 16:04:06 ----A---- C:\WINDOWS\system32\D3DCompiler_36.dll
2008-12-02 16:04:05 ----A---- C:\WINDOWS\system32\d3dx9_36.dll
2008-12-02 16:04:04 ----A---- C:\WINDOWS\system32\xactengine2_9.dll
2008-12-02 16:04:04 ----A---- C:\WINDOWS\system32\d3dx10_35.dll
2008-12-02 16:04:04 ----A---- C:\WINDOWS\system32\D3DCompiler_35.dll
2008-12-02 16:04:03 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2008-12-02 16:04:02 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2008-12-02 16:04:02 ----A---- C:\WINDOWS\system32\X3DAudio1_2.dll
2008-12-02 16:04:01 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2008-12-02 16:04:01 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2008-12-02 16:04:00 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2008-12-02 16:04:00 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2008-12-02 16:03:59 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2008-12-02 16:03:58 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2008-12-02 16:03:58 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2008-12-02 16:03:57 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2008-12-02 16:03:57 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2008-12-02 16:03:56 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2008-12-02 16:03:56 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2008-12-02 16:03:55 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2008-12-02 16:03:55 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2008-12-02 16:03:55 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2008-12-02 16:03:54 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2008-12-02 16:03:54 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2008-12-02 16:03:53 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2008-12-02 16:03:53 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2008-12-02 16:03:52 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2008-12-02 16:03:49 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2008-12-02 16:03:48 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2008-12-02 16:03:48 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2008-12-02 16:03:48 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2008-12-02 16:03:47 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2008-12-02 16:03:47 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2008-12-02 16:03:46 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2008-12-02 16:03:46 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-12-02 16:03:45 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-12-02 16:03:45 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2008-12-02 15:10:30 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-12-02 14:57:28 ----HD---- C:\WINDOWS\msdownld.tmp
2008-12-02 14:57:23 ----D---- C:\WINDOWS\Logs
2008-12-02 13:49:27 ----D---- C:\Program Files\Full Tilt Poker
2008-12-02 13:46:21 ----D---- C:\Program Files\GamesCampus
2008-11-20 12:12:42 ----D---- C:\Program Files\Antivirus 2009

======List of files/folders modified in the last 1 months======

2008-12-18 17:36:50 ----D---- C:\Program Files\Mozilla Firefox
2008-12-18 17:30:05 ----D---- C:\WINDOWS\system32
2008-12-18 17:30:05 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-18 17:30:02 ----D---- C:\WINDOWS\Temp
2008-12-18 17:28:29 ----SD---- C:\WINDOWS\Tasks
2008-12-18 17:26:04 ----D---- C:\WINDOWS
2008-12-18 17:17:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-18 17:10:56 ----D---- C:\WINDOWS\system32\drivers
2008-12-18 17:03:29 ----RD---- C:\Program Files
2008-12-18 15:50:46 ----ASH---- C:\WINDOWS\system32\belupavi.dll
2008-12-18 14:38:43 ----SHD---- C:\System Volume Information
2008-12-18 14:26:10 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-18 14:26:05 ----D---- C:\WINDOWS\repair
2008-12-18 14:25:52 ----D---- C:\WINDOWS\Registration
2008-12-18 14:13:32 ----RASH---- C:\boot.ini
2008-12-18 14:13:32 ----A---- C:\WINDOWS\win.ini
2008-12-18 14:13:31 ----A---- C:\WINDOWS\system.ini
2008-12-18 14:13:17 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-18 11:02:37 ----SHD---- C:\WINDOWS\Installer
2008-12-18 11:02:22 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-18 11:02:05 ----HD---- C:\WINDOWS\inf
2008-12-18 10:50:52 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-18 10:48:26 ----D---- C:\WINDOWS\Prefetch
2008-12-18 10:18:52 ----D---- C:\Program Files\Common Files
2008-12-18 10:04:52 ----SHD---- C:\WINDOWS\system32\dllcache
2008-12-10 17:20:49 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-10 17:20:16 ----A---- C:\WINDOWS\imsins.BAK
2008-12-10 17:20:09 ----D---- C:\Program Files\Internet Explorer
2008-12-10 17:19:56 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-05 20:00:13 ----D---- C:\WINDOWS\Help
2008-12-05 16:54:45 ----A---- C:\WINDOWS\OEWABLog.txt
2008-12-02 16:12:08 ----SD---- C:\Documents and Settings\Felicia Thompson\Application Data\Microsoft
2008-12-02 16:04:23 ----D---- C:\WINDOWS\system32\DirectX
2008-12-02 16:03:52 ----RSD---- C:\WINDOWS\assembly
2008-12-02 13:49:27 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-01 08:47:44 ----D---- C:\Program Files\Adobe
2008-11-20 13:12:15 ----D---- C:\Program Files\Yahoo! Games

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 diskk;diskk; C:\WINDOWS\System32\drivers\diskk.sys [2008-12-18 86272]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-12-01 201320]
R1 mfetdik;McAfee Inc. mfetdik; C:\WINDOWS\system32\drivers\mfetdik.sys [2007-12-01 55016]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-03-02 109608]
R2 CSS DVP;CSS DVP; C:\WINDOWS\system32\DRIVERS\css-dvp.sys [2006-01-20 783984]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R2 Packet;Auto Internet Protocol; C:\WINDOWS\system32\DRIVERS\packet.sys [2006-12-18 12672]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2006-10-11 604928]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-06-26 254872]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-13 5760096]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-06-13 4403712]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 MfeAVFK;McAfee Inc. MfeAVFK; C:\WINDOWS\system32\drivers\MfeAVFK.sys [2007-12-01 79304]
S3 MfeBOPK;McAfee Inc. MfeBOPK; C:\WINDOWS\system32\drivers\MfeBOPK.sys [2007-12-01 35240]
S3 MfeRKDK;McAfee Inc. MfeRKDK; C:\WINDOWS\system32\drivers\MfeRKDK.sys [2007-12-01 33832]
S3 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS []
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 DLPWD;Dell Printer Status Watcher; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE [2006-12-07 95128]
R2 DLSDB;Dell Printer Status Database; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
R2 dvpapi;DvpApi; C:\Program Files\Common Files\Command Software\dvpapi.exe [2006-01-20 142416]
R2 hnmsvc;Advanced Networking Service; C:\Program Files\Dell Network Assistant\hnm_svc.exe [2007-05-25 112176]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service; C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe [2007-02-13 540776]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service; C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-02-22 169280]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2006-10-25 20480]
R3 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-05-23 841256]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 GoogleDesktopManager-010708-104812;Google Desktop Manager 5.7.801.7324; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-05-28 29744]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-28 138168]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 EngineServer;EngineServer; C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2007-12-01 14144]
S4 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [2008-01-28 303104]
S4 McShield;McShield; C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe [2007-12-01 144704]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]
S4 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]

-----------------EOF-----------------


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:08:59 PM

Posted 18 December 2008 - 07:44 PM

Hello ssthomps

Welcome to BleepingComputer :thumbsup:
========================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 ssthomps

ssthomps
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:06:59 PM

Posted 19 December 2008 - 02:21 PM

Thanks a bunch kahdah, the machine already seems to be running better. Below is the combofix report. I still get a few popups too.


ComboFix 08-12-18.03 - Felicia Thompson 2008-12-19 13:03:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1665 [GMT -6:00]
Running from: c:\documents and settings\Felicia Thompson\Desktop\ComboFix.bat.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
c:\documents and settings\All Users\Application Data\svhost.exe
c:\documents and settings\Felicia Thompson\Application Data\gadcom
c:\documents and settings\Felicia Thompson\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Antivirus 2009
c:\program files\Antivirus 2009\av2009.exe.tmp
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\windows\IE4 Error Log.txt
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\~.exe
c:\windows\system32\a.exe
c:\windows\system32\bthser.dll
c:\windows\system32\cmwnogie.dll
c:\windows\system32\drivers\Windv11.sys
c:\windows\system32\efcYRKbb.dll
c:\windows\system32\etxiyb.dll
c:\windows\system32\ivapuleb.ini
c:\windows\system32\ljJBrOfC.dll
c:\windows\system32\ljJdayVn.dll
c:\windows\system32\mxlubjhp.dll
c:\windows\system32\nnnmnMFU.dll
c:\windows\system32\nVyadJjl.ini
c:\windows\system32\nVyadJjl.ini2
c:\windows\system32\phjbulxm.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\tyshb36rfjdf.dll
c:\windows\system32\uhehoyes.ini
c:\windows\system32\WinCtrl32.dl_
c:\windows\system32\WinCtrl32.dll
c:\windows\system32\winscenter.exe
c:\windows\system32\x64
c:\windows\vmreg.dll
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Legacy_PACKET
-------\Legacy_WINDV11
-------\Service_Packet
-------\Service_Windv11


((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-19 13:16 . 2008-12-19 13:16 120 ---hs---- c:\windows\system32\uhehoyes.ini
2008-12-19 13:15 . 2008-12-19 13:15 <DIR> d-------- c:\temp\tn3
2008-12-18 17:38 . 2008-12-18 17:38 <DIR> d-------- C:\rsit
2008-12-18 17:10 . 2008-12-18 17:10 685,056 --a------ c:\windows\is-2A2IC.exe
2008-12-18 17:10 . 2008-12-18 17:10 10,498 --a------ c:\windows\is-2A2IC.msg
2008-12-18 17:10 . 2008-12-18 17:10 422 --a------ c:\windows\is-2A2IC.lst
2008-12-18 17:03 . 2008-12-18 17:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 17:03 . 2008-12-18 17:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-18 17:03 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-18 17:03 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 14:28 . 2008-12-18 14:28 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-18 14:24 . 2008-12-18 14:26 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-18 13:58 . 2008-12-18 13:58 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 10:48 . 2008-12-18 10:48 <DIR> d-------- c:\windows\system32\cap2
2008-12-18 10:48 . 2008-12-18 10:48 <DIR> d-------- c:\windows\system32\ain
2008-12-18 10:48 . 2008-12-18 10:48 <DIR> d-------- c:\temp\REX81
2008-12-18 10:48 . 2008-12-19 13:15 <DIR> d-------- C:\Temp
2008-12-18 10:48 . 2008-12-18 10:48 86,272 --a------ c:\windows\system32\drivers\diskk.sys
2008-12-18 10:48 . 2008-12-19 13:15 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-12-18 10:45 . 2008-12-18 10:45 <DIR> d-------- c:\program files\Windows Defender
2008-12-18 10:33 . 2008-12-18 10:33 45,056 --a------ c:\windows\system32\geBtSLEX.dll
2008-12-18 10:21 . 2008-12-18 10:21 <DIR> d-------- c:\documents and settings\Felicia Thompson\Application Data\Apple Computer
2008-12-18 10:21 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-18 10:21 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-18 10:20 . 2008-12-18 10:21 <DIR> d-------- c:\program files\iTunes
2008-12-18 10:20 . 2008-12-18 10:20 <DIR> d-------- c:\program files\iPod
2008-12-18 10:20 . 2008-12-18 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-18 10:19 . 2008-12-18 10:20 <DIR> d-------- c:\program files\QuickTime
2008-12-18 10:19 . 2008-12-18 10:19 <DIR> d-------- c:\program files\Apple Software Update
2008-12-18 10:19 . 2008-12-18 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-18 10:18 . 2008-12-18 10:20 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-18 10:18 . 2008-12-18 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-18 10:04 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-18 10:04 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-18 10:04 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2008-12-18 10:04 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-08 11:20 . 2008-12-08 11:22 <DIR> d-------- c:\documents and settings\Felicia Thompson\dwhelper
2008-12-05 16:54 . 2008-12-05 16:54 <DIR> d-------- c:\documents and settings\Nita Thompson\Application Data\Yahoo!
2008-12-04 19:11 . 2008-12-04 19:11 <DIR> d-------- c:\documents and settings\Jason Thompson\Application Data\Yahoo!
2008-12-02 16:03 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2008-12-02 14:57 . 2008-12-02 16:03 <DIR> d--h----- c:\windows\msdownld.tmp
2008-12-02 14:57 . 2008-12-02 14:57 <DIR> d-------- c:\windows\Logs
2008-12-02 13:49 . 2008-12-18 11:59 <DIR> d-------- c:\program files\Full Tilt Poker
2008-12-02 13:46 . 2008-12-02 13:46 <DIR> d-------- c:\program files\GamesCampus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 17:47 83,121 --sha-w c:\windows\system32\seyohehu.dll
2008-12-18 21:50 87,152 --sha-w c:\windows\system32\belupavi.dll
2008-12-18 20:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-10 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-02 19:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 19:12 --------- d-----w c:\program files\Yahoo! Games
2008-11-13 19:12 --------- d-----w c:\program files\YouSendIt
2008-11-13 19:05 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\YouSendIt
2008-11-07 22:45 2,174,976 ------w c:\windows\system32\dllcache\WMVCore.dll
2008-11-07 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-11-07 19:47 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\Yahoo!
2008-11-07 19:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-07 18:19 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-11-07 18:18 --------- d-----w c:\program files\Yahoo!
2008-10-27 21:39 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\Move Networks
2008-10-27 16:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 16:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 16:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 16:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-27 15:12 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-17 08:08 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-10 10:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 10:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 10:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-09-18 21:45 61,440 --sha-w c:\windows\system32\bunuwuru.dll
2008-09-18 21:45 61,440 --sha-w c:\windows\system32\sokinutu.dll
2008-09-18 21:45 61,440 --sha-w c:\windows\system32\tegiseme.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9c810182"="c:\windows\system32\seyohehu.dll" [2008-12-19 83121]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2006-10-25 17:48 1392640 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
--a------ 2007-07-25 14:25 393944 c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLUPDR]
--a------ 2007-02-21 23:38 140184 c:\program files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-05-28 16:14 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-06-13 17:21 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-06-13 17:21 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-11 02:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Managed Services Tray]
--a------ 2008-02-22 23:46 87360 c:\program files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MVS Splash]
--a------ 2008-02-22 23:46 468288 c:\program files\McAfee\Managed VirusScan\Agent\Splash.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 09:56 124200 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-06-13 17:21 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 11:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-05-28 16:14 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2007-06-13 18:41 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-06-13 18:41 16132608 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R1 diskk;diskk;c:\windows\system32\drivers\diskk.sys [2008-12-18 86272]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2008-06-02 140184]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart [2008-05-28 169280]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]
S4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-05-28 14144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e798be8-6e28-11dd-9a62-001e4c87ab26}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - TDSSSERV.SYS
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-12-19 c:\windows\Tasks\paclgcoo.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5090A199-DF7F-47A3-981D-FBA9C59122A3} - c:\windows\system32\ljJdayVn.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ljJBrOfC.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - (no file)
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ljJBrOfC.dll
MSConfigStartUp-9c810182 - c:\windows\system32\mxlubjhp.dll
MSConfigStartUp-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Felicia Thompson\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-19 13:15:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSjywe.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\seyohehu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-19 13:20:32 - machine was rebooted [Felicia Thompson]
ComboFix-quarantined-files.txt 2008-12-19 19:20:26

Pre-Run: 142,984,761,344 bytes free
Post-Run: 143,369,535,488 bytes free

316 --- E O F --- 2008-12-19 19:18:43
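The log above shows the usual persistence and tamper indicators of this family in one place: an HKLM Run value with a random hex name pointing at a DLL, Security Center monitoring switched off, the XP firewall disabled, a scheduled task whose only visible target is rundll32.exe, and a service whose imagepath is a TDSS* driver. The following script is an added example for this thread (not a ComboFix feature and not posted by either participant): it runs a few heuristic rules over ComboFix-style log lines. The rule names, the `triage`/`triage_summary` helpers and the sample excerpt (copied from the log posted above plus one benign HKCU Run entry) are this example's own constructions.

```python
"""Added triage helper: scan ComboFix-style log lines for the persistence and
tamper indicators seen in the log above.  Example code for this thread, not a
ComboFix feature; the rule names and heuristics are this example's own choices."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # which heuristic fired
    where: str     # registry key or task name the line belongs to
    line: str      # the offending log line


# Constructed excerpt: a handful of lines copied from the ComboFix log posted
# above, plus one benign HKCU Run entry, so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9c810182"="c:\windows\system32\seyohehu.dll" [2008-12-19 83121]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 diskk;diskk;c:\windows\system32\drivers\diskk.sys [2008-12-18 86272]

2008-12-19 c:\windows\Tasks\paclgcoo.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSjywe.sys"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+c:\\windows\\tasks\\([^\\]+)\.job$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)


def _target(data):
    """Strip ComboFix's trailing ' [date size]' annotation and surrounding quotes."""
    return data.split(" [")[0].strip().strip('"').lower()


def triage(log_text):
    """Return a list of Finding objects, one per suspicious line in log_text."""
    findings = []
    section = ""
    pending_task = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Scheduled task: the .job line is followed by "- <executable>".
        m = TASK_RE.match(line)
        if m:
            pending_task = m.group(1) + ".job"
            continue
        if pending_task and line.startswith("- "):
            # A task whose only visible target is rundll32.exe hides its real payload (the DLL argument).
            if _target(line[2:]).endswith("\\rundll32.exe"):
                findings.append(Finding("task_rundll32", pending_task, line))
            pending_task = None
            continue
        m = VALUE_RE.match(line)
        if not m or not section:
            continue
        name, data = m.group(1), m.group(2).strip()
        sec = section.lower()
        if "\\currentversion\\run" in sec:
            # A DLL as a Run value (loaded via rundll32) and a random hex value name
            # are both typical of the droppers in this thread's log.
            if _target(data).endswith(".dll"):
                findings.append(Finding("run_key_dll", section, line))
            if HEX_NAME_RE.match(name):
                findings.append(Finding("run_key_hex_name", section, line))
        elif "security center" in sec and name.lower() in ("disablemonitoring", "updatesdisablenotify") and data.endswith("1"):
            findings.append(Finding("security_center_tamper", section, line))
        elif "firewallpolicy" in sec and name.lower() == "enablefirewall" and data.startswith("0"):
            findings.append(Finding("firewall_disabled", section, line))
        elif "\\services\\" in sec and name.lower() == "imagepath" and "tdss" in data.lower():
            findings.append(Finding("tdss_service", section, line))
    return findings


def triage_summary(log_text):
    """Sorted, de-duplicated names of the rules that fired; a quick verdict."""
    return sorted({f.rule for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.where}\n    {f.line}")
```

Run against the excerpt it reports seven findings across six rules. The heuristics are deliberately narrow (they match what this particular log shows, not every variant), so a clean summary is no proof of a clean machine; the point is that the Security Center and firewall lines deserve the same attention as the file deletions, because a disabled firewall and suppressed AV monitoring are what let the backdoor stay reachable.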

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 19 December 2008 - 07:47 PM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
=========================
1. Please open Notepad
  • Click Start , then Run
  • type notepad in the Run box, then click OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
diskk


File::
c:\windows\system32\uhehoyes.ini
c:\windows\system32\drivers\diskk.sys
c:\windows\system32\drivers\core.cache.dsk
C:\windows\system32\geBtSLEX.dll
c:\windows\system32\bunuwuru.dll
c:\windows\system32\sokinutu.dll
c:\windows\system32\tegiseme.dll
c:\windows\Tasks\paclgcoo.job
c:\windows\system32\seyohehu.dll

Suspect::
c:\windows\is-2A2IC.exe
c:\windows\is-2A2IC.msg
c:\windows\is-2A2IC.lst

DirLook::
c:\windows\system32\cap2
c:\windows\system32\ain
c:\temp\REX81

Folder::
c:\temp\tn3


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (if it asks for one), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.


#5 ssthomps

ssthomps
  • Topic Starter

  • Members
  • 46 posts

Posted 23 December 2008 - 05:01 PM

Hey Kahdah, thanks again for all the help. Sorry this is a little late, but I haven't been able to get to the office to the infected machine. Below are the logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:20 PM, on 12/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\vtUnlLFY.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: vtUnlLFY - C:\WINDOWS\SYSTEM32\vtUnlLFY.dll
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5026 bytes


ComboFix 08-12-18.03 - Felicia Thompson 2008-12-23 15:49:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1632 [GMT -6:00]
Running from: c:\documents and settings\Felicia Thompson\Desktop\ComboFix.bat.exe
Command switches used :: c:\documents and settings\Felicia Thompson\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\bunuwuru.dll
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\diskk.sys
c:\windows\system32\geBtSLEX.dll
c:\windows\system32\seyohehu.dll
c:\windows\system32\sokinutu.dll
c:\windows\system32\tegiseme.dll
c:\windows\system32\uhehoyes.ini
c:\windows\Tasks\paclgcoo.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\windows\system32\a.exe
c:\windows\system32\alog.txt
c:\windows\system32\bb1.dat
c:\windows\system32\bunuwuru.dll
c:\windows\system32\cookie1.dat
c:\windows\system32\cs.dat
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\diskk.sys
c:\windows\system32\geBtSLEX.dll
c:\windows\system32\ps1.dat
c:\windows\system32\rc.dat
c:\windows\system32\seyohehu.dll
c:\windows\system32\sokinutu.dll
c:\windows\system32\tb.dr
c:\windows\system32\tegiseme.dll
c:\windows\system32\uhehoyes.ini
c:\windows\Tasks\paclgcoo.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Legacy_DISKK
-------\Service_diskk


((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-22 15:51 . 2008-12-22 15:51 317,952 --a------ c:\windows\system32\ssqqrOiG.dll
2008-12-22 15:46 . 2008-12-22 15:46 51,200 --a------ c:\windows\system32\vtUnlLFY.dll
2008-12-22 15:46 . 2008-12-22 15:46 51,200 --a------ c:\windows\system32\fccbbyVN.dll
2008-12-22 15:40 . 2008-12-22 15:40 46,592 --a------ c:\windows\system32\nods32.dll
2008-12-22 15:40 . 2008-12-22 15:40 1 --a------ c:\windows\system32\za.dat
2008-12-19 13:26 . 2008-12-19 13:26 <DIR> d-------- c:\documents and settings\Felicia Thompson\Application Data\Malwarebytes
2008-12-18 17:38 . 2008-12-18 17:38 <DIR> d-------- C:\rsit
2008-12-18 17:10 . 2008-12-18 17:10 685,056 --a------ c:\windows\is-2A2IC.exe
2008-12-18 17:10 . 2008-12-18 17:10 10,498 --a------ c:\windows\is-2A2IC.msg
2008-12-18 17:10 . 2008-12-18 17:10 422 --a------ c:\windows\is-2A2IC.lst
2008-12-18 17:03 . 2008-12-19 13:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 14:28 . 2008-12-18 14:28 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-18 14:24 . 2008-12-18 14:26 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-18 13:58 . 2008-12-18 13:58 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 10:48 . 2008-12-18 10:48 <DIR> d-------- c:\windows\system32\cap2
2008-12-18 10:48 . 2008-12-18 10:48 <DIR> d-------- c:\windows\system32\ain
2008-12-18 10:48 . 2008-12-18 10:48 <DIR> d-------- c:\temp\REX81
2008-12-18 10:48 . 2008-12-23 15:50 <DIR> d-------- C:\Temp
2008-12-18 10:45 . 2008-12-18 10:45 <DIR> d-------- c:\program files\Windows Defender
2008-12-18 10:21 . 2008-12-18 10:21 <DIR> d-------- c:\documents and settings\Felicia Thompson\Application Data\Apple Computer
2008-12-18 10:21 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-18 10:21 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-18 10:20 . 2008-12-18 10:21 <DIR> d-------- c:\program files\iTunes
2008-12-18 10:20 . 2008-12-18 10:20 <DIR> d-------- c:\program files\iPod
2008-12-18 10:20 . 2008-12-18 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-18 10:19 . 2008-12-18 10:20 <DIR> d-------- c:\program files\QuickTime
2008-12-18 10:19 . 2008-12-18 10:19 <DIR> d-------- c:\program files\Apple Software Update
2008-12-18 10:19 . 2008-12-18 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-18 10:18 . 2008-12-18 10:20 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-18 10:18 . 2008-12-18 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-18 10:04 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-18 10:04 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-18 10:04 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2008-12-18 10:04 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-08 11:20 . 2008-12-08 11:22 <DIR> d-------- c:\documents and settings\Felicia Thompson\dwhelper
2008-12-05 16:54 . 2008-12-05 16:54 <DIR> d-------- c:\documents and settings\Nita Thompson\Application Data\Yahoo!
2008-12-04 19:11 . 2008-12-04 19:11 <DIR> d-------- c:\documents and settings\Jason Thompson\Application Data\Yahoo!
2008-12-02 16:03 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2008-12-02 14:57 . 2008-12-02 16:03 <DIR> d--h----- c:\windows\msdownld.tmp
2008-12-02 14:57 . 2008-12-02 14:57 <DIR> d-------- c:\windows\Logs
2008-12-02 13:49 . 2008-12-18 11:59 <DIR> d-------- c:\program files\Full Tilt Poker
2008-12-02 13:46 . 2008-12-02 13:46 <DIR> d-------- c:\program files\GamesCampus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 20:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-10 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-02 19:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 19:12 --------- d-----w c:\program files\Yahoo! Games
2008-11-13 19:12 --------- d-----w c:\program files\YouSendIt
2008-11-13 19:05 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\YouSendIt
2008-11-07 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-11-07 19:47 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\Yahoo!
2008-11-07 19:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-07 18:19 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-11-07 18:18 --------- d-----w c:\program files\Yahoo!
2008-10-27 21:39 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\Move Networks
2008-10-27 15:12 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\temp\REX81 ----

2008-12-18 10:48 1858 --a------ c:\temp\REX81\BDF.log

---- Directory of c:\windows\system32\ain ----


---- Directory of c:\windows\system32\cap2 ----

2008-11-20 23:26 144896 --a------ c:\windows\system32\cap2\JV21CA9.exe


((((((((((((((((((((((((((((( snapshot@2008-12-19_13.18.49.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 08:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-12-19 19:15:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-23 21:59:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-19 19:15:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-23 21:59:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-19 19:15:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-23 21:59:19 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-17 08:08:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
+ 2008-09-06 05:30:42 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
+ 2008-09-06 05:29:58 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
+ 2008-09-06 05:30:06 1,480,232 ------w c:\windows\system32\LegitCheckControl.dll
- 2008-10-17 08:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-12-19 19:04:14 81,586 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-23 21:51:48 81,586 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-19 19:04:14 452,348 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-23 21:51:48 452,348 ----a-w c:\windows\system32\perfh009.dat
+ 2008-09-06 05:30:42 241,704 ------w c:\windows\system32\WgaLogon.dll
+ 2008-09-06 05:29:58 917,032 ------w c:\windows\system32\WgaTray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-22 15:46 51200 --a------ c:\windows\system32\vtUnlLFY.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\vtUnlLFY.dll" [2008-12-22 51200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnlLFY]
2008-12-22 15:46 51200 c:\windows\system32\vtUnlLFY.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2006-10-25 17:48 1392640 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
--a------ 2007-07-25 14:25 393944 c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLUPDR]
--a------ 2007-02-21 23:38 140184 c:\program files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-05-28 16:14 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-06-13 17:21 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-06-13 17:21 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-11 02:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Managed Services Tray]
--a------ 2008-02-22 23:46 87360 c:\program files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MVS Splash]
--a------ 2008-02-22 23:46 468288 c:\program files\McAfee\Managed VirusScan\Agent\Splash.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 09:56 124200 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-06-13 17:21 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 11:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-05-28 16:14 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2007-06-13 18:41 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-06-13 18:41 16132608 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2008-06-02 140184]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart [2008-05-28 169280]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]
S4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-05-28 14144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e798be8-6e28-11dd-9a62-001e4c87ab26}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - TDSSSERV.SYS
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F6E0EF5F-5F03-43f9-8E02-BBAAA95EAA9C} - nods32.dll
HKLM-Run-9c810182 - c:\windows\system32\seyohehu.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Felicia Thompson\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-23 15:59:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSjywe.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\vtUnlLFY.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-23 16:01:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-23 22:01:34
ComboFix2.txt 2008-12-19 19:20:36

Pre-Run: 143,432,761,344 bytes free
Post-Run: 143,426,187,264 bytes free

291 --- E O F --- 2008-12-22 15:47:08

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 23 December 2008 - 06:48 PM

No problem.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
TDSSSERV.SYS

File::
c:\windows\system32\ssqqrOiG.dll
c:\windows\system32\vtUnlLFY.dll
c:\windows\system32\fccbbyVN.dll
c:\windows\system32\nods32.dll

Folder::
c:\windows\system32\cap2
c:\windows\system32\ain

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnlLFY]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#7 ssthomps

ssthomps
  • Topic Starter

  • Members
  • 46 posts

Posted 05 January 2009 - 11:59 AM

ComboFix 08-12-18.03 - Felicia Thompson 2009-01-05 10:51:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1605 [GMT -6:00]
Running from: c:\documents and settings\Felicia Thompson\Desktop\ComboFix.bat.exe
Command switches used :: c:\documents and settings\Felicia Thompson\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\windows\system32\fccbbyVN.dll
c:\windows\system32\nods32.dll
c:\windows\system32\ssqqrOiG.dll
c:\windows\system32\vtUnlLFY.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ain
c:\windows\system32\cap2
c:\windows\system32\cap2\JV21CA9.exe
c:\windows\system32\fccbbyVN.dll
c:\windows\system32\nods32.dll
c:\windows\system32\ssqqrOiG.dll
c:\windows\system32\vtUnlLFY.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-05 09:50 . 2009-01-05 10:55 1,307,382 ---hs---- c:\windows\system32\ahcrpicp.ini
2009-01-05 09:50 . 2009-01-05 09:50 86,528 --a------ c:\windows\system32\pciprcha.dll
2009-01-05 09:48 . 2009-01-05 09:48 138,240 --a------ c:\windows\system32\pirxfw.dll
2009-01-05 09:48 . 2009-01-05 09:48 138,240 --a------ c:\windows\system32\ielygmut.dll
2009-01-05 09:47 . 2009-01-05 09:47 316,928 --a------ c:\windows\system32\ljJBtspQ.dll
2009-01-05 09:47 . 2009-01-05 10:17 3,227 --ahs---- c:\windows\system32\QpstBJjl.ini2
2009-01-05 09:47 . 2009-01-05 10:17 3,227 --ahs---- c:\windows\system32\QpstBJjl.ini
2009-01-05 09:42 . 2009-01-05 09:43 1,307,382 ---hs---- c:\windows\system32\fmvtuabv.ini
2009-01-05 09:42 . 2009-01-05 09:42 86,528 --a------ c:\windows\system32\vbautvmf.dll
2009-01-05 09:40 . 2009-01-05 09:40 138,240 --a------ c:\windows\system32\srmyid.dll
2009-01-05 09:40 . 2009-01-05 09:40 138,240 --a------ c:\windows\system32\mfveuxqt.dll
2009-01-02 18:23 . 2009-01-05 09:40 1,307,382 ---hs---- c:\windows\system32\ppuxoxie.ini
2009-01-02 18:20 . 2009-01-02 18:20 316,928 --a------ c:\windows\system32\pmnooLFu.dll
2009-01-02 18:20 . 2009-01-02 18:20 136,192 --a------ c:\windows\system32\wgmjlo.dll
2009-01-02 18:20 . 2009-01-02 18:20 136,192 --a------ c:\windows\system32\audmtcdy.dll
2009-01-02 18:20 . 2009-01-05 10:54 2,740 --ahs---- c:\windows\system32\uFLoonmp.ini2
2009-01-02 18:20 . 2009-01-05 10:55 2,740 --ahs---- c:\windows\system32\uFLoonmp.ini
2009-01-02 18:14 . 2009-01-02 18:14 72,192 --a------ c:\windows\system32\tuvUOfcd.dll
2008-12-22 15:40 . 2008-12-22 15:40 1 --a------ c:\windows\system32\za.dat
2008-12-19 13:26 . 2008-12-19 13:26 <DIR> d-------- c:\documents and settings\Felicia Thompson\Application Data\Malwarebytes
2008-12-18 17:38 . 2008-12-18 17:38 <DIR> d-------- C:\rsit
2008-12-18 17:10 . 2008-12-18 17:10 685,056 --a------ c:\windows\is-2A2IC.exe
2008-12-18 17:10 . 2008-12-18 17:10 10,498 --a------ c:\windows\is-2A2IC.msg
2008-12-18 17:10 . 2008-12-18 17:10 422 --a------ c:\windows\is-2A2IC.lst
2008-12-18 17:03 . 2008-12-19 13:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 14:28 . 2008-12-18 14:28 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-18 14:24 . 2008-12-18 14:26 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-18 13:58 . 2008-12-18 13:58 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 10:48 . 2008-12-18 10:48 <DIR> d-------- c:\temp\REX81
2008-12-18 10:48 . 2008-12-23 15:50 <DIR> d-------- C:\Temp
2008-12-18 10:45 . 2008-12-18 10:45 <DIR> d-------- c:\program files\Windows Defender
2008-12-18 10:21 . 2008-12-18 10:21 <DIR> d-------- c:\documents and settings\Felicia Thompson\Application Data\Apple Computer
2008-12-18 10:21 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-18 10:21 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-18 10:20 . 2008-12-18 10:21 <DIR> d-------- c:\program files\iTunes
2008-12-18 10:20 . 2008-12-18 10:20 <DIR> d-------- c:\program files\iPod
2008-12-18 10:20 . 2008-12-18 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-18 10:19 . 2008-12-18 10:20 <DIR> d-------- c:\program files\QuickTime
2008-12-18 10:19 . 2008-12-18 10:19 <DIR> d-------- c:\program files\Apple Software Update
2008-12-18 10:19 . 2008-12-18 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-18 10:18 . 2008-12-18 10:20 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-18 10:18 . 2008-12-18 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-18 10:04 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-18 10:04 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-18 10:04 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2008-12-18 10:04 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-08 11:20 . 2008-12-08 11:22 <DIR> d-------- c:\documents and settings\Felicia Thompson\dwhelper
2008-12-05 16:54 . 2008-12-05 16:54 <DIR> d-------- c:\documents and settings\Nita Thompson\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 20:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 17:59 --------- d-----w c:\program files\Full Tilt Poker
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-10 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 01:11 --------- d-----w c:\documents and settings\Jason Thompson\Application Data\Yahoo!
2008-12-02 19:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 19:46 --------- d-----w c:\program files\GamesCampus
2008-11-20 19:12 --------- d-----w c:\program files\Yahoo! Games
2008-11-13 19:12 --------- d-----w c:\program files\YouSendIt
2008-11-13 19:05 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\YouSendIt
2008-11-07 22:45 2,174,976 ------w c:\windows\system32\dllcache\WMVCore.dll
2008-11-07 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-11-07 19:47 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\Yahoo!
2008-11-07 19:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-07 18:19 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-11-07 18:18 --------- d-----w c:\program files\Yahoo!
2008-10-27 16:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 16:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 16:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 16:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-10 10:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 10:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 10:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-09-26 20:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-19_13.18.49.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 08:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-12-19 19:15:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-05 16:53:17 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-19 19:15:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-05 16:53:17 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-19 19:15:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-05 16:53:17 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-06 05:30:42 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
+ 2008-09-06 05:29:58 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
+ 2008-09-06 05:30:06 1,480,232 ------w c:\windows\system32\LegitCheckControl.dll
- 2008-10-17 08:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-12-19 19:04:14 81,586 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-05 16:34:44 81,586 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-19 19:04:14 452,348 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-05 16:34:44 452,348 ----a-w c:\windows\system32\perfh009.dat
+ 2008-09-06 05:30:42 241,704 ------w c:\windows\system32\WgaLogon.dll
+ 2008-09-06 05:29:58 917,032 ------w c:\windows\system32\WgaTray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AE21C47-99B5-4AE9-9941-095FB80EB8FB}]
2009-01-02 18:20 316928 --a------ c:\windows\system32\pmnooLFu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bde185d4-fb84-4b39-975a-3bda578683f5}]
2009-01-05 09:48 138240 --a------ c:\windows\system32\pirxfw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"9c810182"="c:\windows\system32\pciprcha.dll" [2009-01-05 86528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pirxfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\pmnooLFu

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2006-10-25 17:48 1392640 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
--a------ 2007-07-25 14:25 393944 c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLUPDR]
--a------ 2007-02-21 23:38 140184 c:\program files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-05-28 16:14 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-06-13 17:21 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-06-13 17:21 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-11 02:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Managed Services Tray]
--a------ 2008-02-22 23:46 87360 c:\program files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MVS Splash]
--a------ 2008-02-22 23:46 468288 c:\program files\McAfee\Managed VirusScan\Agent\Splash.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 09:56 124200 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-06-13 17:21 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 11:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-05-28 16:14 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2007-06-13 18:41 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-06-13 18:41 16132608 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2008-06-02 140184]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;"c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" /ServiceStart [2008-05-28 169280]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]
S4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-05-28 14144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e798be8-6e28-11dd-9a62-001e4c87ab26}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-05 c:\windows\Tasks\ermypkiw.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

2009-01-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Felicia Thompson\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 10:54:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSjywe.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\pmnooLFu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell Support Center\gs_agent\dsc.exe
.
**************************************************************************
.
Completion time: 2009-01-05 10:56:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 16:56:22
ComboFix2.txt 2008-12-23 22:01:39
ComboFix3.txt 2008-12-19 19:20:36

Pre-Run: 143,571,050,496 bytes free
Post-Run: 143,548,907,520 bytes free

309 --- E O F --- 2009-01-03 00:18:09





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:21 AM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [9c810182] rundll32.exe "C:\WINDOWS\system32\pciprcha.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: pirxfw.dll
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5011 bytes

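The logs in the post above already carry the indicators a helper reads off by hand: the O20 AppInit_DLLs entry, the hex-named O4 Run key that launches rundll32 on a DLL, the TDSSserv.sys driver service, and the ermypkiw.job task whose target is rundll32.exe. As an added example that is not part of this thread, here is a small Python triage script that pulls those patterns out of HijackThis/ComboFix-style text; the rule names are my own and the sample lines are constructed from the logs posted here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule name chosen for this example
    detail: str    # the matched entry, for the reader to verify by eye


# AppInit_DLLs is empty on a clean XP install; any value is loaded into every
# process that links user32.dll (the pirxfw.dll / dleigl.dll entries in the logs).
RE_APPINIT = re.compile(r'^(?:O20 - AppInit_DLLs:|"AppInit_DLLs"=)\s*(?P<dlls>\S.*)$')
# HijackThis O4 line: O4 - HKLM\..\Run: [name] command
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
RE_RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]*\.dll"?\s*,', re.I)
# ComboFix service key line, followed on the next line by its "imagepath" value
RE_SVC_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<svc>[^\]]+)\]$", re.I)
RE_IMAGEPATH = re.compile(r'^"imagepath"="(?P<path>[^"]+)"$', re.I)
# ComboFix scheduled task: "<date> <path>.job" followed by "- <target> [<stamp>]"
RE_JOB = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S.*\.job)$", re.I)
RE_JOB_TARGET = re.compile(r"^- (?P<target>.+?) \[", re.I)
# Security Center value that silences the "updates/antivirus" balloon warnings
RE_WSC_NOTIFY = re.compile(r'^"UpdatesDisableNotify"=dword:0*1$', re.I)


def triage(lines):
    """Return a list of Finding objects for the suspicious entries in `lines`."""
    findings = []
    pending_svc = None   # service name whose imagepath is on the next line
    pending_job = None   # .job path whose target is on the next line
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # Second line of a two-line record (service key / scheduled task).
        if pending_svc is not None:
            svc, pending_svc = pending_svc, None
            m = RE_IMAGEPATH.match(line)
            if m:
                if svc.lower().startswith("tdss") or "\\tdss" in m["path"].lower():
                    findings.append(Finding("tdss_service", f"{svc} -> {m['path']}"))
                continue
        if pending_job is not None:
            job, pending_job = pending_job, None
            m = RE_JOB_TARGET.match(line)
            if m:
                if m["target"].lower().endswith("rundll32.exe"):
                    findings.append(Finding("job_rundll32", f"{job} -> {m['target']}"))
                continue
        # Single-line records.
        m = RE_APPINIT.match(line)
        if m:
            findings.append(Finding("appinit_dlls", m["dlls"].strip()))
            continue
        m = RE_O4.match(line)
        if m:
            # A random 8-hex-digit value name that hands a DLL to rundll32 is the
            # pattern of the [9c810182] entry; named vendor entries are skipped.
            if RE_HEX_NAME.match(m["name"]) and RE_RUNDLL_DLL.search(m["cmd"]):
                findings.append(Finding("hex_run_rundll32", f"{m['name']}: {m['cmd']}"))
            continue
        if RE_WSC_NOTIFY.match(line):
            findings.append(Finding("wsc_notify_disabled", line))
            continue
        m = RE_SVC_KEY.match(line)
        if m:
            pending_svc = m["svc"]
            continue
        m = RE_JOB.match(line)
        if m:
            pending_job = m["job"]
    return findings


# Constructed sample: lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9c810182] rundll32.exe "C:\WINDOWS\system32\pciprcha.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: pirxfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSjywe.sys"
2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-01-05 c:\windows\Tasks\ermypkiw.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
""".strip().splitlines()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.detail}")
```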
#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:59 PM

Posted 05 January 2009 - 08:26 PM

Hi, please delete your version of ComboFix and then download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 ssthomps

ssthomps
  • Topic Starter

  • Members
  • 46 posts
  • Local time:06:59 PM

Posted 06 January 2009 - 03:08 PM

Here's the new ComboFix log.

ComboFix 09-01-05.05 - Felicia Thompson 2009-01-06 13:58:40.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1639 [GMT -6:00]
Running from: c:\documents and settings\Felicia Thompson\Desktop\ComboFix.exe
AV: Total Protection Service *On-access scanning disabled* (Updated)
FW: Total Protection Service *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Protect\svhost.exe
c:\windows\system32\ahcrpicp.ini
c:\windows\system32\audmtcdy.dll
c:\windows\system32\dleigl.dll
c:\windows\system32\drivers\TDSSjywe.sys
c:\windows\system32\fmvtuabv.ini
c:\windows\system32\ghnlgbcy.dll
c:\windows\system32\hjdmvppw.ini
c:\windows\system32\ielygmut.dll
c:\windows\system32\mfveuxqt.dll
c:\windows\system32\pirxfw.dll
c:\windows\system32\pmnooLFu.dll
c:\windows\system32\ppuxoxie.ini
c:\windows\system32\QpstBJjl.ini
c:\windows\system32\QpstBJjl.ini2
c:\windows\system32\srmyid.dll
c:\windows\system32\TDSSarxx.dll
c:\windows\system32\TDSSdxcp.dll
c:\windows\system32\TDSSkkaf.log
c:\windows\system32\TDSSmtpw.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnpur.dll
c:\windows\system32\TDSSoitu.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSseyf.log
c:\windows\system32\TDSSvoqm.dll
c:\windows\system32\uFLoonmp.ini
c:\windows\system32\uFLoonmp.ini2
c:\windows\system32\vbautvmf.dll
c:\windows\system32\wgmjlo.dll
c:\windows\system32\wppvmdjh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-06 13:30 . 2009-01-06 13:34 <DIR> d-------- C:\ComboFix.bat
2009-01-05 09:47 . 2009-01-05 09:47 316,928 --a------ c:\windows\system32\ljJBtspQ.dll
2009-01-02 18:14 . 2009-01-02 18:14 72,192 --a------ c:\windows\system32\tuvUOfcd.dll
2008-12-22 15:40 . 2008-12-22 15:40 1 --a------ c:\windows\system32\za.dat
2008-12-19 13:26 . 2008-12-19 13:26 <DIR> d-------- c:\documents and settings\Felicia Thompson\Application Data\Malwarebytes
2008-12-18 17:38 . 2008-12-18 17:38 <DIR> d-------- C:\rsit
2008-12-18 17:10 . 2008-12-18 17:10 685,056 --a------ c:\windows\is-2A2IC.exe
2008-12-18 17:10 . 2008-12-18 17:10 10,498 --a------ c:\windows\is-2A2IC.msg
2008-12-18 17:10 . 2008-12-18 17:10 422 --a------ c:\windows\is-2A2IC.lst
2008-12-18 17:03 . 2008-12-19 13:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-18 14:28 . 2008-12-18 14:28 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-18 14:24 . 2008-12-18 14:26 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-18 13:58 . 2008-12-18 13:58 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 10:48 . 2008-12-18 10:48 <DIR> d-------- c:\temp\REX81
2008-12-18 10:48 . 2008-12-23 15:50 <DIR> d-------- C:\Temp
2008-12-18 10:45 . 2008-12-18 10:45 <DIR> d-------- c:\program files\Windows Defender
2008-12-18 10:21 . 2008-12-18 10:21 <DIR> d-------- c:\documents and settings\Felicia Thompson\Application Data\Apple Computer
2008-12-18 10:21 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-12-18 10:21 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-18 10:20 . 2008-12-18 10:21 <DIR> d-------- c:\program files\iTunes
2008-12-18 10:20 . 2008-12-18 10:20 <DIR> d-------- c:\program files\iPod
2008-12-18 10:20 . 2008-12-18 10:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-18 10:19 . 2008-12-18 10:20 <DIR> d-------- c:\program files\QuickTime
2008-12-18 10:19 . 2008-12-18 10:19 <DIR> d-------- c:\program files\Apple Software Update
2008-12-18 10:19 . 2008-12-18 10:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-18 10:18 . 2008-12-18 10:20 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-18 10:18 . 2008-12-18 10:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-18 10:04 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-18 10:04 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-18 10:04 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2008-12-18 10:04 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-08 11:20 . 2008-12-08 11:22 <DIR> d-------- c:\documents and settings\Felicia Thompson\dwhelper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 20:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-18 17:59 --------- d-----w c:\program files\Full Tilt Poker
2008-12-10 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 22:54 --------- d-----w c:\documents and settings\Nita Thompson\Application Data\Yahoo!
2008-12-05 01:11 --------- d-----w c:\documents and settings\Jason Thompson\Application Data\Yahoo!
2008-12-02 19:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 19:46 --------- d-----w c:\program files\GamesCampus
2008-11-20 19:12 --------- d-----w c:\program files\Yahoo! Games
2008-11-13 19:12 --------- d-----w c:\program files\YouSendIt
2008-11-13 19:05 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\YouSendIt
2008-11-07 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2008-11-07 19:47 --------- d-----w c:\documents and settings\Felicia Thompson\Application Data\Yahoo!
2008-11-07 19:47 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-07 18:19 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-11-07 18:18 --------- d-----w c:\program files\Yahoo!
2008-09-26 20:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-19_13.18.49.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 08:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-12-19 19:15:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-06 19:15:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-19 19:15:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-06 19:15:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-19 19:15:35 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-06 19:15:15 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-17 08:08:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
+ 2008-09-06 05:30:42 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
+ 2008-09-06 05:29:58 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
+ 2008-09-06 05:30:06 1,480,232 ----a-w c:\windows\system32\LegitCheckControl.dll
- 2008-10-17 08:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-12-19 19:04:14 81,586 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-06 20:01:23 81,586 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-19 19:04:14 452,348 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-06 20:01:23 452,348 ----a-w c:\windows\system32\perfh009.dat
+ 2008-09-06 05:30:42 241,704 ----a-w c:\windows\system32\WgaLogon.dll
+ 2008-09-06 05:29:58 917,032 ----a-w c:\windows\system32\WgaTray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=dleigl.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2006-10-25 17:48 1392640 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
--a------ 2007-07-25 14:25 393944 c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLUPDR]
--a------ 2007-02-21 23:38 140184 c:\program files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-05-28 16:14 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-06-13 17:21 162584 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-06-13 17:21 142104 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-11 02:40 218032 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Managed Services Tray]
--a------ 2008-02-22 23:46 87360 c:\program files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MVS Splash]
--a------ 2008-02-22 23:46 468288 c:\program files\McAfee\Managed VirusScan\Agent\Splash.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 09:56 124200 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-06-13 17:21 138008 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 11:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-05-28 16:14 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2007-06-13 18:41 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-06-13 18:41 16132608 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R4 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [2008-06-02 140184]
R4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-05-28 169280]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S4 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2008-05-28 14144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e798be8-6e28-11dd-9a62-001e4c87ab26}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-05 c:\windows\Tasks\ermypkiw.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

2009-01-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4c368c00-64db-46dd-83e9-07117aa0e21d} - c:\windows\system32\dleigl.dll
BHO-{7580F1E7-BF96-48BF-A2EC-2996B6597DC5} - c:\windows\system32\pmnooLFu.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Felicia Thompson\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 14:03:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-01-06 14:06:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-06 20:06:39
ComboFix2.txt 2009-01-06 19:34:18
ComboFix3.txt 2009-01-05 16:56:31
ComboFix4.txt 2008-12-23 22:01:39
ComboFix5.txt 2009-01-06 19:51:40

Pre-Run: 143,581,327,360 bytes free
Post-Run: 143,559,335,936 bytes free

278 --- E O F --- 2009-01-03 00:18:09

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:59 PM

Posted 07 January 2009 - 08:14 AM

Please download OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\system32\ljJBtspQ.dll
    c:\windows\system32\tuvUOfcd.dll
    c:\windows\system32\za.dat
    c:\temp\REX81
    c:\windows\Tasks\ermypkiw.job
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=========================
Please post these logs in your next reply:
  • OTMoveIt3 log
  • Malwarebytes log
  • New RSIT log

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
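An added example, not part of kahdah's instructions or of OldTimer's tool: when the OTMoveIt3 results come back, a helper has to check each path from the ':files' block against the results window. The script below parses a ':files' block like the one above together with the line formats OTMoveIt3 writes ("moved successfully.", "NOT unregistered.", "File move failed. ... scheduled to be moved on reboot.", "File ... not found!") and reports, per requested path, whether it was moved, is waiting on a reboot, was not there, or never showed up in the log at all. The sample results embedded in it are constructed to exercise every branch; they are not this thread's real log.

```python
"""Reconcile an OTMoveIt3 ':files' script with the results log it produced.

Added example for this thread, not code from OldTimer's tool or from the
helper's post. It answers the question a helper asks when a results log comes
back: did every path we asked for actually leave the box, which ones are
waiting on a reboot, and which DLLs could not be unregistered (so their COM
registration may still be present in the registry)?
"""
import re
from typing import Dict, List

# Constructed sample: the ':files' block as posted in the fix above.
SCRIPT = r"""
:files
c:\windows\system32\ljJBtspQ.dll
c:\windows\system32\tuvUOfcd.dll
c:\windows\system32\za.dat
c:\temp\REX81
c:\windows\Tasks\ermypkiw.job

:commands
[emptytemp]
"""

# Constructed sample results in the line formats OTMoveIt3 writes. The outcomes
# are chosen to exercise every branch below; they are not the real log.
RESULTS = r"""
========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\ljJBtspQ.dll
c:\windows\system32\ljJBtspQ.dll NOT unregistered.
c:\windows\system32\ljJBtspQ.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\tuvUOfcd.dll
c:\windows\system32\tuvUOfcd.dll NOT unregistered.
c:\windows\system32\tuvUOfcd.dll moved successfully.
c:\windows\system32\za.dat moved successfully.
File move failed. c:\temp\REX81 scheduled to be moved on reboot.
File c:\windows\Tasks\ermypkiw.job not found!
========== COMMANDS ==========
User's Temp folder emptied.
Temp folders emptied.
"""

_MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$", re.I)
_DEFERRED = re.compile(
    r"^File (?:move|delete) failed\. (?P<path>.+?) "
    r"scheduled to be (?:moved|deleted) on reboot\.$", re.I)
_NOT_FOUND = re.compile(r"^File (?P<path>.+?) not found!$", re.I)
_NOT_UNREG = re.compile(r"^(?P<path>.+?) NOT unregistered\.$", re.I)


def parse_script_files(script: str) -> List[str]:
    """Return the paths listed under ':files', stopping at the next directive."""
    paths: List[str] = []
    in_files = False
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith(":"):          # ':files', ':commands', ':reg', ...
            in_files = line.lower() == ":files"
        elif in_files and line:
            paths.append(line)
    return paths


def parse_results(results: str) -> Dict[str, dict]:
    """Map each lower-cased path mentioned in the results to what happened to it."""
    seen: Dict[str, dict] = {}

    def entry(path: str) -> dict:
        return seen.setdefault(path.lower(), {"status": None, "unregistered": True})

    for raw in results.splitlines():
        line = raw.strip()
        for status, rx in (("moved", _MOVED), ("deferred", _DEFERRED),
                           ("missing", _NOT_FOUND)):
            m = rx.match(line)
            if m:
                entry(m.group("path"))["status"] = status
                break
        else:                              # no move/defer/missing line: check COM unregistration
            m = _NOT_UNREG.match(line)
            if m:
                entry(m.group("path"))["unregistered"] = False
    return seen


def reconcile(script: str, results: str) -> Dict[str, str]:
    """Per requested path: moved, moved (not unregistered), deferred to reboot,
    not found, or unreported (no result line at all, so re-run or check the log)."""
    seen = parse_results(results)
    report: Dict[str, str] = {}
    for path in parse_script_files(script):
        e = seen.get(path.lower())
        if e is None or e["status"] is None:
            report[path] = "unreported"
        elif e["status"] == "moved":
            report[path] = "moved" if e["unregistered"] else "moved (not unregistered)"
        elif e["status"] == "deferred":
            report[path] = "deferred to reboot"
        else:
            report[path] = "not found"
    return report


def needs_followup(report: Dict[str, str]) -> List[str]:
    """Paths a helper should re-check once the post-reboot MovedFiles log arrives."""
    return [p for p, s in report.items() if s != "moved"]


if __name__ == "__main__":
    for path, status in reconcile(SCRIPT, RESULTS).items():
        print(f"{status:<26} {path}")
```

"NOT unregistered" preceded by "DllUnregisterServer procedure not found" means the DLL exported no COM unregistration routine, so moving the file does not touch any CLSID or BHO registry entries that still point at it; those have to be checked in the fresh RSIT/HijackThis log requested at the end of the post, and entries deferred to reboot are only confirmed by the .log file in C:\_OTMoveIt\MovedFiles.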

#11 ssthomps

  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:06:59 PM

Posted 07 January 2009 - 11:38 AM

OK, here are the new logs.


OTMoveIt3:

========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\ljJBtspQ.dll
c:\windows\system32\ljJBtspQ.dll NOT unregistered.
c:\windows\system32\ljJBtspQ.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\tuvUOfcd.dll
c:\windows\system32\tuvUOfcd.dll NOT unregistered.
c:\windows\system32\tuvUOfcd.dll moved successfully.
c:\windows\system32\za.dat moved successfully.
c:\temp\REX81 moved successfully.
c:\windows\Tasks\ermypkiw.job moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\FELICI~1\LOCALS~1\Temp\etilqs_cmUSegiRjGpwTNKoOkQy scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcafee_dOalKQ88ScAbXws scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_YcQM4pYIE4JcyiB scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01072009_102654

Files moved on Reboot...
File C:\DOCUME~1\FELICI~1\LOCALS~1\Temp\etilqs_cmUSegiRjGpwTNKoOkQy not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\mcafee_dOalKQ88ScAbXws not found!
File C:\WINDOWS\temp\mcafee_YcQM4pYIE4JcyiB not found!
C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Felicia Thompson\Local Settings\Application Data\Mozilla\Firefox\Profiles\q1l81w6w.default\urlclassifier3.sqlite moved successfully.

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

1/7/2009 10:38:01 AM
mbam-log-2009-01-07 (10-38-01).txt

Scan type: Quick Scan
Objects scanned: 64988
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a11398eb-b650-4f71-ba17-59c8bfb0f5d6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.



Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AV9 (Rogue.Antivirus2009) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AV9\av2009.exe.tmp (Rogue.Antivirus2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\zengcnefgl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of random's system information tool 1.05 (written by random/random)
Run by Felicia Thompson at 2009-01-07 10:41:43
Microsoft Windows XP Professional Service Pack 3
System drive C: has 137 GB (90%) free of 153 GB
Total RAM: 2037 MB (78% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:47 AM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Felicia Thompson\Desktop\RSIT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Felicia Thompson.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: dleigl.dll
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5196 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-03-20 803864]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"dellsupportcenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2008-08-13 206064]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
C:\WINDOWS\ALCMTR.EXE [2007-06-13 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe [2006-10-25 1392640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLPSP]
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE [2007-07-25 393944]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLUPDR]
C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE [2007-02-21 140184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-05-28 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2007-06-13 162584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2007-06-13 142104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Managed Services Tray]
C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.Exe [2008-02-22 87360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MVS Splash]
C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe [2008-02-22 468288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2007-09-17 124200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe [2007-06-13 138008]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2007-06-13 16132608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2005-11-10 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-05-28 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-05-28 7168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="dleigl.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-13 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe"="C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent"
"C:\Program Files\att-nap\McciBrowser.exe"="C:\Program Files\att-nap\McciBrowser.exe:*:Enabled:motivebrowser.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Dell Network Assistant\ezi_hnm2.exe"="C:\Program Files\Dell Network Assistant\ezi_hnm2.exe:*:Enabled:Dell Network Assistant"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe"="C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e798be8-6e28-11dd-9a62-001e4c87ab26}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 2 months======

2009-01-07 10:30:46 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-07 10:26:54 ----D---- C:\_OTMoveIt
2009-01-06 14:08:13 ----SHD---- C:\RECYCLER
2009-01-06 14:06:44 ----D---- C:\WINDOWS\temp
2009-01-06 14:06:43 ----A---- C:\ComboFix.txt
2009-01-06 13:51:36 ----A---- C:\WINDOWS\zip.exe
2009-01-06 13:51:36 ----A---- C:\WINDOWS\VFIND.exe
2009-01-06 13:51:36 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-01-06 13:51:36 ----A---- C:\WINDOWS\SWSC.exe
2009-01-06 13:51:36 ----A---- C:\WINDOWS\SWREG.exe
2009-01-06 13:51:36 ----A---- C:\WINDOWS\sed.exe
2009-01-06 13:51:36 ----A---- C:\WINDOWS\grep.exe
2009-01-06 13:51:36 ----A---- C:\WINDOWS\fdsv.exe
2009-01-06 13:30:59 ----D---- C:\ComboFix.bat
2008-12-19 13:26:50 ----D---- C:\Documents and Settings\Felicia Thompson\Application Data\Malwarebytes
2008-12-19 12:03:52 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-19 12:03:30 ----D---- C:\WINDOWS\ERDNT
2008-12-19 12:03:30 ----D---- C:\Qoobox
2008-12-18 17:38:26 ----D---- C:\rsit
2008-12-18 17:10:56 ----A---- C:\WINDOWS\is-2A2IC.exe
2008-12-18 17:03:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-18 14:28:23 ----HD---- C:\WINDOWS\system32\GroupPolicy
2008-12-18 14:24:51 ----D---- C:\WINDOWS\system32\NtmsData
2008-12-18 14:00:01 ----D---- C:\WINDOWS\pss
2008-12-18 13:58:27 ----D---- C:\Program Files\Trend Micro
2008-12-18 13:57:05 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-18 10:55:51 ----D---- C:\WINDOWS\system32\appmgmt
2008-12-18 10:55:47 ----SHD---- C:\Config.Msi
2008-12-18 10:48:36 ----D---- C:\Temp
2008-12-18 10:45:41 ----D---- C:\Program Files\Windows Defender
2008-12-18 10:39:20 ----A---- C:\WINDOWS\system32\97a2c5fc-.txt
2008-12-18 10:21:27 ----D---- C:\Documents and Settings\Felicia Thompson\Application Data\Apple Computer
2008-12-18 10:21:16 ----A---- C:\WINDOWS\system32\GEARAspi.dll
2008-12-18 10:20:51 ----D---- C:\Program Files\iPod
2008-12-18 10:20:47 ----D---- C:\Program Files\iTunes
2008-12-18 10:20:47 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-18 10:19:39 ----D---- C:\Program Files\QuickTime
2008-12-18 10:19:37 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-12-18 10:19:20 ----D---- C:\Program Files\Apple Software Update
2008-12-18 10:18:52 ----D---- C:\Program Files\Common Files\Apple
2008-12-18 10:18:52 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2008-12-18 10:04:48 ----A---- C:\WINDOWS\system32\ptpusb.dll
2008-12-18 10:04:33 ----A---- C:\WINDOWS\system32\ptpusd.dll
2008-12-10 17:20:20 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-10 17:19:36 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 17:19:11 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-10 17:19:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-02 16:04:20 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2008-12-02 16:04:20 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2008-12-02 16:04:20 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2008-12-02 16:04:19 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2008-12-02 16:04:19 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2008-12-02 16:04:18 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2008-12-02 16:04:18 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2008-12-02 16:04:17 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2008-12-02 16:04:17 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2008-12-02 16:04:16 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2008-12-02 16:04:16 ----A---- C:\WINDOWS\system32\d3dx10_39.dll
2008-12-02 16:04:16 ----A---- C:\WINDOWS\system32\D3DCompiler_39.dll
2008-12-02 16:04:15 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2008-12-02 16:04:14 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2008-12-02 16:04:14 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2008-12-02 16:04:14 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2008-12-02 16:04:13 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2008-12-02 16:04:12 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2008-12-02 16:04:12 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2008-12-02 16:04:12 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2008-12-02 16:04:11 ----A---- C:\WINDOWS\system32\XAudio2_0.dll
2008-12-02 16:04:10 ----A---- C:\WINDOWS\system32\xactengine3_0.dll
2008-12-02 16:04:10 ----A---- C:\WINDOWS\system32\X3DAudio1_3.dll
2008-12-02 16:04:09 ----A---- C:\WINDOWS\system32\d3dx10_37.dll
2008-12-02 16:04:09 ----A---- C:\WINDOWS\system32\D3DCompiler_37.dll
2008-12-02 16:04:08 ----A---- C:\WINDOWS\system32\xactengine2_10.dll
2008-12-02 16:04:08 ----A---- C:\WINDOWS\system32\D3DX9_37.dll
2008-12-02 16:04:06 ----A---- C:\WINDOWS\system32\d3dx10_36.dll
2008-12-02 16:04:06 ----A---- C:\WINDOWS\system32\D3DCompiler_36.dll
2008-12-02 16:04:05 ----A---- C:\WINDOWS\system32\d3dx9_36.dll
2008-12-02 16:04:04 ----A---- C:\WINDOWS\system32\xactengine2_9.dll
2008-12-02 16:04:04 ----A---- C:\WINDOWS\system32\d3dx10_35.dll
2008-12-02 16:04:04 ----A---- C:\WINDOWS\system32\D3DCompiler_35.dll
2008-12-02 16:04:03 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2008-12-02 16:04:02 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2008-12-02 16:04:02 ----A---- C:\WINDOWS\system32\X3DAudio1_2.dll
2008-12-02 16:04:01 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2008-12-02 16:04:01 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2008-12-02 16:04:00 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2008-12-02 16:04:00 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2008-12-02 16:03:59 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2008-12-02 16:03:58 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2008-12-02 16:03:58 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2008-12-02 16:03:57 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2008-12-02 16:03:57 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2008-12-02 16:03:56 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2008-12-02 16:03:56 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2008-12-02 16:03:55 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2008-12-02 16:03:55 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2008-12-02 16:03:55 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2008-12-02 16:03:54 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2008-12-02 16:03:54 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2008-12-02 16:03:53 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2008-12-02 16:03:53 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2008-12-02 16:03:52 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2008-12-02 16:03:49 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2008-12-02 16:03:48 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2008-12-02 16:03:48 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2008-12-02 16:03:48 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2008-12-02 16:03:47 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2008-12-02 16:03:47 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2008-12-02 16:03:46 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2008-12-02 16:03:46 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2008-12-02 16:03:45 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2008-12-02 16:03:45 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2008-12-02 15:10:30 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-12-02 14:57:28 ----HD---- C:\WINDOWS\msdownld.tmp
2008-12-02 14:57:23 ----D---- C:\WINDOWS\Logs
2008-12-02 13:49:27 ----D---- C:\Program Files\Full Tilt Poker
2008-12-02 13:46:21 ----D---- C:\Program Files\GamesCampus
2008-11-13 13:05:32 ----D---- C:\Documents and Settings\Felicia Thompson\Application Data\YouSendIt
2008-11-13 13:05:27 ----D---- C:\Program Files\YouSendIt
2008-11-12 18:07:45 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 18:07:39 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 18:07:27 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$

======List of files/folders modified in the last 2 months======

2009-01-07 10:40:55 ----D---- C:\Program Files\Mozilla Firefox
2009-01-07 10:40:36 ----D---- C:\WINDOWS
2009-01-07 10:40:06 ----RD---- C:\Program Files
2009-01-07 10:40:06 ----D---- C:\WINDOWS\system32\drivers
2009-01-07 10:39:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-07 10:39:28 ----D---- C:\WINDOWS\Prefetch
2009-01-07 10:32:03 ----D---- C:\WINDOWS\system32
2009-01-07 10:32:03 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-07 10:30:54 ----SD---- C:\WINDOWS\Tasks
2009-01-06 15:02:15 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-06 14:03:54 ----A---- C:\WINDOWS\system.ini
2009-01-06 14:01:18 ----D---- C:\WINDOWS\system32\config
2009-01-06 13:59:56 ----D---- C:\WINDOWS\AppPatch
2009-01-06 13:59:56 ----D---- C:\Program Files\Common Files
2008-12-22 14:02:58 ----SD---- C:\Documents and Settings\Felicia Thompson\Application Data\Microsoft
2008-12-22 09:46:27 ----HD---- C:\WINDOWS\inf
2008-12-22 09:46:21 ----SHD---- C:\WINDOWS\system32\dllcache
2008-12-19 13:18:13 ----D---- C:\WINDOWS\ie7updates
2008-12-19 13:17:36 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-18 14:38:43 ----SHD---- C:\System Volume Information
2008-12-18 14:26:05 ----D---- C:\WINDOWS\repair
2008-12-18 14:25:52 ----D---- C:\WINDOWS\Registration
2008-12-18 14:13:32 ----RASH---- C:\boot.ini
2008-12-18 14:13:32 ----A---- C:\WINDOWS\win.ini
2008-12-18 14:13:17 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-18 11:02:37 ----SHD---- C:\WINDOWS\Installer
2008-12-18 11:02:22 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-18 10:50:52 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-13 00:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-10 17:20:49 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-10 17:20:24 ----A---- C:\WINDOWS\imsins.BAK
2008-12-10 17:20:09 ----D---- C:\Program Files\Internet Explorer
2008-12-05 20:00:13 ----D---- C:\WINDOWS\Help
2008-12-05 16:54:45 ----A---- C:\WINDOWS\OEWABLog.txt
2008-12-02 16:04:23 ----D---- C:\WINDOWS\system32\DirectX
2008-12-02 16:03:52 ----RSD---- C:\WINDOWS\assembly
2008-12-02 13:49:27 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-01 08:47:44 ----D---- C:\Program Files\Adobe
2008-11-20 13:12:15 ----D---- C:\Program Files\Yahoo! Games

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-12-01 201320]
R1 mfetdik;McAfee Inc. mfetdik; C:\WINDOWS\system32\drivers\mfetdik.sys [2007-12-01 55016]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-03-02 109608]
R2 CSS DVP;CSS DVP; C:\WINDOWS\system32\DRIVERS\css-dvp.sys [2006-01-20 783984]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2006-10-11 604928]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-06-26 254872]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-13 5760096]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-06-13 4403712]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 MfeAVFK;McAfee Inc. MfeAVFK; C:\WINDOWS\system32\drivers\MfeAVFK.sys [2007-12-01 79304]
S3 MfeBOPK;McAfee Inc. MfeBOPK; C:\WINDOWS\system32\drivers\MfeBOPK.sys [2007-12-01 35240]
S3 MfeRKDK;McAfee Inc. MfeRKDK; C:\WINDOWS\system32\drivers\MfeRKDK.sys [2007-12-01 33832]
S3 MREMP50;MREMP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS []
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 DLPWD;Dell Printer Status Watcher; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE [2006-12-07 95128]
R2 DLSDB;Dell Printer Status Database; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
R2 dvpapi;DvpApi; C:\Program Files\Common Files\Command Software\dvpapi.exe [2006-01-20 142416]
R2 hnmsvc;Advanced Networking Service; C:\Program Files\Dell Network Assistant\hnm_svc.exe [2007-05-25 112176]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service; C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe [2007-02-13 540776]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service; C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2008-02-22 169280]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2006-10-25 20480]
R3 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-05-23 841256]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 GoogleDesktopManager-010708-104812;Google Desktop Manager 5.7.801.7324; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-05-28 29744]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-28 138168]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 EngineServer;EngineServer; C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2007-12-01 14144]
S4 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [2008-01-28 303104]
S4 McShield;McShield; C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe [2007-12-01 144704]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]
S4 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]

-----------------EOF-----------------

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:08:59 PM

Posted 07 January 2009 - 07:45 PM

  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\WINDOWS\is-2A2IC.exe
    C:\WINDOWS\system32\97a2c5fc-.txt
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="dleigl.dll"
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
After that, post that log and a new Hijackthis log and let me know how it's running.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#13 ssthomps

ssthomps
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:06:59 PM

Posted 09 January 2009 - 12:02 PM

Here are the new logs. The machine seems to be operating normally now, I haven't had any strange popups or McAfee alerts in the past couple of days.

========== FILES ==========
C:\WINDOWS\is-2A2IC.exe moved successfully.
C:\WINDOWS\system32\97a2c5fc-.txt moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"dleigl.dll" /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01092009_110236


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:15 AM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: dleigl.dll
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5103 bytes

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:08:59 PM

Posted 09 January 2009 - 09:23 PM

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to this entry:

O20 - AppInit_DLLs: dleigl.dll


Now click on Fix Checked and then close Hijackthis.
=================================
Cleanup:

Please download OTCleanIt from Here and save it to your desktop.
Double click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
======================
Delete/uninstall anything else that we have used.

Including this folder C:\Rsit

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
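The two posts above turn on one HijackThis entry: the `O20 - AppInit_DLLs: dleigl.dll` line, which is why the OTMoveIt3 script cleared that registry value and the follow-up asked for the O20 entry to be fixed. The script below is an added example (not part of this thread, and not code from HijackThis or OTMoveIt3) showing how a reviewer can triage a HijackThis-style log automatically: it pulls out the persistence-related sections (O4 autoruns, O20 AppInit_DLLs, O23 services) and flags the ones worth a closer look, namely any non-empty AppInit_DLLs value (the value is empty on a clean XP install) and services whose binary has no identified owner. The sample lines are constructed from the log posted earlier; the section names and line format are those HijackThis v2 writes.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the
BleepingComputer thread or the HijackThis tool).  It pulls out the persistence
related entries (O4 autoruns, O20 AppInit_DLLs, O23 services) and flags the ones
a reviewer would look at first: any AppInit_DLLs value at all, and services with
no identified owner.  Sample lines below are constructed from the thread's log."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the format HijackThis v2 writes.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - AppInit_DLLs: dleigl.dll
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\\Program Files\\McAfee\\MPF\\MPFSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\\WINDOWS\\System32\\WLTRYSVC.EXE
"""

# Every HijackThis entry starts with a section code such as O4, O20, O23.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    section: str   # e.g. "O20"
    detail: str    # the text after "O20 - "
    reason: str    # why it was flagged, or "" if listed for information only


def parse_entries(text):
    """Yield (section, detail) for every 'Onn - ...' line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return Findings for the persistence-related sections, flagging suspicious ones."""
    findings = []
    for section, detail in parse_entries(text):
        reason = ""
        if section == "O20" and detail.startswith("AppInit_DLLs:"):
            value = detail.split(":", 1)[1].strip()
            if value:
                # AppInit_DLLs is empty on a clean XP machine; any DLL listed here
                # is loaded into every process that links user32.dll.
                reason = "AppInit_DLLs is set; DLL is loaded into every GUI process"
        elif section == "O23" and "- Unknown owner -" in detail:
            reason = "service binary has no identified publisher; verify its origin"
        elif section not in ("O4", "O20", "O23"):
            continue  # other sections are not persistence entries; skip them
        findings.append(Finding(section, detail, reason))
    return findings


def flagged(text):
    """Only the findings that carry a reason, i.e. the ones to review first."""
    return [f for f in triage(text) if f.reason]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        mark = "!!" if f.reason else "  "
        note = f"  <- {f.reason}" if f.reason else ""
        print(f"{mark} {f.section}: {f.detail}{note}")
```

Run against the sample, the O20 line and the unknown-owner service are the two entries marked `!!`; the two O4 autoruns and the McAfee service are listed without a flag. An "Unknown owner" service is not proof of anything by itself (the WLAN tray service here is a legitimate Dell component), which is why the script reports a reason rather than a verdict.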

#15 ssthomps

ssthomps
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:06:59 PM

Posted 12 January 2009 - 11:37 AM

Thanks for all your help. I have finished completing the final steps and my computer is running smoothly. It's hard to find good people these days and I'm glad I found some. I will continue to be a part of this community.



