Vundo virus-malware removal assistance


  • This topic is locked
20 replies to this topic

#1 nobrainer22


  • Members
  • 13 posts
  • Location:Pennsylvania

Posted 01 March 2009 - 01:57 AM

Hello:
My laptop has been infected with the Vundo virus. I am getting unwanted pop-ups, problems with typing my password at bootup, and McAfee keeps detecting and deleting Vundo files that keep coming back. I've performed basic troubleshooting steps and have tried various spyware programs to no avail. I have the Windows XP SP3 O.S. with the Internet Explorer and Firefox browsers. Below is my latest HJT log. Some of the suspect DLLs are: gotujumu.dll, tojowebo.dll, kenahapu.dll, penitoro.dll, and so on. Any pointers would be appreciated:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:57 AM, on 03/01/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\CBTWlanSrv.exe
e:\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\linksys\wpc300n\wpc300n.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PERMIS~1\bin\dm.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\RUPAL K\Desktop\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [CPMcfc7d512] Rundll32.exe "c:\windows\system32\gotujumu.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229261257930
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229261234246
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.microtrac.com/Remote/msrdp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O20 - AppInit_DLLs: c:\windows\system32\gotujumu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gotujumu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gotujumu.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - e:\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PermissionTV Download Manager Service (PermissionTVDownloadManager) - PermissionTV - C:\PROGRA~1\PERMIS~1\bin\dm.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8551 bytes
***************************************************
Thanks.
NOBRAINER22


#2 nobrainer22

  • Topic Starter

  • Members
  • 13 posts
  • Location:Pennsylvania

Posted 01 March 2009 - 01:14 PM

Hello:
This is an update to my previous post. To save your time, I ran Malwarebytes, HijackThis and DDS, which found a few Vundo.Trojan.H files. Please review the latest logs and attachment. Do you still think the laptop is affected? Thanks in advance.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

DDS (Ver_09-02-01.01) - NTFSx86
Run by RK at 13:04:28.30 on 03/01/09
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1602 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\WINDOWS\system32\1XConfig.exe
e:\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\linksys\wpc300n\wpc300n.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PERMIS~1\bin\dm.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\RUPAL K\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229261257930
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229261234246
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxps://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://remote.microtrac.com/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38086.5369212963
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
LSA: Notification Packages = scecli c:\windows\system32\kipelebi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rupalk~1\applic~1\mozilla\firefox\profiles\8lp0ac7b.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: e:\divx\divx web player\npdivx32.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-4 201320]
R2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [2008-7-15 106496]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-4 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-7-4 144704]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
R2 PermissionTVDownloadManager;PermissionTV Download Manager Service;c:\progra~1\permis~1\bin\dm.exe [2009-1-22 213053]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-4 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-4 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-4 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-4 40488]
S3 A4S2600;A4S2600;c:\windows\system32\drivers\a4s2600.sys --> c:\windows\system32\drivers\A4S2600.sys [?]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\drivers\cbpmp50.sys --> c:\windows\system32\drivers\CBPMp50.sys [?]
S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2008-7-15 27072]
S3 ICDUSB2;Sony IC Recorder (ST);c:\windows\system32\drivers\IcdUsb2.sys [2004-6-26 39048]
S3 jswimd;jswimd Service;c:\windows\system32\drivers\jswimd.sys --> c:\windows\system32\drivers\jswimd.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-4 33832]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-3-13 152576]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2006-12-3 196409]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-5-2 394952]
S3 WPC300N;Linksys Wireless Notebook Adapter WPC300N Driver;c:\windows\system32\drivers\WPC300N.SYS [2008-7-15 822400]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-31 24652]

============== File Associations ===============

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-03-01 10:32 <DIR> --d----- c:\docume~1\rupalk~1\applic~1\Malwarebytes
2009-03-01 10:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-01 10:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-01 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-27 19:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-27 19:29 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-27 18:43 <DIR> a-dshr-- C:\cmdcons
2009-02-27 18:40 161,792 a------- c:\windows\SWREG.exe
2009-02-27 18:40 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-02-27 18:36 79,872 a--sh--- c:\windows\system32\kenahapu.dll
2009-02-27 18:17 72,031 a------- c:\windows\system32\nvModes.dat
2009-02-26 19:10 84,992 a--sh--- c:\windows\system32\tawaluvu.dll
2009-02-26 19:09 79,872 a--sh--- c:\windows\system32\penitoro.dll
2008-09-07 16:27 150,096 a------- c:\docume~1\rupalk~1\applic~1\GDIPFONTCACHEV1.DAT
2008-02-03 20:49 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 13:05:29.27 ===============
*********************************************************
Malwarebytes' Anti-Malware 1.34
Database version: 1813
Windows 5.1.2600 Service Pack 3

03/01/09 1:03:40 PM
mbam-log-2009-03-01 (13-03-40).txt

Scan type: Quick Scan
Objects scanned: 77060
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:32 PM, on 03/01/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\CBTWlanSrv.exe
C:\WINDOWS\system32\1XConfig.exe
e:\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\linksys\wpc300n\wpc300n.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PERMIS~1\bin\dm.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\mqtgsvc.exe
E:\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\RUPAL K\Desktop\HJT\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229261257930
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229261234246
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.microtrac.com/Remote/msrdp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - e:\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PermissionTV Download Manager Service (PermissionTVDownloadManager) - PermissionTV - C:\PROGRA~1\PERMIS~1\bin\dm.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8275 bytes
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Regards,
NOBRAINER22
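The two posts above show the persistence hooks this Vundo variant uses: a Run key launching the DLL through Rundll32 (O4), AppInit_DLLs (O20), ShellServiceObjectDelayLoad (O21), SharedTaskScheduler (O22), an extra entry in the LSA Notification Packages list, and freshly dropped DLLs in system32 carrying the system+hidden attributes (the `a--sh---` rows in the DDS Find3M section). The script below is an added example, not part of the thread or of any tool discussed in it: it triages pasted HijackThis and DDS output for exactly those indicators. The sample lines are copied from the logs posted above; the "random name" rule (eight lowercase letters directly under system32) and the attribute rule are my assumptions drawn from the names in these logs, not a published signature.

```python
"""Triage HijackThis / DDS log text for Vundo-style persistence entries.

Added example for this thread; not code from HijackThis, DDS or Malwarebytes.
The heuristics (8-letter lowercase DLL name in system32, system+hidden
attributes) are assumptions based on the names seen in the posted logs.
"""
import re

# HJT sections that are load points for a DLL: Run key (O4, via rundll32),
# AppInit_DLLs (O20), SSODL (O21) and SharedTaskScheduler (O22).
HJT_HOOKS = {"O4", "O20", "O21", "O22"}

# Assumed naming pattern: exactly eight letters, directly under system32
# (gotujumu.dll, kenahapu.dll, penitoro.dll, kipelebi.dll in the logs above).
RANDOM_DLL = re.compile(r"c:\\windows\\system32\\([a-z]{8})\.dll", re.I)

# DDS "Created Last 30" / "Find3M" rows: date, time, size, attribute flags, path.
# Rows with a <DIR> size do not match because the size field is digits/commas.
FIND3M_ROW = re.compile(
    r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+[\d,]+\s+(\S+)\s+(.+)$"
)


def flag_hjt_line(line):
    """Return (section, dll_name) when an HJT load-point line names a
    random-looking system32 DLL, else None."""
    section = re.match(r"^(O\d+)\s+-\s", line)
    if not section or section.group(1) not in HJT_HOOKS:
        # O10 (Winsock LSP) etc. are deliberately excluded: the legitimate
        # nwprovau.dll in the log above would otherwise trip the name rule.
        return None
    dll = RANDOM_DLL.search(line)
    if dll is None:
        return None
    return (section.group(1), dll.group(1).lower() + ".dll")


def flag_dds_line(line):
    """Return a finding for a DDS line, or None.

    Two checks: any LSA Notification Package beyond the stock 'scecli', and
    a Find3M/Created row whose attributes include both 's' (system) and
    'h' (hidden) for a random-looking system32 DLL."""
    if line.startswith("LSA: Notification Packages"):
        packages = line.split("=", 1)[1].split()
        extra = [p for p in packages if p.lower() != "scecli"]
        return ("LSA", " ".join(extra)) if extra else None
    row = FIND3M_ROW.match(line)
    if row:
        attrs, path = row.groups()
        if "s" in attrs and "h" in attrs and RANDOM_DLL.search(path):
            return ("HIDDEN_SYS", path.rsplit("\\", 1)[-1].lower())
    return None


def triage(log_text):
    """Run both checks over every line and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        hit = flag_hjt_line(line) or flag_dds_line(line)
        if hit:
            findings.append(hit)
    return findings


# Sample input: lines copied from the HJT and DDS logs posted in this thread
# (plus two benign lines from the same logs as negative controls).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [CPMcfc7d512] Rundll32.exe "c:\windows\system32\gotujumu.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: c:\windows\system32\gotujumu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gotujumu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gotujumu.dll
LSA: Notification Packages = scecli c:\windows\system32\kipelebi.dll
2009-02-27 18:36 79,872 a--sh--- c:\windows\system32\kenahapu.dll
2009-02-27 18:17 72,031 a------- c:\windows\system32\nvModes.dat
2009-02-26 19:09 79,872 a--sh--- c:\windows\system32\penitoro.dll
"""

if __name__ == "__main__":
    for kind, name in triage(SAMPLE_LOG):
        print(f"{kind:10s} {name}")
```

The point of the LSA check is that a DLL listed under Notification Packages is loaded by lsass.exe at boot, which is why the Run-key entries reappear after McAfee deletes them: the file has to be removed from every load point at once, or from outside the running system, rather than one entry at a time. The name rule is a triage aid only; anything it flags still has to be confirmed by hash or submission before it is deleted.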

Attached Files



#3 chryssi2001


  • Members
  • 1,930 posts

Posted 15 March 2009 - 02:50 AM

Hello nobrainer22,

I apologise for the delay; the forum is extremely busy.

I will be assisting you with your malware issues.
  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
  • If you fail to reply within 5 days from now, this thread will be closed, and you will have to open another topic and wait for another helper.
----------------------------------------------
RENAME HIJACKTHIS

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to:
C:\Documents and Settings\RUPAL K\Desktop\HJT\HiJackThis.exe

Right-click on HijackThis.exe, select Rename, rename it to scanner.exe, and post back a new HijackThis log.
----------------------------------------------
Additionally, download DDS again (if you no longer have it), run it and post back the report.

Also please post the latest report Malwarebytes' Anti-Malware created, the one that removed infected files. You will find it in the Logs tab.
Private Messages for personal support will be ignored. If you need help post in the forum.

#4 nobrainer22

  • Topic Starter

  • Members
  • 13 posts
  • Location:Pennsylvania

Posted 18 March 2009 - 09:46 PM

Hello Chryssi2001:
Thanks for responding. Please review my NEW HJT log, NEW DDS logs (including the zipped file) and the last Malwarebytes log that removed the infected files:


NEW HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:46 PM, on 03/18/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\CBTWlanSrv.exe
e:\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\linksys\wpc300n\wpc300n.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\RUPAL K\Desktop\HJT\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229261257930
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229261234246
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.microtrac.com/Remote/msrdp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - e:\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8309 bytes
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LAST MALWAREBYTES LOG

Malwarebytes' Anti-Malware 1.34
Database version: 1813
Windows 5.1.2600 Service Pack 3

03/01/09 1:03:40 PM
mbam-log-2009-03-01 (13-03-40).txt

Scan type: Quick Scan
Objects scanned: 77060
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

============================================================================
==========================================================================
NEW DDS LOG

DDS (Ver_09-03-16.01) - NTFSx86
Run by RUPAL K at 22:26:45.98 on 03/18/09
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1552 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\CBTWlanSrv.exe
e:\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\linksys\wpc300n\wpc300n.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\RUPAL K\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Apoint] c:\program files\apoint\Apoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229261257930
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229261234246
DPF: {74FFE28D-2378-11D5-990C-006094235084} - hxxps://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://remote.microtrac.com/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38086.5369212963
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
LSA: Notification Packages = scecli c:\windows\system32\kipelebi.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-4 201320]
R2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [2008-7-16 106496]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-4 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2008-7-4 144704]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2001-8-17 14336]
R3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2008-7-16 27072]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-4 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-4 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-4 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-4 40488]
R3 WPC300N;Linksys Wireless Notebook Adapter WPC300N Driver;c:\windows\system32\drivers\WPC300N.SYS [2008-7-16 822400]
S3 A4S2600;A4S2600;c:\windows\system32\drivers\a4s2600.sys --> c:\windows\system32\drivers\A4S2600.sys [?]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\drivers\cbpmp50.sys --> c:\windows\system32\drivers\CBPMp50.sys [?]
S3 ICDUSB2;Sony IC Recorder (ST);c:\windows\system32\drivers\IcdUsb2.sys [2004-6-26 39048]
S3 jswimd;jswimd Service;c:\windows\system32\drivers\jswimd.sys --> c:\windows\system32\drivers\jswimd.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-4 33832]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2005-3-13 152576]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2006-12-3 196409]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-5-2 394952]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-31 24652]

============== File Associations ===============

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-03-15 09:25 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-15 09:25 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-01 11:32 <DIR> --d----- c:\docume~1\rupalk~1\applic~1\Malwarebytes
2009-03-01 11:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-27 20:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-27 20:29 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-27 19:43 <DIR> a-dshr-- C:\cmdcons
2009-02-27 19:40 161,792 a------- c:\windows\SWREG.exe
2009-02-27 19:40 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-03-04 09:43 72,031 a------- c:\windows\system32\nvModes.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll
2008-09-07 17:27 150,096 a------- c:\docume~1\rupalk~1\applic~1\GDIPFONTCACHEV1.DAT
2008-02-03 21:49 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 22:27:43.44 ===============


#5 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:08:31 PM

Posted 19 March 2009 - 01:10 PM

Hello nobrainer22,

Go to Start > Settings > Control Panel and click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.
Java 2 Runtime Environment, SE v1.4.2
Viewpoint Manager (Remove Only)

----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.
----------------------------------------------
Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
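The "Fix checked" step above is normally verified by comparing the fresh HijackThis log against the previous one. The script below is an added example for this thread, not a BleepingComputer, Trend Micro or HijackThis tool: it parses the Rn/On lines of two logs, flags the entries HijackThis marks "(no file)" (the kind the helper asked to have fixed) and lists what changed between the logs; the two excerpts are constructed from lines quoted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example, not a project tool).

Parses the Rn/On entry lines, flags entries whose component file is missing
("(no file)"), and diffs two logs of the same machine so that what a fix
actually changed is visible at a glance.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis entry lines look like "O2 - BHO: name - {CLSID} - path".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class Entry:
    section: str  # "O2" = BHO, "O4" = Run key, "O9" = IE button, "O23" = service ...
    body: str     # everything after the "O2 - " prefix

    @property
    def clsid(self) -> str | None:
        """The {GUID} in the line, upper-cased so two logs can be matched case-insensitively."""
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None

    @property
    def orphaned(self) -> bool:
        """True when the registered component's file is gone: HijackThis prints
        "(no file)" in place of the path. The component cannot load any more,
        but the dangling registry entry is what "Fix checked" removes."""
        return self.body.lower().endswith("(no file)")


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the Rn/On entries; the header and the 'Running processes'
    block do not match LINE_RE and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body").strip()))
    return entries


def orphaned_entries(entries: list[Entry]) -> list[Entry]:
    return [e for e in entries if e.orphaned]


def diff_logs(old: list[Entry], new: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Return (removed, added) between two logs, preserving log order. The whole
    line is compared, so a changed path shows up as one removal plus one addition."""
    old_set, new_set = set(old), set(new)
    removed = [e for e in old if e not in new_set]
    added = [e for e in new if e not in old_set]
    return removed, added


def _fmt(entries: list[Entry]) -> list[str]:
    return [f"{e.section} - {e.body}" for e in entries]


def triage(before: str, after: str) -> dict[str, list[str]]:
    """Summarise two logs: orphaned entries in each, and the lines removed/added."""
    old, new = parse_hjt(before), parse_hjt(after)
    removed, added = diff_logs(old, new)
    return {
        "orphaned_before": _fmt(orphaned_entries(old)),
        "orphaned_after": _fmt(orphaned_entries(new)),
        "removed": _fmt(removed),
        "added": _fmt(added),
    }


# Constructed excerpts built from lines quoted in this thread (logs of 18 and 19 March).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
"""

if __name__ == "__main__":
    for heading, lines in triage(LOG_BEFORE, LOG_AFTER).items():
        print(heading)
        for line in lines:
            print("   ", line)
```

Running it on the two excerpts reports the orphaned O2 BHO as removed and the two O9 msjava.dll lines as added, which is the same conclusion a helper reaches by reading the logs side by side.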

#6 nobrainer22

nobrainer22
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Location:Pennsylvania
  • Local time:12:31 PM

Posted 19 March 2009 - 08:02 PM

Chryssi2001:

I've performed the steps as instructed. Following are my new logs. Thanks.

HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:49 PM, on 03/19/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\CBTWlanSrv.exe
e:\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
c:\program files\linksys\wpc300n\wpc300n.exe
C:\Documents and Settings\RUPAL K\Desktop\HJT\scanner.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229261257930
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229261234246
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.microtrac.com/Remote/msrdp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - e:\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


--
End of file - 8304 bytes


COMBOFIX LOG:
ComboFix 09-03-18.01 - RUPAL K 2009-03-19 20:37:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1581 [GMT -4:00]
Running from: c:\documents and settings\RUPAL K\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.


2009-03-15 09:25 . 2009-03-15 09:25 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-15 09:25 . 2009-03-15 09:25 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-01 11:32 . 2009-03-01 11:32 <DIR> d-------- c:\documents and settings\RUPAL K\Application Data\Malwarebytes
2009-03-01 11:32 . 2009-03-01 11:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-27 20:29 . 2009-02-27 20:28 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-02-27 20:29 . 2009-02-27 20:28 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2009-02-26 23:05 . 2004-03-11 17:09 <DIR> d--h----- c:\documents and settings\Administrator.RK-LAPTOP\WLANProfiles
2009-02-26 23:05 . 2004-03-11 17:11 <DIR> d-------- c:\documents and settings\Administrator.RK-LAPTOP\Bluetooth Software
2009-02-26 23:05 . 2004-03-11 17:22 <DIR> d-------- c:\documents and settings\Administrator.RK-LAPTOP\Application Data\Symantec
2009-02-26 23:05 . 2004-03-11 17:20 <DIR> d-------- c:\documents and settings\Administrator.RK-LAPTOP\Application Data\Sonic
2009-02-26 23:05 . 2009-02-26 23:05 <DIR> d-------- c:\documents and settings\Administrator.RK-LAPTOP


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 00:30 --------- d-----w c:\program files\Viewpoint
2009-03-20 00:30 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-15 15:42 --------- d-----w c:\program files\Common Files\Apple
2009-03-15 15:41 --------- d-----w c:\program files\Bonjour
2009-03-15 15:30 --------- d-----w c:\documents and settings\RUPAL K\Application Data\Lavasoft
2009-03-15 14:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-28 00:28 --------- d-----w c:\program files\Java
2009-01-21 02:08 --------- d-----w c:\program files\PowerQuest
2008-09-07 21:27 150,096 ----a-w c:\documents and settings\RUPAL K\Application Data\GDIPFONTCACHEV1.DAT
2008-02-04 01:49 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.


((((((((((((((((((((((((((((( SnapShot@2009-02-27_18.55.22.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\SYSTEM32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\SYSTEM32\advpack.dll
- 2009-02-27 23:25:26 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-03-20 00:32:56 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2009-02-27 23:25:26 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-03-20 00:32:56 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2001-11-01 02:45:08 134,144 ----a-w c:\windows\SYSTEM32\DDOC.EXE
+ 2001-11-01 02:45:32 137,728 ----a-w c:\windows\SYSTEM32\Ddoc32.dll
- 2008-10-16 20:38:34 124,928 -c----w c:\windows\SYSTEM32\DLLCACHE\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c----w c:\windows\SYSTEM32\DLLCACHE\advpack.dll
- 2008-10-16 20:38:34 347,136 -c----w c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c----w c:\windows\SYSTEM32\DLLCACHE\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 -c----w c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c----w c:\windows\SYSTEM32\DLLCACHE\dxtrans.dll
- 2008-10-16 20:38:35 133,120 -c----w c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c----w c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
- 2008-10-16 20:38:35 63,488 -c----w c:\windows\SYSTEM32\DLLCACHE\icardie.dll
+ 2008-12-20 23:15:13 63,488 -c----w c:\windows\SYSTEM32\DLLCACHE\icardie.dll
- 2008-10-16 13:11:09 70,656 -c----w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c----w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 -c----w c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c----w c:\windows\SYSTEM32\DLLCACHE\ieakeng.dll
- 2008-10-16 20:38:35 230,400 -c----w c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c----w c:\windows\SYSTEM32\DLLCACHE\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c----w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c----w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
- 2008-10-16 20:38:35 383,488 -c----w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 -c----w c:\windows\SYSTEM32\DLLCACHE\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 -c----w c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c----w c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
- 2008-10-16 20:38:37 44,544 -c----w c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c----w c:\windows\SYSTEM32\DLLCACHE\iernonce.dll
- 2008-10-16 20:38:37 267,776 -c----w c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
+ 2008-12-20 23:15:22 267,776 -c----w c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c----w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c----w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c----w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
- 2008-10-16 20:38:37 27,648 -c----w c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c----w c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
- 2008-10-16 20:38:37 459,264 -c----w c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 -c----w c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
- 2008-10-16 20:38:37 52,224 -c----w c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 -c----w c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 -c----w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
- 2008-10-16 20:38:38 477,696 -c----w c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c----w c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
- 2008-10-16 20:38:38 193,024 -c----w c:\windows\SYSTEM32\DLLCACHE\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c----w c:\windows\SYSTEM32\DLLCACHE\msrating.dll
- 2008-10-16 20:38:39 671,232 -c----w c:\windows\SYSTEM32\DLLCACHE\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c----w c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2008-10-16 20:38:39 102,912 -c----w c:\windows\SYSTEM32\DLLCACHE\occache.dll
+ 2008-12-20 23:15:38 102,912 -c----w c:\windows\SYSTEM32\DLLCACHE\occache.dll
- 2008-10-16 20:38:39 44,544 -c----w c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c----w c:\windows\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\SYSTEM32\DLLCACHE\schannel.dll
+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\SYSTEM32\DLLCACHE\shell32.dll
- 2008-10-16 20:38:39 105,984 -c----w c:\windows\SYSTEM32\DLLCACHE\url.dll
+ 2008-12-20 23:15:39 105,984 -c----w c:\windows\SYSTEM32\DLLCACHE\url.dll
- 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c----w c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
- 2008-10-16 20:38:39 233,472 -c----w c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c----w c:\windows\SYSTEM32\DLLCACHE\webcheck.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
- 2008-10-16 20:38:40 826,368 -c----w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c----w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\SYSTEM32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\SYSTEM32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\SYSTEM32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\SYSTEM32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ------w c:\windows\SYSTEM32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ------w c:\windows\SYSTEM32\extmgr.dll
- 2009-01-18 14:15:14 351,072 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2009-03-15 01:49:37 351,072 ----a-w c:\windows\SYSTEM32\FNTCACHE.DAT
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\SYSTEM32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\SYSTEM32\icardie.dll
- 2008-10-16 13:11:09 70,656 ----a-w c:\windows\SYSTEM32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\SYSTEM32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ------w c:\windows\SYSTEM32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\SYSTEM32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w c:\windows\SYSTEM32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\SYSTEM32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w c:\windows\SYSTEM32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\SYSTEM32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\SYSTEM32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\SYSTEM32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ------w c:\windows\SYSTEM32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\SYSTEM32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\SYSTEM32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\SYSTEM32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ------w c:\windows\SYSTEM32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\SYSTEM32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\SYSTEM32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\SYSTEM32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\SYSTEM32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\SYSTEM32\ieudinit.exe
- 2004-03-11 20:54:50 24,670 ----a-w c:\windows\SYSTEM32\java.exe
+ 2009-02-28 00:28:38 144,792 ----a-w c:\windows\SYSTEM32\java.exe
- 2004-03-11 20:54:50 28,768 ----a-w c:\windows\SYSTEM32\javaw.exe
+ 2009-02-28 00:28:38 144,792 ----a-w c:\windows\SYSTEM32\javaw.exe
+ 2009-02-28 00:28:38 148,888 ----a-w c:\windows\SYSTEM32\javaws.exe
+ 2000-04-26 18:34:56 39,424 ----a-w c:\windows\SYSTEM32\JETCOMP.exe
- 2008-10-16 20:38:37 27,648 ------w c:\windows\SYSTEM32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ------w c:\windows\SYSTEM32\jsproxy.dll
+ 2009-02-25 16:55:00 24,768,960 ----a-w c:\windows\SYSTEM32\MRT.exe
+ 2000-04-26 18:34:44 344,064 ----a-w c:\windows\SYSTEM32\msexch35.dll
+ 2000-04-26 18:34:46 252,688 ----a-w c:\windows\SYSTEM32\msexcl35.dll
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\SYSTEM32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\SYSTEM32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\SYSTEM32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\SYSTEM32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\SYSTEM32\mshtml.dll
+ 2009-01-17 02:35:14 3,594,752 ----a-w c:\windows\SYSTEM32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\SYSTEM32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\SYSTEM32\mshtmled.dll
+ 2000-04-26 18:34:48 1,050,896 ----a-w c:\windows\SYSTEM32\msjet35.dll
+ 2000-04-26 18:35:02 139,264 ----a-w c:\windows\SYSTEM32\msjint35.dll
+ 2000-04-26 18:34:48 1,238,288 ----a-w c:\windows\SYSTEM32\msjt4jlt.dll
+ 2000-04-26 18:34:56 24,848 ----a-w c:\windows\SYSTEM32\msjter35.dll
- 2000-09-18 21:12:40 169,984 ------w c:\windows\SYSTEM32\MSLTUS35.DLL
+ 2000-04-26 18:34:50 168,720 ----a-w c:\windows\SYSTEM32\msltus35.dll
+ 2000-04-26 18:34:50 250,128 ----a-w c:\windows\SYSTEM32\mspdox35.dll
- 2008-10-16 20:38:38 193,024 ------w c:\windows\SYSTEM32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ------w c:\windows\SYSTEM32\msrating.dll
- 2000-09-18 21:12:40 251,664 ------w c:\windows\SYSTEM32\MSRD2X35.DLL
+ 2000-04-26 18:34:50 262,144 ----a-w c:\windows\SYSTEM32\msrd2x35.dll
+ 2000-04-26 18:34:56 415,504 ----a-w c:\windows\SYSTEM32\msrepl35.dll
+ 2000-04-26 18:34:58 44,304 ----a-w c:\windows\SYSTEM32\msrpfs35.dll
+ 2000-04-26 18:34:52 166,672 ----a-w c:\windows\SYSTEM32\mstext35.dll
- 2008-10-16 20:38:39 671,232 ------w c:\windows\SYSTEM32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ------w c:\windows\SYSTEM32\mstime.dll
+ 2000-04-26 18:34:52 294,912 ----a-w c:\windows\SYSTEM32\msxbse35.dll
- 2009-02-27 23:17:29 72,031 ----a-w c:\windows\SYSTEM32\nvModes.dat
+ 2009-03-04 13:43:59 72,031 ----a-w c:\windows\SYSTEM32\nvModes.dat
- 2008-10-16 20:38:39 102,912 ------w c:\windows\SYSTEM32\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\SYSTEM32\occache.dll
- 2008-11-17 03:34:47 66,544 ----a-w c:\windows\SYSTEM32\PERFC009.DAT
+ 2009-03-19 04:23:16 66,544 ----a-w c:\windows\SYSTEM32\PERFC009.DAT
- 2008-11-17 03:34:47 413,786 ----a-w c:\windows\SYSTEM32\PERFH009.DAT
+ 2009-03-19 04:23:16 413,786 ----a-w c:\windows\SYSTEM32\PERFH009.DAT
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\SYSTEM32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\SYSTEM32\pngfilt.dll
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\SYSTEM32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\SYSTEM32\schannel.dll
- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\SYSTEM32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\SYSTEM32\shell32.dll
- 2007-11-30 12:39:22 17,272 ------w c:\windows\SYSTEM32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\SYSTEM32\spmsg.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\SYSTEM32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\SYSTEM32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\SYSTEM32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\SYSTEM32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\SYSTEM32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\SYSTEM32\webcheck.dll
- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\SYSTEM32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\SYSTEM32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\SYSTEM32\wininet.dll
+ 2009-03-20 00:44:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_37c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-08-11 08:22 180290 c:\windows\SYSTEM32\LgNotify.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP62"= SP6X_32.DLL


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
pmkNotification Packages REG_MULTI_SZ scecli c:\windows\system32\kipelebi.dll


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2006-10-23 02:48 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2004-03-04 20:59 487424 c:\program files\Dell\QuickSet\quickset.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-12-15 21:47 188416 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb07.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 01:50 204800 c:\program files\Microsoft IntelliPoint\point32.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2003-09-04 11:45 135214 c:\program files\Common Files\Logitech\QCDriver2\LVComS.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2003-12-12 16:22 217088 c:\program files\Dell\Media Experience\PCMService.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-27 20:28 148888 c:\program files\Java\jre6\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--------- 2008-04-13 20:12 110592 c:\windows\SYSTEM32\bthprops.cpl


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
--a------ 2002-10-17 12:54 4608 c:\windows\SYSTEM32\carpserv.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 20:11 177152 c:\windows\SYSTEM32\mqrt.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-07-06 20:52 1519616 c:\windows\SYSTEM32\nwiz.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\RUPAL K\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Linksys\\WPC300N\\WPC300N.exe"=
"c:\\WINDOWS\\SYSTEM32\\ZCfgSvc.exe"=


R2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [2008-07-16 106496]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [2001-08-17 14336]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPMp50.sys --> c:\windows\system32\Drivers\CBPMp50.sys [?]
S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\CBPSp50.sys [2008-07-16 27072]
S3 ICDUSB2;Sony IC Recorder (ST);c:\windows\SYSTEM32\DRIVERS\IcdUsb2.sys [2004-06-26 39048]
S3 jswimd;jswimd Service;c:\windows\system32\DRIVERS\jswimd.sys --> c:\windows\system32\DRIVERS\jswimd.sys [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\SYSTEM32\DRIVERS\LV532AV.SYS [2005-03-13 152576]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\SYSTEM32\DRIVERS\V0060Vid.sys [2006-12-03 196409]
S3 WPC300N;Linksys Wireless Notebook Adapter WPC300N Driver;c:\windows\SYSTEM32\DRIVERS\WPC300N.SYS [2008-07-16 822400]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{189c7230-ad91-11dd-94e7-0010c62add1d}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f135360-fffb-11da-9931-0010c62add1d}]
\Shell\Explore\command - explorer.exe /n,/e ,.
\Shell\Launch\command - D:\portablevaultaes.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa8ec210-c9e1-11dd-94f2-0010c62add1d}]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder


2008-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []


2008-10-11 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]


2008-10-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -


MSConfigStartUp-ccf4e68e - c:\windows\system32\kenahapu.dll
MSConfigStartUp-CPMcfc7d512 - c:\windows\system32\gotujumu.dll
MSConfigStartUp-nobepedewo - c:\windows\system32\tojowebo.dll



.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
------- File Associations -------
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.


**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-19 20:46:07
Windows 5.1.2600 Service Pack 3 NTFS


scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???8???????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????


scanning hidden files ...

scan completed successfully
hidden files: 0


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------


[HKEY_USERS\S-1-5-21-3210340476-2909643614-2966071208-1007\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000


[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'winlogon.exe'(1628)
c:\windows\system32\LgNotify.dll
c:\windows\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\SYSTEM32\S24EvMon.exe
c:\windows\SYSTEM32\WLTRYSVC.EXE
c:\windows\SYSTEM32\BCMWLTRY.EXE
c:\windows\SYSTEM32\ZCfgSvc.exe
c:\windows\SYSTEM32\1XConfig.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\Bluetooth Software\bin\btwdins.exe
e:\cisco systems\VPN Client\cvpnd.exe
c:\windows\SYSTEM32\imapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\windows\SYSTEM32\msdtc.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\RegSrvc.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\mqsvc.exe
c:\windows\SYSTEM32\mqtgsvc.exe
c:\windows\SYSTEM32\WBEM\wmiapsrv.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Linksys\WPC300N\WPC300N.exe
.
**************************************************************************
.
Completion time: 2009-03-19 20:50:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 00:50:29
ComboFix2.txt 2009-02-28 02:50:52
ComboFix3.txt 2009-02-27 23:56:50


Pre-Run: 467,492,864 bytes free
Post-Run: 454,443,008 bytes free


418 --- E O F --- 2009-03-15 01:48:16
*****************************************************


#7 chryssi2001

chryssi2001

  • Members
  • 1,930 posts

Posted 20 March 2009 - 02:03 PM

Hello nobrainer22,

It looks like most of the infection is gone. Some remnants remain, and we'll remove them.
----------------------------------------------
Remove MS Java
The Microsoft Java Virtual Machine, or MS Java VM, is used to run Java applets that can be found on web sites. When you visit a web site that has a Java applet, the MS JVM will compile and execute that applet on your machine. Microsoft no longer supports the MS JVM and it has become obsolete. There have also been known security issues with unpatched versions of the MS JVM and you should remove it and install the safer SUN JVM as an alternative (instructions follow).
Instructions on how to remove MS Java can be found here

If you have a problem following the above instructions you can use this tool to remove MSJava.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/207418/vundo-virus-malware-removal-assistance/?p=1184547
    Collect::
    c:\windows\system32\kipelebi.dll
    
    Folder::
    c:\program files\Viewpoint
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
----------------------------------------------
Post back:
Combofix report.
Kaspersky report, and let me know how the pc is running now.
A HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#8 chryssi2001

chryssi2001

  • Members
  • 1,930 posts

Posted 20 March 2009 - 03:41 PM

Hello nobrainer22,

In addition to the above, can you please do this and post back the report?

Go to Start and then Run, and type

cmd

and press OK.

Now, copy/paste the following into the Command Prompt:

SWREG EXPORT "HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa" >> C:\lsa.txt

Click exit in the Command Prompt window.

Now Double-click on My Computer, and go to your C:\ Drive.

Find C:\lsa.txt, open it in Notepad, and post the contents back here.
Private Messages for personal support will be ignored. If you need help post in the forum.
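The export requested above is read by eye in this thread; the ComboFix log earlier shows why it matters (the LSA "Notification Packages" value listed scecli plus c:\windows\system32\kipelebi.dll, and lsass.exe loads every DLL named there at boot). The following is an added example, not ComboFix, SWREG or HijackThis code, that does the same check programmatically: it parses a regedit-style export of the LSA key and reports any Notification Packages entry beyond the stock scecli. It assumes the export uses the standard regedit format, where REG_MULTI_SZ values are written as hex(7): byte lists (UTF-16LE under a "Windows Registry Editor Version 5.00" header, ANSI under REGEDIT4); the sample export embedded in it is constructed from the Notification Packages line in the ComboFix log.

```python
"""Check an exported LSA key for unexpected Notification Packages.

Added example for this thread; it is not ComboFix, SWREG or HijackThis code.
Assumption: the export is in standard regedit format, where REG_MULTI_SZ
values appear as hex(7): byte lists, UTF-16LE under a
"Windows Registry Editor Version 5.00" header and ANSI under "REGEDIT4".
The sample export below is constructed from the Notification Packages
line in the ComboFix log (scecli plus kipelebi.dll).
"""
import re

# Stock value of Notification Packages on an XP workstation: only scecli.
# Anything else is a DLL that lsass.exe loads at boot and deserves a look.
KNOWN_PACKAGES = {"scecli"}


def encode_multi_sz(strings, unicode_export=True):
    """Encode a REG_MULTI_SZ as regedit's 'hex(7):' text, wrapped with
    trailing backslashes the way regedit wraps long values."""
    raw = "".join(s + "\0" for s in strings) + "\0"  # NUL-separated, double-NUL end
    data = raw.encode("utf-16-le" if unicode_export else "latin-1")
    lines, cur = [], "hex(7):"
    for b in data:
        if len(cur) + 3 > 76:
            lines.append(cur + "\\")
            cur = "  "
        cur += f"{b:02x},"
    lines.append(cur.rstrip(","))
    return "\n".join(lines)


def _unwrap(text):
    """Join regedit continuation lines (trailing backslash) into single lines."""
    out, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append(buf + stripped)
        buf = ""
    return out


def parse_multi_sz(text, value_name):
    """Return the strings of the named REG_MULTI_SZ value, or None if absent."""
    unicode_export = text.lstrip().startswith("Windows Registry Editor")
    pattern = re.compile(r'^"' + re.escape(value_name) + r'"=hex\(7\):(.*)$', re.I)
    for line in _unwrap(text):
        m = pattern.match(line)
        if not m:
            continue
        data = bytes(int(h, 16) for h in m.group(1).split(",") if h)
        decoded = data.decode("utf-16-le" if unicode_export else "latin-1")
        return [s for s in decoded.split("\0") if s]
    return None


def unexpected_packages(text):
    """Notification Packages entries not in KNOWN_PACKAGES; None if the
    value is missing from the export."""
    packages = parse_multi_sz(text, "Notification Packages")
    if packages is None:
        return None
    return [p for p in packages if p.lower() not in KNOWN_PACKAGES]


def load_export(path):
    """Read a .reg file; regedit 5.00 exports are UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if blob.startswith(b"\xff\xfe"):
        return blob.decode("utf-16")
    return blob.decode("latin-1")


# Constructed sample standing in for the C:\lsa.txt requested in the thread.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    '"Authentication Packages"=' + encode_multi_sz(["msv1_0"]) + "\n"
    '"Notification Packages"='
    + encode_multi_sz(["scecli", "c:\\windows\\system32\\kipelebi.dll"]) + "\n"
)

if __name__ == "__main__":
    import sys
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    extra = unexpected_packages(text)
    if extra is None:
        print("Notification Packages value not found in export")
    elif not extra:
        print("Notification Packages: only stock entries")
    else:
        for p in extra:
            print("UNEXPECTED Notification Package:", p)
```

Run it with the exported file as its only argument (it falls back to the constructed sample when run without one). A stock entry is a bare module name such as scecli; a full path to a DLL in system32, as in the log above, is exactly what this check surfaces.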

#9 nobrainer22

nobrainer22
  • Topic Starter

  • Members
  • 13 posts
  • Location:Pennsylvania

Posted 20 March 2009 - 09:30 PM

Chryssi2001:

Please review the following logs. I really appreciate your assistance. Laptop is running OK so far. Can you tell me how to be a volunteer here and what kind of training is required? I am good at computers, have MS System Analyst certification. Thanks.

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:54 PM, on 03/20/09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\CBTWlanSrv.exe
e:\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\linksys\wpc300n\wpc300n.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\RUPAL K\Desktop\HJT\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229261257930
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229261234246
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.microtrac.com/Remote/msrdp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: CBT Wlan Service (CBTWlanSrv) - Unknown owner - C:\WINDOWS\CBTWlanSrv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - e:\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8439 bytes

COMBOFIX LOG:

ComboFix 09-03-18.01 - RUPAL K 2009-03-20 20:09:10.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1578 [GMT -4:00]
Running from: c:\documents and settings\RUPAL K\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RUPAL K\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Viewpoint
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll
c:\program files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\AtmoHWConfig.txt
c:\program files\Viewpoint\Viewpoint Media Player\Components\atmosphere.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\AvatarsDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\Components\BlueStreak.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\BookmarksDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\Components\DefaultAvatarIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\Components\DefaultWorldIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\Components\ExtremeShot.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\InternetChatHelp.url
c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\LensFlares.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Mts2Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\ObjectMovie.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\ServiceComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VectorView.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VETsdk.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\ZoomView.dll
c:\program files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\AtmoHWConfig.txt
c:\program files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\AvatarsDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\BookmarksDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\DefaultAvatarIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\DefaultWorldIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\DownloadedComponents\atmosphere_Win\InternetChatHelp.url
c:\program files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
c:\program files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AtmoHWConfig.txt
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AvatarsDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\BookmarksDefault.prf
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultAvatarIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\DefaultWorldIcon.jpg
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\InternetChatHelp.url
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt

.
((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-19 22:06 . 2009-03-19 22:06 <DIR> d-------- C:\cabs
2009-03-15 09:25 . 2009-03-15 09:25 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-15 09:25 . 2009-03-15 09:25 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-01 11:32 . 2009-03-01 11:32 <DIR> d-------- c:\documents and settings\RUPAL K\Application Data\Malwarebytes
2009-03-01 11:32 . 2009-03-01 11:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-27 20:29 . 2009-02-27 20:28 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-02-27 20:29 . 2009-02-27 20:28 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2009-02-26 23:05 . 2004-03-11 17:09 <DIR> d--h----- c:\documents and settings\Administrator.RK-LAPTOP\WLANProfiles
2009-02-26 23:05 . 2004-03-11 17:11 <DIR> d-------- c:\documents and settings\Administrator.RK-LAPTOP\Bluetooth Software
2009-02-26 23:05 . 2004-03-11 17:22 <DIR> d-------- c:\documents and settings\Administrator.RK-LAPTOP\Application Data\Symantec
2009-02-26 23:05 . 2004-03-11 17:20 <DIR> d-------- c:\documents and settings\Administrator.RK-LAPTOP\Application Data\Sonic
2009-02-26 23:05 . 2009-02-26 23:05 <DIR> d-------- c:\documents and settings\Administrator.RK-LAPTOP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 00:30 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-15 15:42 --------- d-----w c:\program files\Common Files\Apple
2009-03-15 15:41 --------- d-----w c:\program files\Bonjour
2009-03-15 15:30 --------- d-----w c:\documents and settings\RUPAL K\Application Data\Lavasoft
2009-03-15 14:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-28 00:28 --------- d-----w c:\program files\Java
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-01-21 02:08 --------- d-----w c:\program files\PowerQuest
2008-09-07 21:27 150,096 ----a-w c:\documents and settings\RUPAL K\Application Data\GDIPFONTCACHEV1.DAT
2008-02-04 01:49 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-03-19_20.49.11.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-20 00:32:56 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-03-20 23:32:15 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2009-03-20 00:32:56 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-03-20 23:32:15 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-03-20 23:36:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_75c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-08-11 08:22 180290 c:\windows\SYSTEM32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP62"= SP6X_32.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
pmkNotification Packages REG_MULTI_SZ scecli c:\windows\system32\kipelebi.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2006-10-23 02:48 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2004-03-04 20:59 487424 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-12-15 21:47 188416 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 01:50 204800 c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2003-09-04 11:45 135214 c:\program files\Common Files\Logitech\QCDriver2\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2003-12-12 16:22 217088 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-27 20:28 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--------- 2008-04-13 20:12 110592 c:\windows\SYSTEM32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
--a------ 2002-10-17 12:54 4608 c:\windows\SYSTEM32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 20:11 177152 c:\windows\SYSTEM32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-07-06 20:52 1519616 c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\RUPAL K\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Linksys\\WPC300N\\WPC300N.exe"=
"c:\\WINDOWS\\SYSTEM32\\ZCfgSvc.exe"=

R2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [2008-07-16 106496]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [2001-08-17 14336]
R3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\CBPSp50.sys [2008-07-16 27072]
R3 WPC300N;Linksys Wireless Notebook Adapter WPC300N Driver;c:\windows\SYSTEM32\DRIVERS\WPC300N.SYS [2008-07-16 822400]
S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPMp50.sys --> c:\windows\system32\Drivers\CBPMp50.sys [?]
S3 ICDUSB2;Sony IC Recorder (ST);c:\windows\SYSTEM32\DRIVERS\IcdUsb2.sys [2004-06-26 39048]
S3 jswimd;jswimd Service;c:\windows\system32\DRIVERS\jswimd.sys --> c:\windows\system32\DRIVERS\jswimd.sys [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\SYSTEM32\DRIVERS\LV532AV.SYS [2005-03-13 152576]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\SYSTEM32\DRIVERS\V0060Vid.sys [2006-12-03 196409]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{189c7230-ad91-11dd-94e7-0010c62add1d}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f135360-fffb-11da-9931-0010c62add1d}]
\Shell\Explore\command - explorer.exe /n,/e ,.
\Shell\Launch\command - D:\portablevaultaes.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa8ec210-c9e1-11dd-94f2-0010c62add1d}]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-10-11 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-10-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 20:11:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???8???????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3210340476-2909643614-2966071208-1007\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1620)
c:\windows\system32\LgNotify.dll
c:\windows\System32\NavLogon.dll
.
Completion time: 2009-03-20 20:14:07
ComboFix-quarantined-files.txt 2009-03-21 00:13:50
ComboFix2.txt 2009-03-20 00:50:42
ComboFix3.txt 2009-02-28 02:50:52
ComboFix4.txt 2009-02-27 23:56:50

Pre-Run: 439,205,888 bytes free
Post-Run: 423,968,768 bytes free

231 --- E O F --- 2009-03-15 01:48:16

KASPERSKY LOG:

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 21, 2009 01:43:55
Records in database: 1942823
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
E:\
F:\

Scan statistics:
Files scanned: 67195
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:22:22

No malware has been detected. The scan area is clean.

The selected area was scanned.

LSA.TXT:

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format

Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format

SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg

DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.

#10 chryssi2001

  • Members
  • 1,930 posts

Posted 21 March 2009 - 02:17 AM

Hello nobrainer22,

Can you tell me how to be a volunteer here and what kind of training is required? I am good at computers, have MS System Analyst certification. Thanks.

Yes, as I am not sure BC accepts new members for training, I will have to ask and let you know, but if not, you can be trained in the University which is in my signature.

Training includes learning about infections and how to deal with them, reading and understanding reports, using tools to clean infected computers, etc.

I really appreciate your assistance. Laptop is running OK so far.

That's good, but we still have an infected file and I need you to re-do the step below:

There is something wrong with the registry export I asked for.

Can you repeat this please? I might have missed a step.

Go to Start and then Run, and type

cmd

and press OK.

Now, copy/paste the following in the quote box into the Command Prompt:

SWREG EXPORT "HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa" >> C:\lsa.txt

(If you're not sure how to paste into the Command Prompt, copy the above as normal. Then, right-click at the Command Prompt, and select Paste.)

Hit Enter.

Click exit in the Command Prompt window.

Now double-click on My Computer, and go to your C:\ Drive.

Find C:\lsa.txt, open it in Notepad, and post the contents back here.


Can you also tell me what this folder is? It was created lately.
2009-03-19 C:\cabs

Edited by chryssi2001, 21 March 2009 - 02:32 AM.


#11 nobrainer22

  • Topic Starter
  • Members
  • 13 posts
  • Location:Pennsylvania

Posted 21 March 2009 - 05:57 PM

Chryssi2001:

None of us missed a step. I pasted the same way as you have suggested and the QUOTE BOX text is the same as before. Following is my new LSA.TXT:

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006


SWReg EXPORT KeyName FileName [/nt4]

Keyname ROOTKEY\SubKey (local machine only)
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey The full name of a registry key under the selected ROOTKEY
FileName The name of the disk file to export
/nt4 Output reg file as old NT4 format


Examples:

SWReg EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg /nt4
Exports all subkeys and values of the key MyApp to the file AppBkUp.reg
in the nt4 reg format


SWReg EXPORT HKLM\Software\MyCo MyCoBkUp.reg
Exports the hive MyCo to the file MyCoBkUp.reg


DISCLAIMER
Official download location: SteelWerX (http://www.xs4all.nl/~fstaal01)
Mirrors: Atribune.org (http://www.atribune.org)
BleepingComputer.com (http://www.bleepingcomputer.com)
Spyware Times (http://www.spywaretimes.com)

SteelWerX is not liable for damages of any kind arising from the use of
this program.


*******************************************
The folder C:\Cabs is not a suspect; it contains GWScan hard drive diagnostic utility from Gateway Computers that I extracted for a friend's laptop. I believe the HD is dead.

I registered myself at malwarebytes removal university website but I didn't see any section on training. Thanks.

Nobrainer22

Edited by nobrainer22, 21 March 2009 - 05:59 PM.


#12 chryssi2001

  • Members
  • 1,930 posts

Posted 22 March 2009 - 06:16 AM

Hello nobrainer22,

I registered myself at malwarebytes removal university website but I didn't see any section on training. Thanks.

You are welcome. Now that you have signed in, can you see this page?
http://www.malwareremoval.com/university.php
There is an application form at the bottom of that page.
----------------------------------------------
I used the directions I gave you and I have a complete export of that registry key in my lsa.txt, so I can't understand why it doesn't work. The result you posted looks as if you pasted only SWREG EXPORT into the cmd window and pressed Enter; that gives the results you posted. Let's try a different tool to export that key.
----------------------------------------------
Please download RegQuery by Noviciate to your desktop
  • Double click RegQuery.exe to run the program
  • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
  • Paste the text you have copied using CTRL and V, into the textbox
  • Click the Query button
  • A Notepad file will open. Please paste the contents in your next reply
  • You may now close the RegQuery program.

Edited by chryssi2001, 22 March 2009 - 06:45 AM.

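
The reason the helper keeps asking for this one key: LSA notification packages are DLLs that lsass.exe loads at boot and calls on every password change, so a DLL that is not a Microsoft package listed there is both a persistence point and a position to capture credentials, and the ComboFix log earlier in this thread already showed c:\windows\system32\kipelebi.dll under such a value. The export comes back in .reg syntax, where REG_MULTI_SZ values are written as hex(7): comma-separated UTF-16LE bytes, NUL-separated strings, wrapped with a trailing backslash. The following Python is an added example, not code from this thread, from RegQuery or from any other tool named here. It decodes those values and lists every notification-package entry that is not the stock scecli package. The sample export is constructed to mirror the shape of the RegQuery output posted in this thread, and the set of stock packages is an assumption for a stand-alone XP workstation.

```python
"""Decode LSA "Notification Packages" entries from a .reg-style export.

Added example for this thread. It parses the hex(7) (REG_MULTI_SZ) encoding
used by .reg files and flags notification-package DLLs that are not the
stock package, the check the helper wanted to run on the exported LSA key.
"""
import re

# Constructed sample in the shape of the RegQuery output posted in this thread.
# The DLL path is the one the ComboFix log in this thread reported under the
# same value name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"LsaPid"=dword:000004e8
"pmkNotification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,43,\
  00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6b,00,69,00,70,00,65,00,6c,00,65,\
  00,62,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
'''

# Assumption: on a stand-alone XP workstation only scecli belongs here. Domain
# controllers register additional Microsoft packages, so extend this set
# before running the check against one.
STOCK_LSA_PACKAGES = {"scecli"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def join_continuations(text):
    """Merge .reg lines that end with a backslash into one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def decode_multi_sz(hexdata):
    """Turn 'xx,xx,...' hex(7) data into the list of strings it encodes."""
    raw = bytes.fromhex(hexdata.replace(",", ""))
    # UTF-16LE, NUL-separated, with an empty string marking the end of the list.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_reg(text):
    """Return {key: {value_name: value}}; hex(7) -> list[str], dword -> int."""
    result, current = {}, None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("hex(7):"):
            result[current][name] = decode_multi_sz(data[len("hex(7):"):])
        elif data.startswith("dword:"):
            result[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            result[current][name] = data[1:-1]
        else:
            result[current][name] = data  # other hex types kept raw
    return result


def scan_lsa(text):
    """List (value_name, entry) for every notification-package entry that is
    not a stock package. Every value whose name ends in 'Notification Packages'
    is checked, because the export in this thread carries the DLL under a
    prefixed value name as well as the usual one."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith("\\control\\lsa"):
            continue
        for name, entries in values.items():
            if not name.lower().endswith("notification packages"):
                continue
            if not isinstance(entries, list):
                continue
            for entry in entries:
                if entry.lower() not in STOCK_LSA_PACKAGES:
                    findings.append((name, entry))
    return findings


if __name__ == "__main__":
    for name, entry in scan_lsa(SAMPLE_REG):
        print(f"non-stock LSA notification package in '{name}': {entry}")
```

Run against the constructed sample it reports the kipelebi.dll path under the pmkNotification Packages value and nothing for the plain Notification Packages value, which only carries scecli; point it at a real export by reading the file into parse_reg instead of SAMPLE_REG. A full path in this list is the thing to look at first: stock packages are given by module name and resolved from the system directory, not by an explicit path.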

#13 nobrainer22

  • Topic Starter
  • Members
  • 13 posts
  • Location:Pennsylvania

Posted 22 March 2009 - 01:34 PM

Good Afternoon, Chryssi2001:

I found the MRU application page... thanks. I retried on the CMD page but it didn't export the registry keys. I also went into the Registry and manually exported the Lsa key, but it was not the same as below using REGQUERY. Thanks for being patient.

RegQuery Result
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:000004e8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000000
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"pmkNotification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,43,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6b,00,69,00,70,00,65,00,6c,00,65,\
00,62,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data]
"Pattern"=hex:c1,b3,14,6f,16,f0,9a,f5,7b,b8,72,34,26,9e,95,36,63,33,61,36,64,\
34,33,64,00,00,00,00,01,00,00,00,b4,01,00,00,b8,01,00,00,34,ca,06,00,45,9d,\
bf,71,04,00,00,00,10,00,00,00,00,00,00,00,cf,33,9c,62

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG]
"GrafBlumGroup"=hex:24,fb,fa,8c,b7,62,91,42,80

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD]
"Lookup"=hex:ba,a0,c7,9f,1c,8b

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
"Auth132"="iissuba"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1]
"SkewMatrix"=hex:0d,5e,35,d8,cb,29,0a,14,91,3c,8d,a4,0b,00,b0,e8

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache]
"Time"=hex:e0,06,20,bc,47,05,c9,01

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,54,cf,23,c4,9d,c8,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,db,62,27,c4,9d,c8,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,08,94,28,c4,9d,c8,01
"Type"=dword:00000031

#14 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:08:31 PM

Posted 22 March 2009 - 02:06 PM

Hello nobrainer22,

You have a strange registry key in there, which holds a bad file.

I need to ask some help, and I'll be back.

Did you or anyone make changes to your registry?
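As an added example (not part of the thread or of any tool it mentions), this Python script decodes the hex(7) REG_MULTI_SZ values from the RegQuery export above and flags what chryssi2001 spotted: a value name LSA does not read, carrying a full DLL path next to the stock scecli entry. The EXPECTED baseline is an assumption taken from a stock XP SP3 install; adjust it to your own build.

```python
import re
# Excerpt of the RegQuery export posted above (the lsa key's hex(7) values only).
REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"pmkNotification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,43,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6b,00,69,00,70,00,65,00,6c,00,65,\
00,62,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
'''
# Package names a stock Windows XP SP3 registers (assumption: adjust to your own baseline).
EXPECTED = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}

def decode_multi_sz(hex_csv):
    """hex(7) is REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL terminated."""
    raw = bytes.fromhex(hex_csv.replace(",", ""))
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def lsa_packages(reg_text):
    """Rejoin backslash-continued .reg lines and decode every hex(7) value."""
    values, buf = {}, ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.endswith("\\"):  # continuation: keep accumulating
            buf += line[:-1]
            continue
        m = re.match(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,]+)$', buf + line)
        buf = ""
        if m:
            values[m.group(1)] = decode_multi_sz(m.group(2))
    return values

def suspicious_entries(values):
    """Flag value names LSA never reads, packages written as explicit paths, and unknown names."""
    findings = []
    for name, entries in values.items():
        if name not in EXPECTED:
            findings.append((name, "value name LSA does not read"))
        for e in entries:
            if "\\" in e or e.lower().endswith(".dll"):  # legit packages are bare names
                findings.append((name, "explicit DLL path: " + e))
            elif e.lower() not in EXPECTED.get(name, set()):
                findings.append((name, "unknown package: " + e))
    return findings
```

Run against the excerpt it reports only the pmkNotification Packages value, with kipelebi.dll as the explicit path; the genuine Security Packages and Notification Packages values decode cleanly to the expected names.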

#15 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:08:31 PM

Posted 22 March 2009 - 02:39 PM

Hello nobrainer22,

I am back :thumbup2:

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "pmkNotification Packages"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
