Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Trojan Removal Caused Major Problems


  • Please log in to reply
4 replies to this topic

#1 scott4885

scott4885

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 31 December 2008 - 03:18 AM

***NOTE: I MEANT TO SAY THIS WAS "VUNDOFIX" not "VIRTUMONDE".

Hello. Long story short. I was downloading something from rapidshare and got a virus. I ran HJT and deleted a few nasty things then ran Malwarebytes and deleted a bunch more - but the trojans kept coming back. Somewhere along the lines (after more virus scans with Malwarebytes and HJT in safe mode), I am now unable to do much of anything with the machine. Here are the things that happen:

1) Can't boot normally - blue screen.
2) Can boot in safe mode. But, I get a constant "XXX.xx - bad image" Error says: The application or DLL globalroot\systemroot\system32\senekacwjekqdm.dll is not a valid windows image. Please check this against your installation diskette.

Each time I click "OK" I get a new error - it is usually the same error message but the window has a different header...sometimes cmd.exe - bad image, sometimes ssmypics.scr bad image, smitfraudfix.exe - bad image, etc.

Basically, everything I try to do throws this message. The senekacwjeckqdm file was something malwarebytes caught originally and i destroyed in one of my first scans. It says it is the virtumonde trojan.

3) Next, I sometimes get a DCOM service launcher has terminated error and it counts down from 60 and shuts down the machine. This typically happens about 15 minutes into a malwarebytes scan in safe mode and I can't ever delete infected objects.
4) Finally, I am unable to do much of anything in regards to spyware. It seems the error in #2 limits me in installing programs. I can run HJT and Malwarebytes (although it crashes - see #3). I can't run smitfraudfix, combofix, or AVG.

Please help. I'm stumped. Thanks.

Here are the HJT logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:09:51, on 12/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070127
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070127
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Start WebEx MeetMeNow.LNK = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://ntserver/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199854302640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1213736555515
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://xtra.lionsharemarketing.com/Remote/msrdp.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv.view22.com/view22/app/view22rte.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lionshare.local
O17 - HKLM\Software\..\Telephony: DomainName = lionshare.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lionshare.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NeatWorks Database Controller (NeatWorksDatabaseController) - The Neat Company - C:\Program Files\NeatWorks\exec\NeatWorksDatabaseController.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10497 bytes

Edited by scott4885, 31 December 2008 - 02:19 PM.


BC AdBot (Login to Remove)

 


#2 scott4885

scott4885
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 01 January 2009 - 05:23 PM

Can anyone help or comment on this? I am basically unable to use the computer - it gives me the blue screen of death everytime I load - something about the Driver_IRQL_NOT_LESS_OR_EQUAL. It tells me to disable BIOS memory options like caching or shadowing but I can't find those in the BIOS. System Retore points are non-existent even though it is turned on. The same "Bad Image" error is thrown even in safe mode. I can get to the login screen in normal boot mode but after typing un and pw, it gives me the BSOD.

Thanks in advance. Any help would be much appreciated.

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:21 AM

Posted 01 January 2009 - 05:56 PM

Hello Scott4885 and welcome to BleepingComputer,

I understand you can still boot in safe mode with network support ?
Please take these steps while in safe mode :

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#4 scott4885

scott4885
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 02 January 2009 - 12:33 AM

OK, thanks for the reply. Here is what I did (before the response and after...I'm typing details for anyone who may follow after me with the problem).

1) In safe mode I disabled several files that were loading at startup by using msconfig. They were NVCPL, NVCPLDAEMON, etc - they seemed to be disquised as NVidia files but are actually part of the W32.spybot.worm (I found this on the internet). They had Rundll32 in there description. This allowed me to get rid of the blue screen of death and boot into normal mode.

2) Then, I was able to install and run SUPERantiSpyware - this program found 20 infected files and registry settings. I was getting zero infected files when running Malawarebytes...so it was good to see another infection being found. I also turned off system restore points before doing this.

3) Deleting these didn't seem to help much. I then ran combofix and as it was finishing, I saw your reply. So, attached is the log. I noticed after Combofix booted the second time I no longer had the 'Bad Image' error. Also, it found 4 files - all that started with "Seneka" - the same beginning to the file the "Bad Image" error was referencing (see my first post).

Here is my combofix log. I'm going to start using my computer now and see how it works:

ComboFix 08-12-31.01 - LionShare 2009-01-01 23:15:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.682 [GMT -6:00]
Running from: E:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LionShare\Application Data\inst.exe
c:\documents and settings\LionShare\Application Data\MBSDebugPlugin6086.dll
c:\documents and settings\LionShare\Application Data\MBSFolderitemsPlugin6086.dll
c:\documents and settings\LionShare\Application Data\MBSIconPlugin6086.dll
c:\documents and settings\LionShare\Application Data\MBSMainPlugin6086.dll
c:\documents and settings\LionShare\Application Data\MBSProcessPlugin6087.dll
c:\documents and settings\LionShare\Application Data\MBSQTMoviePlugin6080.dll
c:\documents and settings\LionShare\Application Data\MBSQuickTimePlugin6097.dll
c:\documents and settings\LionShare\Application Data\MBSRegistrationPlugin6087.dll
c:\documents and settings\LionShare\Application Data\MBSVersionPlugin6086.dll
c:\documents and settings\LionShare\Application Data\rbqt450.DLL
c:\documents and settings\LionShare\Application Data\rbselectfolder450.dll
c:\windows\Downloaded Program Files\MyWebEx
c:\windows\Downloaded Program Files\MyWebEx\419\atarm.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atas32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasanot.exe
c:\windows\Downloaded Program Files\MyWebEx\419\atasctrl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasnt40.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atdl2006.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atkbctl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atlchat.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atnetext.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atpack.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\attp.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atwbxui5.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atwbxui6.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264dec.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264enc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\ieatgpc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mmssl32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\msess.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mticket.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mutiltpd.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mvc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwm.ini
c:\windows\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
c:\windows\Downloaded Program Files\MyWebEx\419\mwmie.bak
c:\windows\Downloaded Program Files\MyWebEx\419\mwmie.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmim.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmoi.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmoibak.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmpad.exe
c:\windows\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmres1.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmtrace.txt
c:\windows\Downloaded Program Files\MyWebEx\419\mwmupd.exe
c:\windows\Downloaded Program Files\MyWebEx\419\ratrace.dll
c:\windows\Downloaded Program Files\MyWebEx\419\Ratrace\ratrace.txt
c:\windows\Downloaded Program Files\MyWebEx\419\raurl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\uilibres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
c:\windows\Downloaded Program Files\MyWebEx\419\webexmgr.dll
c:\windows\system32\Cfx32.lic
c:\windows\system32\cfx32.ocx
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekajallxtnd.sys
c:\windows\system32\seneka.dat
c:\windows\system32\senekacwjekqdm.dll
c:\windows\system32\senekadf.dat
c:\windows\system32\senekadtysfnde.dll
c:\windows\system32\senekafdkkjvaw.dll
c:\windows\system32\senekalog.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-01 19:19 . 2009-01-01 19:19 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-01 19:19 . 2009-01-01 19:19 <DIR> d-------- c:\documents and settings\LionShare\Application Data\SUPERAntiSpyware.com
2009-01-01 19:19 . 2009-01-01 19:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-01 19:15 . 2009-01-01 23:24 220,195 --a------ c:\windows\system32\nvModes.001
2009-01-01 18:22 . 2009-01-01 18:22 <DIR> d-------- C:\rsit
2009-01-01 15:25 . 2009-01-01 16:24 <DIR> d-------- c:\program files\Security Task Manager
2009-01-01 15:25 . 2009-01-01 17:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-30 23:58 . 2008-12-30 23:58 <DIR> d-------- C:\VundoFix Backups
2008-12-30 21:16 . 2008-12-30 21:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 21:16 . 2008-12-30 21:16 <DIR> d-------- c:\documents and settings\LionShare\Application Data\Malwarebytes
2008-12-30 21:16 . 2008-12-30 21:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 21:16 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 21:16 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-30 16:16 . 2008-12-30 16:16 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-30 16:03 . 2008-12-30 16:03 <DIR> d-------- c:\windows\SQL9_KB954606_ENU
2008-12-30 16:00 . 2008-12-30 16:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-29 22:56 . 2008-12-29 22:56 410,984 --ah----- c:\windows\system32\deploytk.dll
2008-12-29 22:56 . 2008-12-29 22:56 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-29 17:50 . 2008-12-29 18:11 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-29 17:43 . 2008-06-13 07:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-29 17:43 . 2008-06-13 07:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2008-12-29 17:42 . 2008-09-15 05:57 1,846,016 --------- c:\windows\system32\dllcache\win32k.sys
2008-12-29 17:42 . 2008-08-14 03:51 138,368 --------- c:\windows\system32\dllcache\afd.sys
2008-12-29 17:41 . 2008-10-16 14:38 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-12-29 17:41 . 2007-04-17 03:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-29 17:41 . 2007-03-07 23:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-29 17:41 . 2008-10-16 14:38 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-29 17:41 . 2008-10-16 14:38 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-29 17:41 . 2008-10-16 14:38 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-12-29 17:41 . 2008-10-16 14:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-12-29 17:41 . 2008-10-16 14:38 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-29 17:41 . 2008-10-16 07:11 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-29 17:35 . 2008-08-14 03:57 2,185,984 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-29 17:35 . 2008-08-14 03:55 2,142,720 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-29 17:35 . 2008-08-14 03:18 2,062,976 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-29 17:35 . 2008-08-14 03:18 2,020,864 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-29 17:28 . 2008-10-24 05:10 453,632 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-29 17:28 . 2008-05-01 08:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2008-12-29 17:23 . 2008-10-03 04:15 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
2008-12-27 08:33 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-27 08:33 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-25 22:18 . 2008-12-25 22:18 <DIR> d-------- c:\program files\Common Files\Intuit
2008-12-25 22:18 . 2008-12-25 22:18 <DIR> d-------- c:\program files\Common Files\impacct
2008-12-25 22:17 . 2008-12-25 22:17 <DIR> d-------- c:\program files\Common Files\NeatReceipts
2008-12-25 22:17 . 2008-12-25 22:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\The Neat Company
2008-12-25 22:13 . 2008-12-25 22:13 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-25 22:10 . 2008-12-30 16:03 <DIR> d-------- c:\program files\Microsoft SQL Server
2008-12-25 22:05 . 2008-12-25 22:19 <DIR> d-------- c:\program files\NeatWorks
2008-12-25 22:05 . 2008-12-25 22:17 <DIR> d-------- c:\program files\Common Files\The Neat Company
2008-12-21 15:30 . 2008-12-21 15:40 <DIR> d-------- c:\program files\Robo-FTP
2008-12-13 13:49 . 2008-12-13 13:49 <DIR> d-------- C:\test

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 05:24 --------- d-----w c:\documents and settings\LionShare\Application Data\VMware
2009-01-01 23:15 --------- d-----w c:\documents and settings\LionShare\Application Data\Free Download Manager
2009-01-01 22:35 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-01-01 22:35 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-31 06:41 --------- d-----w c:\program files\StumbleUpon
2008-12-31 05:49 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-31 03:24 --------- d-----w c:\program files\Canon
2008-12-31 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-30 22:09 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-30 04:56 --------- d-----w c:\program files\Java
2008-12-26 04:14 --------- d-----w c:\program files\Microsoft.NET
2008-12-18 00:30 4 ----a-w C:\engine.dat
2008-12-04 15:53 --------- d-----w c:\program files\Dynamic Messenger (Beta)
2008-11-24 17:25 --------- d-----w c:\program files\Alterian
2008-11-02 23:34 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-11-02 23:34 47,360 ----a-w c:\documents and settings\LionShare\Application Data\pcouffin.sys
2008-11-02 23:34 --------- d-----w c:\program files\DVDFab 5
2008-11-02 23:34 --------- d-----w c:\documents and settings\LionShare\Application Data\Vso
2008-11-02 22:38 --------- d-----w c:\program files\DVD Decrypter
2008-11-02 15:43 --------- d-----w c:\program files\Windows Media Components
2007-04-18 16:56 44,624 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-04-18 16:56 108,184 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-06-21 23:38 30,280 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 23:38 79,432 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 23:38 71,240 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 23:38 140,872 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 23:39 38,472 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 23:39 46,664 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 23:39 34,376 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 23:39 685,640 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 23:40 30,280 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
2007-08-11 20:20 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-04-12 19:05 60,518 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-04-12 19:05 49,248 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-04-12 19:05 165,992 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-20 185896]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2007-08-21 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2007-08-21 55856]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-01-27 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-01-30 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start WebEx MeetMeNow.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start WebEx MeetMeNow.LNK
backup=c:\windows\pss\Start WebEx MeetMeNow.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^LionShare^Start Menu^Programs^Startup^VOIP080.lnk]
path=c:\documents and settings\LionShare\Start Menu\Programs\Startup\VOIP080.lnk
backup=c:\windows\pss\VOIP080.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 21:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 22:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-08-12 11:07 1838592 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-28 18:05 8429568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]
--a------ 2007-08-21 19:02 72240 c:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
--a------ 2007-04-28 18:05 67584 c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-28 18:05 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-28 18:05 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vmount2"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"RampartSvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"gusvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]
R2 ASFIPmon;Broadcom ASF IP Monitor;"c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe" -service [2005-10-18 61440]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;"c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe" [2008-08-25 334968]
R2 ufad-p2v;VMware Converter Service;"c:\program files\VMware\VMware Converter\vmware-ufad.exe" -d "c:\program files\VMware\VMware Converter\\" -s ufad-p2v.xml []
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\c:\program files\VMware\VMware Converter\vstor2-p2v30.sys [2008-04-29 19248]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys []
S3 GTKCMOS;GTKCMOS;\??\c:\windows\system32\GTKCMOS.sys [2004-06-15 7882]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-30 38496]
S3 MSSQL$NR2007;SQL Server (NR2007);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sNR2007 [2008-08-05 29184016]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2007-10-23 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\DRIVERS\MusCVideo32.sys [2007-10-23 2688]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2007-02-18 23180]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Neat ADF Scanner 2008]
reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-02 c:\windows\Tasks\exichwjn.job
- c:\windows\system32\rundll32.exe [2004-08-04 05:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070127
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\system32\atl.dll - c:\windows\system32\shfolder.dll
c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
c:\windows\system32\DXFLib.dll
c:\windows\system32\devil.dll
c:\windows\system32\opcode.dll
c:\windows\Downloaded Program Files\View22RTE.dll
O16 -: {BCBC9371-595D-11D4-A96D-00105A1CEF6C}
hxxp://hgtv.view22.com/view22/app/view22rte.cab
c:\windows\Downloaded Program Files\v22.inf
FF - ProfilePath -

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("general.useragent.contentlocale", "chrome://navigator-region/locale/region.properties");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("accessibility.typeaheadfind.soundURL", "default");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("browser.tabs.warnOnCloseOther", true);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("browser.tabs.loadGroup", 1);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("browser.tabs.loadOnNewTab", 0);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("browser.windows.loadOnNewWindow", 1);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.close.get", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.open.get", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Location.reload.get", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.Components", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.Window.document.get", "allAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.commandDispatcher", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerForCommand", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.insertControllerAt", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.removeControllerAt", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerAt", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.appendController", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.removeController", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerId", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerById", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerCount", "noAccess");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.resizable", false);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.http.max-connections", 24);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.http.max-connections-per-server", 8);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-server", 2);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-proxy", 4);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.http.accept.default", "application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.dns.ipv4OnlyDomains", ".doubleclick.net");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.standard-url.encode-utf8", false);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.image.warnAboutImages", false);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.proxy.autoconfig_url", "");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.cookie.p3p", "ffffaaaa");
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("ime.password.onFocus.dontCare", false);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("ime.password.onBlur.dontCare", false);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("ui.key.generalAccessKey", 18);
c:\program files\Mozilla Firefox\\greprefs\all.js - pref("dom.max_script_run_time", 5);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.enable_ssl2", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_128", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_128", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_ede3_192", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_64", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_40", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_40", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_fips_des_sha", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_des_sha", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_rc4_56_sha", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_des_cbc_sha", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc4_40_md5", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc2_40_md5", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_rsa_des_sha", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_dss_des_sha", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.default_personal_cert", "Select Automatically");
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.warn_entering_secure", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.warn_leaving_secure", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.warn_submit_insecure", true);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.OCSP.enabled", 0);
c:\program files\Mozilla Firefox\\greprefs\security-prefs.js - pref("security.ui.enable", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("startup.homepage_override_url","chrome://browser-region/locale/region.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.skin", "chrome://mozapps/content/extensions/extensions.xul?type=themes");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.chrome", "chrome://mozapps/content/extensions/extensions.xul?type=extensions");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.skin", "Extension:Manager-themes");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.chrome", "Extension:Manager-extensions");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.url.manual", "http://www.mozilla.org/products/firefox/");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.url.details", "chrome://browser-region/locale/region.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.nagTimer.download", 86400);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("app.update.nagTimer.restart", 1800);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.update.url", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "chrome://mozapps/locale/extensions/extensions.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("keyword.URL", "http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage", "resource:/browserconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.defaulturl", "chrome://browser-region/locale/region.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.1", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.2", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.search.basic.min_ver", "0.0");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.link.open_newwindow", 2);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.tabs.opentabfor.urlbar", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.related.enabled", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.related.autoload", 1); // 0 = Always, 1 = After first use, 2 = Never
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.related.provider", "http://www-rl.netscape.com/wtgn?");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.related.disabledForDomains", "");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.goBrowsing.enabled", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("dom.disable_window_open_feature.location", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("dom.disable_window_flip", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.trim_user_and_password", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("privacy.item.history", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("privacy.item.formdata", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("privacy.item.passwords", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("privacy.item.downloads", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("privacy.item.cookies", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("privacy.item.cache", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("privacy.item.siteprefs", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("privacy.item.sessions", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("network.cookie.enableForCurrentSessionOnly", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("network.cookie.denyRemovedCookies", false);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.throbber.url","chrome://browser-region/locale/region.properties");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("alerts.height", 50);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("signon.SignonFileName", "signons.txt");
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("security.warn_entering_secure.show_once", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("security.warn_leaving_secure.show_once", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("security.warn_submit_insecure.show_once", true);
c:\program files\Mozilla Firefox\\defaults\pref\firefox.js - pref("browser.display.screen_resolution", 96);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 23:23:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Sigmatel\GlobalState]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=Administrators
@Denied: (Full) (Guests)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (B 1 2 3 4 5) (S-1-5-4)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1464)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(1520)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\common\DataServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
c:\program files\VMware\VMware Converter\vmware-ufad.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-01-01 23:30:44 - machine was rebooted [LionShare]
ComboFix-quarantined-files.txt 2009-01-02 05:30:42

Pre-Run: 1,904,783,360 bytes free
Post-Run: 19,913,728,000 bytes free

472 --- E O F --- 2009-01-02 05:29:02

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:21 AM

Posted 02 January 2009 - 08:30 AM

Hello Scott4885,

Looking a lot better now. :thumbsup:

I also turned off system restore points before doing this.

Not a good idea !! It's better to have an infected restore point than none at all when tings go really bad. :)

Please go to http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
c:\windows\system32\nvModes.001
Then click on 'Send File'.
Post the results into your next reply.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users