
Microsoft Update disabled and antivirus popups


This topic is locked
14 replies to this topic

#1 Pam Heinecke

  • Members
  • 9 posts

Posted 24 February 2010 - 07:30 PM

This computer is part of an office domain that is in an accounting firm in the middle of tax season. The user, one of our CPAs, is not very computer savvy and has inadvertently installed malware that has disabled Task Manager and Microsoft and Windows Update. We have Trend's Small Business Server software on the network, but it has failed to stop this from happening and cannot even find the problem to try to clean it.

Even though Trend is saying that the server and the other desktops are clean, the backup system is disabled and the Trend nightly scan failed.

This desktop appears to be fine until the user opens Internet Explorer. He immediately starts getting survey and anti-virus software (malware) offers.

The MU error messages vary, but one of them is 0x80070422 AU & BITS Not enabled in Windows Update. I have restarted each of the necessary services, but the malware disables them. Also 0x8DDD0018, and following those instructions fails as well.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Craig at 16:26:17.36 on Wed 02/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.152 [GMT -6:00]

AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning enabled* (Updated) {EE542BDC-E951-42BB-8F06-4CF6BA012293}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {EE542BDC-E951-42BB-8F06-4CF6BA012293}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\TEMP\HRA72F.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\Pop3Trap.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Craig.HUGHHEINECKECPA\Local Settings\Temporary Internet Files\Content.IE5\ITNLC5CR\hijackthis[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Craig.HUGHHEINECKECPA\Desktop\Defogger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Craig.HUGHHEINECKECPA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Updates Scheduler] c:\program files\common files\lacerte shared\update scheduler\UpdSched.EXE
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [OSCD_Creator] c:\dell\PreODM.EXE
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [RealTray] "c:\program files\real\realplayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [nalasunaj] Rundll32.exe "c:\windows\system32\tisehuza.dll",a
mRunOnce: [OSCD_Creator] c:\dell\PreODM.EXE /2
StartupFolder: c:\docume~1\craig~1.hug\startm~1\programs\startup\ta_start.lnk - c:\windows\system32\dwdsregt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi05e6~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262128005192
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262127996895
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://trendmicro.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\jepeyija.dll wogozote.dll c:\windows\system32\pihovosi.dll c:\windows\system32\tisehuza.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: nipisafes - {a7cc1f2f-7476-4063-989c-4c74d7ca2ed1} - c:\windows\system32\vikehobe.dll
SSODL: yemipeyup - {e25baae4-8e6b-47b7-8e69-4b5fd9aac1d1} - c:\windows\system32\nejagemu.dll
SSODL: wadebodej - {15f0c806-2e6b-42ca-aa4d-01cea885ac87} - c:\windows\system32\kahevezu.dll
SSODL: linefutir - {c4d58c17-ae3d-4e94-b8bc-b4068293e938} - c:\windows\system32\nikadeho.dll
SSODL: gijejiraf - {1197a962-0689-47d7-a734-f78ce5f88d4b} - c:\windows\system32\tunayiri.dll
SSODL: yorewifig - {d85beb43-d8ed-4ef0-b605-2ac411e7f762} - c:\windows\system32\dapotado.dll
SSODL: bodenezol - {8125378e-ac19-45e6-9dd3-5ca9023de314} - c:\windows\system32\tunayiri.dll
SSODL: vujafapes - {c2ce0175-d75e-4265-8667-164c4d8f65bf} - c:\windows\system32\tunayiri.dll
SSODL: mesemawih - {c9569449-23c9-480d-ab96-cb376ecb279f} - c:\windows\system32\dapotado.dll
SSODL: fayawidup - {ecd2e98b-ab02-4642-8e0e-6fd5754ff733} - c:\windows\system32\dapotado.dll
SSODL: rafahupuh - {68f186ce-6d31-4c43-a940-d5e6998dc29a} - c:\windows\system32\madipoha.dll
SSODL: mepizasah - {2dab26b1-41a3-4e8c-af55-89e5ec5a8ff8} - c:\windows\system32\tunayiri.dll
SSODL: dizopefeg - {829b4073-4fd2-4b96-b19f-7d318bae71df} - c:\windows\system32\jojubasa.dll
SSODL: zodakifif - {7de79d61-606f-4a9e-bd78-3cbfe56fb113} - c:\windows\system32\dapotado.dll
SSODL: sezodares - {1ec12f0e-908f-461d-b442-1eaab6c2e400} - c:\windows\system32\tisehuza.dll
SSODL: venimoler - {4602db38-b7a2-4bf8-b482-4570be2dec38} - c:\windows\system32\tisehuza.dll
SSODL: kejilebuw - {54e95371-0d1a-4537-82d8-97036b0833ad} - c:\windows\system32\tisehuza.dll
SSODL: puruyofor - {de44b957-175a-455d-ae35-cd8bda70b68e} - c:\windows\system32\tisehuza.dll
STS: gahurihor: {a7cc1f2f-7476-4063-989c-4c74d7ca2ed1} - c:\windows\system32\vikehobe.dll
STS: mujuzedij: {e25baae4-8e6b-47b7-8e69-4b5fd9aac1d1} - c:\windows\system32\nejagemu.dll
STS: tokatiluy: {15f0c806-2e6b-42ca-aa4d-01cea885ac87} - c:\windows\system32\kahevezu.dll
STS: gahurihor: {c4d58c17-ae3d-4e94-b8bc-b4068293e938} - c:\windows\system32\nikadeho.dll
STS: gahurihor: {1197a962-0689-47d7-a734-f78ce5f88d4b} - c:\windows\system32\tunayiri.dll
STS: jugezatag: {d85beb43-d8ed-4ef0-b605-2ac411e7f762} - c:\windows\system32\dapotado.dll
STS: jugezatag: {8125378e-ac19-45e6-9dd3-5ca9023de314} - c:\windows\system32\tunayiri.dll
STS: kupuhivus: {c2ce0175-d75e-4265-8667-164c4d8f65bf} - c:\windows\system32\tunayiri.dll
STS: mujuzedij: {c9569449-23c9-480d-ab96-cb376ecb279f} - c:\windows\system32\dapotado.dll
STS: tokatiluy: {ecd2e98b-ab02-4642-8e0e-6fd5754ff733} - c:\windows\system32\dapotado.dll
STS: tokatiluy: {68f186ce-6d31-4c43-a940-d5e6998dc29a} - c:\windows\system32\madipoha.dll
STS: mujuzedij: {2dab26b1-41a3-4e8c-af55-89e5ec5a8ff8} - c:\windows\system32\tunayiri.dll
STS: gahurihor: {829b4073-4fd2-4b96-b19f-7d318bae71df} - c:\windows\system32\jojubasa.dll
STS: jugezatag: {7de79d61-606f-4a9e-bd78-3cbfe56fb113} - c:\windows\system32\dapotado.dll
STS: mujuzedij: {1ec12f0e-908f-461d-b442-1eaab6c2e400} - c:\windows\system32\tisehuza.dll
STS: mujuzedij: {4602db38-b7a2-4bf8-b482-4570be2dec38} - c:\windows\system32\tisehuza.dll
STS: mujuzedij: {54e95371-0d1a-4537-82d8-97036b0833ad} - c:\windows\system32\tisehuza.dll
STS: kupuhivus: {de44b957-175a-455d-ae35-cd8bda70b68e} - c:\windows\system32\tisehuza.dll
SEH: {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli favariki.dll

============= SERVICES / DRIVERS ===============

R2 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -slacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlservr.exe -sLACERTEDB [?]
R2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\OfcPfwSvc.exe [2007-5-22 282704]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2007-5-22 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2007-5-22 36368]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.exe -i lacertedb --> c:\program files\microsoft sql server\mssql$lacertedb\binn\sqlagent.EXE -i LACERTEDB [?]

=============== Created Last 30 ================

2010-02-24 22:22:34 0 ----a-w- c:\documents and settings\craig.hughheineckecpa\defogger_reenable
2010-02-23 20:43:22 4521 ----a-w- c:\windows\cfgps.ini
2010-02-23 20:43:22 3679 ----a-w- c:\windows\cfgspyps.ini

==================== Find3M ====================

1601-01-01 00:03:28 47104 --sha-w- c:\windows\system32\bipehozo.dll
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\bubesomu.dll
1601-01-01 00:03:28 61952 --sha-w- c:\windows\system32\deyutupu.dll
1601-01-01 00:03:52 56832 --sha-w- c:\windows\system32\favariki.dll
1601-01-01 00:03:28 47104 --sha-w- c:\windows\system32\gibijayu.dll
1601-01-01 00:03:28 96768 --sha-w- c:\windows\system32\morupeke.dll
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\nunayeta.dll
1601-01-01 00:03:28 100864 --sha-w- c:\windows\system32\pihovosi.dll
1601-01-01 00:03:28 43520 --sha-w- c:\windows\system32\salurofi.dll
1601-01-01 00:03:28 43520 --sha-w- c:\windows\system32\suferuha.dll
1601-01-01 00:03:28 101376 --sha-w- c:\windows\system32\tisehuza.dll
1601-01-01 00:03:28 47104 --sha-w- c:\windows\system32\tiyegize.dll
1601-01-01 00:03:52 56832 --sha-w- c:\windows\system32\vehijuli.dll
1601-01-01 00:03:28 56832 --sha-w- c:\windows\system32\videfila.dll
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\vinomisu.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\vorekisu.dll
1601-01-01 00:03:52 56832 --sha-w- c:\windows\system32\wogozote.dll
1601-01-01 00:03:28 47616 --sha-w- c:\windows\system32\yazowazo.dll
2008-05-17 22:06:29 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051720080518\index.dat

============= FINISH: 16:30:22.26 ===============

Edited by Pam Heinecke, 24 February 2010 - 07:34 PM.
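As an added triage example (not part of the thread and not code from the DDS tool), the script below parses lines in the format of the DDS log above and correlates two signals that stand out in it: DLLs carrying the 1601-01-01 date (the start of the Windows FILETIME epoch, a date no genuinely written file has) with hidden+system attributes, and the autostart keys (mRun, AppInit_DLLs, SSODL, STS, LSA Notification Packages) that reference those same DLLs. The sample lines are copied from the log with one path abbreviated; the set of key prefixes treated as persistence points is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in the first post
# (the index.dat path is abbreviated). Raw string keeps the backslashes.
SAMPLE_LOG = r"""
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [nalasunaj] Rundll32.exe "c:\windows\system32\tisehuza.dll",a
AppInit_DLLs: c:\windows\system32\jepeyija.dll wogozote.dll c:\windows\system32\pihovosi.dll c:\windows\system32\tisehuza.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: nipisafes - {a7cc1f2f-7476-4063-989c-4c74d7ca2ed1} - c:\windows\system32\vikehobe.dll
STS: mujuzedij: {54e95371-0d1a-4537-82d8-97036b0833ad} - c:\windows\system32\tisehuza.dll
LSA: Notification Packages = scecli favariki.dll
1601-01-01 00:03:28 47104 --sha-w- c:\windows\system32\bipehozo.dll
1601-01-01 00:03:52 56832 --sha-w- c:\windows\system32\favariki.dll
1601-01-01 00:03:28 101376 --sha-w- c:\windows\system32\tisehuza.dll
2008-05-17 22:06:29 32768 --sha-w- c:\windows\system32\config\systemprofile\index.dat
2010-02-23 20:43:22 4521 ----a-w- c:\windows\cfgps.ini
"""

# "Find3M" / "Created Last 30" lines: date time size attrs path
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+) ([-a-z]{8}) (.+)$")
DLL_RE = re.compile(r"(\w+\.dll)\b", re.IGNORECASE)
FILETIME_ZERO_DATE = "1601-01-01"
# Assumed list of DDS "Pseudo HJT" prefixes that are autostart/injection points.
PERSIST_KEYS = {"uRun", "mRun", "mRunOnce", "AppInit_DLLs", "SSODL", "STS",
                "BHO", "Notify", "LSA", "SEH", "StartupFolder"}


def parse_file_entries(text):
    """Yield (date, size, attrs, path) for every file-listing line."""
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)


def timestomped_files(text):
    """Basenames of files dated 1601-01-01: the timestamp was forged."""
    return sorted(
        path.rsplit("\\", 1)[-1].lower()
        for date, _size, _attrs, path in parse_file_entries(text)
        if date == FILETIME_ZERO_DATE
    )


def persistence_dll_refs(text):
    """Map each DLL basename to the autostart keys that load it."""
    refs = defaultdict(set)
    for line in text.splitlines():
        key = line.split(":", 1)[0].strip()
        if key in PERSIST_KEYS:
            for dll in DLL_RE.findall(line):
                refs[dll.lower()].add(key)
    return {dll: sorted(keys) for dll, keys in refs.items()}


def lsa_extra_packages(text):
    """LSA Notification Packages other than the default scecli; a DLL
    registered here is loaded by lsass and sees password changes."""
    extras = []
    for line in text.splitlines():
        if line.startswith("LSA: Notification Packages"):
            pkgs = line.split("=", 1)[1].split()
            extras += [p.lower() for p in pkgs if p.lower() != "scecli"]
    return extras


def appinit_dlls(text):
    """AppInit_DLLs is loaded into every process that maps user32.dll;
    on a workstation it is normally empty, so any entry merits review."""
    for line in text.splitlines():
        if line.startswith("AppInit_DLLs:"):
            return [d.lower() for d in DLL_RE.findall(line)]
    return []


def triage(text):
    """Correlate the signals: a timestomped DLL that is also wired into
    an autostart key is the strongest indicator this log format offers."""
    stomped = timestomped_files(text)
    refs = persistence_dll_refs(text)
    return {
        "timestomped": stomped,
        "persistence_refs": refs,
        "stomped_and_persistent": {d: refs[d] for d in stomped if d in refs},
        "lsa_extra": lsa_extra_packages(text),
        "appinit": appinit_dlls(text),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Note that hidden+system attributes alone are not evidence (the 2008 index.dat carries them legitimately); the script therefore keys on the forged date and on cross-references to autostart entries.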




#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 26 February 2010 - 09:49 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#3 Pam Heinecke

  • Topic Starter
  • Members
  • 9 posts

Posted 27 February 2010 - 08:39 AM

I will try this fix as soon as I get into the office. Thanks so much.

#4 Pam Heinecke

  • Topic Starter
  • Members
  • 9 posts

Posted 27 February 2010 - 01:11 PM

This appears to have solved the problem. I had to run it twice, however, as there were still problems after the first run. I'm going to let the user back on to the computer and see how things are in 24 hours. Thank you for this fabulous help.

I will let you know if it is still clear after 24 hours.


#5 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 27 February 2010 - 04:49 PM

It's not as simple as that. Just because there are no signs, it doesn't mean there's nothing there, so can you post the log I asked for? It is very
important you do so, especially with what you do on the computer. Don't let anyone back on the computer yet unless it's essential.



#6 Pam Heinecke

  • Topic Starter
  • Members
  • 9 posts

Posted 28 February 2010 - 01:46 AM

I will send you the log tomorrow morning. It's tax season and this CPA had been unable to work for a week. He is only working offline and not going on the net. It was necessary but I don't think he put in more than a couple of hours after I was finished. We'll keep him off again until you review the log. I don't think he planned to work on Sunday, so I'll get it to you ASAP so that we may be able to get him back in service on Monday.
Thanks again for all of your help.

#7 Pam Heinecke

  • Topic Starter
  • Members
  • 9 posts

Posted 28 February 2010 - 02:49 PM

Here is the combo.txt

ComboFix 10-02-27.04 - Craig 02/28/2010 13:34:18.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.250 [GMT -6:00]
Running from: c:\documents and settings\Craig.HUGHHEINECKECPA\Desktop\ComboFix.exe
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {EE542BDC-E951-42BB-8F06-4CF6BA012293}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {EE542BDC-E951-42BB-8F06-4CF6BA012293}
.

((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-27 16:30 . 2010-02-28 19:31 -------- d-----w- c:\documents and settings\Craig.HUGHHEINECKECPA\Tracing
2010-02-27 16:27 . 2010-02-27 16:27 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-02-27 16:27 . 2010-02-27 16:27 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-27 16:27 . 2009-08-06 04:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-02-27 16:26 . 2010-02-27 16:26 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-02-27 16:25 . 2006-11-29 19:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-02-27 16:25 . 2010-02-27 16:25 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-27 16:22 . 2010-02-27 16:22 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-27 16:22 . 2010-02-27 16:27 -------- d-----w- c:\program files\Windows Live
2010-02-27 16:13 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-26 04:05 . 2010-02-26 04:05 10752 ----a-w- c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 20:17 . 2005-03-03 20:08 -------- d-----w- c:\program files\Common Files\Lacerte Shared
2010-02-27 16:44 . 2008-01-26 22:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-27 16:29 . 2007-09-15 19:19 26832 ----a-w- c:\documents and settings\Craig.HUGHHEINECKECPA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-27 16:22 . 2010-01-04 20:18 -------- d-----w- c:\program files\Microsoft
2010-02-24 17:51 . 2007-05-31 19:58 -------- d-----w- c:\program files\Unlocker
2010-01-14 14:34 . 2010-01-14 14:34 -------- d-----w- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\webex
2010-01-04 20:19 . 2010-01-04 20:19 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 15:02 . 2009-12-31 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-12-28 19:55 . 2009-12-28 19:55 10134 ----a-r- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe
2009-12-21 19:14 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 11:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-04 11:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 11:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\SYSTEM32\deyutupu.dll
1601-01-01 00:03 . 1601-01-01 00:03 100864 --sha-w- c:\windows\SYSTEM32\limowuyu.dll
1601-01-01 00:03 . 1601-01-01 00:03 101376 --sha-w- c:\windows\SYSTEM32\vagiwara.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Updates Scheduler"="c:\program files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE" [2010-02-24 98304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"OSCD_Creator"="c:\dell\PreODM.EXE" [2004-10-31 408576]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-25 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-25 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2004-10-25 1111552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]
"nalasunaj"="c:\windows\system32\yesitepo.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{5b556681-420b-4649-ac09-8d4c2edb66f6}"= "c:\windows\system32\yesitepo.dll" [BU]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vayibumuf"= {5b556681-420b-4649-ac09-8d4c2edb66f6} - c:\windows\system32\yesitepo.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [2/27/2010 10:27 AM 54752]
R2 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [5/22/2007 12:34 PM 36368]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [5/22/2007 12:34 PM 225808]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2005-03-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2010-02-28 c:\windows\Tasks\User_Feed_Synchronization-{FCB8F879-BB07-4A66-A8C7-2697C05A457F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 13:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3336)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-28 13:43:08
ComboFix-quarantined-files.txt 2010-02-28 19:43
ComboFix2.txt 2010-02-27 17:11
ComboFix3.txt 2010-02-27 15:49

Pre-Run: 20,450,463,744 bytes free
Post-Run: 20,413,698,048 bytes free

- - End Of File - - B059EAA2A6E340E23949C7EAE6301C36


#8 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 01 March 2010 - 01:51 AM

It appears you have run ComboFix again; please do not run ComboFix unless I ask you to.

Please post the other two logs you have, in attachments, they are located at

C:\Qoobox\ComboFix2.txt
C:\Qoobox\ComboFix3.txt


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/298334/microsoft-update-disabled-and-antivirus-popups/

Collect::
c:\windows\SYSTEM32\deyutupu.dll
c:\windows\SYSTEM32\limowuyu.dll
c:\windows\SYSTEM32\vagiwara.dll
c:\windows\system32\yesitepo.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nalasunaj"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{5b556681-420b-4649-ac09-8d4c2edb66f6}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vayibumuf"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



#9 Pam Heinecke

  • Topic Starter
  • Members
  • 9 posts

Posted 01 March 2010 - 12:32 PM

ComboFix 10-02-27.01 - Craig 02/27/2010 10:52:05.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.214 [GMT -6:00]
Running from: c:\documents and settings\Craig.HUGHHEINECKECPA\Desktop\ComboFix.exe
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {EE542BDC-E951-42BB-8F06-4CF6BA012293}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {EE542BDC-E951-42BB-8F06-4CF6BA012293}
.
The following files were disabled during the run:
c:\windows\system32\yesitepo.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\yesitepo.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-27 16:30 . 2010-02-27 16:49 -------- d-----w- c:\documents and settings\Craig.HUGHHEINECKECPA\Tracing
2010-02-27 16:27 . 2010-02-27 16:27 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-02-27 16:27 . 2010-02-27 16:27 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-27 16:27 . 2009-08-06 04:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-02-27 16:26 . 2010-02-27 16:26 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-02-27 16:25 . 2006-11-29 19:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-02-27 16:25 . 2010-02-27 16:25 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-27 16:22 . 2010-02-27 16:22 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-27 16:22 . 2010-02-27 16:27 -------- d-----w- c:\program files\Windows Live
2010-02-27 16:13 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-26 04:05 . 2010-02-26 04:05 10752 ----a-w- c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 16:44 . 2008-01-26 22:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-27 16:29 . 2007-09-15 19:19 26832 ----a-w- c:\documents and settings\Craig.HUGHHEINECKECPA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-27 16:22 . 2010-01-04 20:18 -------- d-----w- c:\program files\Microsoft
2010-02-24 17:51 . 2007-05-31 19:58 -------- d-----w- c:\program files\Unlocker
2010-02-24 17:35 . 2005-03-03 20:08 -------- d-----w- c:\program files\Common Files\Lacerte Shared
2010-01-14 14:34 . 2010-01-14 14:34 -------- d-----w- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\webex
2010-01-04 20:19 . 2010-01-04 20:19 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 15:02 . 2009-12-31 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-12-30 14:17 . 2008-12-11 14:36 -------- d-----w- c:\program files\Windows Desktop Search
2009-12-29 23:00 . 2009-12-29 23:00 -------- d-----w- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\Windows Search
2009-12-28 19:55 . 2009-12-28 19:55 10134 ----a-r- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe
2009-12-21 19:14 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 11:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-08 19:27 . 2004-08-04 11:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 11:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\SYSTEM32\deyutupu.dll
1601-01-01 00:03 . 1601-01-01 00:03 100864 --sha-w- c:\windows\SYSTEM32\limowuyu.dll
1601-01-01 00:03 . 1601-01-01 00:03 96768 --sha-w- c:\windows\SYSTEM32\morupeke.dll
1601-01-01 00:03 . 1601-01-01 00:03 101376 --sha-w- c:\windows\SYSTEM32\vagiwara.dll
1601-01-01 00:03 . 1601-01-01 00:03 56832 --sha-w- c:\windows\SYSTEM32\vehijuli.dll
1601-01-01 00:03 . 1601-01-01 00:03 56832 --sha-w- c:\windows\SYSTEM32\videfila.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Updates Scheduler"="c:\program files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE" [2010-02-05 98304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"OSCD_Creator"="c:\dell\PreODM.EXE" [2004-10-31 408576]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-25 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-25 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2004-10-25 1111552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OSCD_Creator"="c:\dell\PreODM.EXE" [2004-10-31 408576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{54e95371-0d1a-4537-82d8-97036b0833ad}"= "c:\windows\system32\yesitepo.dll" [BU]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [2/27/2010 10:27 AM 54752]
R2 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [5/22/2007 12:34 PM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [5/22/2007 12:34 PM 36368]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2005-03-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2010-02-27 c:\windows\Tasks\User_Feed_Synchronization-{FCB8F879-BB07-4A66-A8C7-2697C05A457F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nalasunaj - c:\windows\system32\yesitepo.dll
SharedTaskScheduler-{5b556681-420b-4649-ac09-8d4c2edb66f6} - c:\windows\system32\yesitepo.dll
SSODL-kejilebuw-{54e95371-0d1a-4537-82d8-97036b0833ad} - c:\windows\system32\yesitepo.dll
SSODL-vayibumuf-{5b556681-420b-4649-ac09-8d4c2edb66f6} - c:\windows\system32\yesitepo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 11:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OSCD_Creator = c:\dell\PreODM.EXE /2??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\yesitepo.dll

- - - - - - - > 'explorer.exe'(3116)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe
c:\program files\Trend Micro\Client Server Security Agent\ntrtscan.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Trend Micro\Client Server Security Agent\tmlisten.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\TEMP\OG3E99.EXE
c:\program files\Trend Micro\Client Server Security Agent\pccntupd.exe
c:\program files\Trend Micro\Client Server Security Agent\Pop3Trap.exe
.
**************************************************************************
.
Completion time: 2010-02-27 11:11:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-27 17:11
ComboFix2.txt 2010-02-27 15:49

Pre-Run: 20,848,615,424 bytes free
Post-Run: 20,790,665,216 bytes free

- - End Of File - - 8625B514B27C36E5F8B61C3D0373A737
ComboFix 10-02-26.03 - Craig 02/27/2010 9:29.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.217 [GMT -6:00]
Running from: c:\documents and settings\Craig.HUGHHEINECKECPA\Desktop\ComboFix.exe
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {EE542BDC-E951-42BB-8F06-4CF6BA012293}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {EE542BDC-E951-42BB-8F06-4CF6BA012293}
.
The following files were disabled during the run:
c:\windows\system32\tisehuza.dll
c:\windows\system32\yesitepo.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\data
c:\documents and settings\Administrator.HEINECKE\err.log
c:\documents and settings\Administrator.HEINECKE\ResErrors.log
c:\documents and settings\Craig.HUGHHEINECKECPA\Local Settings\Temporary Internet Files\webex.ini
c:\documents and settings\Craig.HUGHHEINECKECPA\Start Menu\Programs\Startup\TA_Start.lnk
c:\program files\inetget2
c:\temp\17o7
c:\temp\17o7\tmpTF.log
c:\temp\tn3
c:\windows\system32\bipehozo.dll
c:\windows\system32\bubesomu.dll
c:\windows\system32\crosof~1
c:\windows\system32\dapotado.dll
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\favariki.dll
c:\windows\system32\gibijayu.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\nunayeta.dll
c:\windows\system32\salurofi.dll
c:\windows\system32\ssembl~1
c:\windows\system32\suferuha.dll
c:\windows\system32\tisehuza.dll
c:\windows\system32\tiyegize.dll
c:\windows\system32\tunayiri.dll
c:\windows\system32\vinomisu.dll
c:\windows\system32\vorekisu.dll
c:\windows\system32\winpfz32.sys
c:\windows\system32\yazowazo.dll
c:\windows\system32\zxdnt3d.cfg
c:\windows\Tasks\qgbjcyfz.job
c:\windows\vttc.exe
c:\windows\wr.txt

.
((((((((((((((((((((((((( Files Created from 2010-01-27 to 2010-02-27 )))))))))))))))))))))))))))))))
.

2010-02-26 04:05 . 2010-02-26 04:05 10752 ----a-w- c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 17:51 . 2007-05-31 19:58 -------- d-----w- c:\program files\Unlocker
2010-02-24 17:35 . 2005-03-03 20:08 -------- d-----w- c:\program files\Common Files\Lacerte Shared
2010-01-14 14:34 . 2010-01-14 14:34 -------- d-----w- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\webex
2010-01-04 20:19 . 2010-01-04 20:19 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-04 20:18 . 2010-01-04 20:18 -------- d-----w- c:\program files\Microsoft
2009-12-31 15:02 . 2009-12-31 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-12-30 14:17 . 2008-01-26 22:42 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-30 14:17 . 2008-12-11 14:36 -------- d-----w- c:\program files\Windows Desktop Search
2009-12-29 23:00 . 2009-12-29 23:00 -------- d-----w- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\Windows Search
2009-12-28 19:56 . 2007-09-15 19:19 26248 ----a-w- c:\documents and settings\Craig.HUGHHEINECKECPA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-28 19:55 . 2009-12-28 19:55 10134 ----a-r- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe
1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\SYSTEM32\deyutupu.dll
1601-01-01 00:03 . 1601-01-01 00:03 100864 --sha-w- c:\windows\SYSTEM32\limowuyu.dll
1601-01-01 00:03 . 1601-01-01 00:03 96768 --sha-w- c:\windows\SYSTEM32\morupeke.dll
1601-01-01 00:03 . 1601-01-01 00:03 101376 --sha-w- c:\windows\SYSTEM32\vagiwara.dll
1601-01-01 00:03 . 1601-01-01 00:03 56832 --sha-w- c:\windows\SYSTEM32\vehijuli.dll
1601-01-01 00:03 . 1601-01-01 00:03 56832 --sha-w- c:\windows\SYSTEM32\videfila.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Updates Scheduler"="c:\program files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE" [2010-02-05 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"OSCD_Creator"="c:\dell\PreODM.EXE" [2004-10-31 408576]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-25 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-25 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2004-10-25 1111552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]
"nalasunaj"="c:\windows\system32\yesitepo.dll" [1601-01-01 101376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OSCD_Creator"="c:\dell\PreODM.EXE" [2004-10-31 408576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{5b556681-420b-4649-ac09-8d4c2edb66f6}"= "c:\windows\system32\yesitepo.dll" [1601-01-01 101376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kejilebuw"= {54e95371-0d1a-4537-82d8-97036b0833ad} - c:\windows\system32\yesitepo.dll [1601-01-01 101376]
"vayibumuf"= {5b556681-420b-4649-ac09-8d4c2edb66f6} - c:\windows\system32\yesitepo.dll [1601-01-01 101376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [5/22/2007 12:34 PM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [5/22/2007 12:34 PM 36368]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2005-03-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2010-02-27 c:\windows\Tasks\User_Feed_Synchronization-{FCB8F879-BB07-4A66-A8C7-2697C05A457F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{a7cc1f2f-7476-4063-989c-4c74d7ca2ed1} - c:\windows\system32\vikehobe.dll
SharedTaskScheduler-{e25baae4-8e6b-47b7-8e69-4b5fd9aac1d1} - c:\windows\system32\nejagemu.dll
SharedTaskScheduler-{15f0c806-2e6b-42ca-aa4d-01cea885ac87} - c:\windows\system32\kahevezu.dll
SharedTaskScheduler-{c4d58c17-ae3d-4e94-b8bc-b4068293e938} - c:\windows\system32\nikadeho.dll
SharedTaskScheduler-{1197a962-0689-47d7-a734-f78ce5f88d4b} - c:\windows\system32\tunayiri.dll
SharedTaskScheduler-{d85beb43-d8ed-4ef0-b605-2ac411e7f762} - c:\windows\system32\dapotado.dll
SharedTaskScheduler-{8125378e-ac19-45e6-9dd3-5ca9023de314} - c:\windows\system32\tunayiri.dll
SharedTaskScheduler-{c2ce0175-d75e-4265-8667-164c4d8f65bf} - c:\windows\system32\tunayiri.dll
SharedTaskScheduler-{c9569449-23c9-480d-ab96-cb376ecb279f} - c:\windows\system32\dapotado.dll
SharedTaskScheduler-{ecd2e98b-ab02-4642-8e0e-6fd5754ff733} - c:\windows\system32\dapotado.dll
SharedTaskScheduler-{68f186ce-6d31-4c43-a940-d5e6998dc29a} - c:\windows\system32\madipoha.dll
SharedTaskScheduler-{2dab26b1-41a3-4e8c-af55-89e5ec5a8ff8} - c:\windows\system32\tunayiri.dll
SharedTaskScheduler-{829b4073-4fd2-4b96-b19f-7d318bae71df} - c:\windows\system32\jojubasa.dll
SharedTaskScheduler-{7de79d61-606f-4a9e-bd78-3cbfe56fb113} - c:\windows\system32\dapotado.dll
SharedTaskScheduler-{1ec12f0e-908f-461d-b442-1eaab6c2e400} - c:\windows\system32\tisehuza.dll
SharedTaskScheduler-{4602db38-b7a2-4bf8-b482-4570be2dec38} - c:\windows\system32\tisehuza.dll
SharedTaskScheduler-{54e95371-0d1a-4537-82d8-97036b0833ad} - c:\windows\system32\tisehuza.dll
ShellExecuteHooks-{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - (no file)
SSODL-nipisafes-{a7cc1f2f-7476-4063-989c-4c74d7ca2ed1} - c:\windows\system32\vikehobe.dll
SSODL-yemipeyup-{e25baae4-8e6b-47b7-8e69-4b5fd9aac1d1} - c:\windows\system32\nejagemu.dll
SSODL-wadebodej-{15f0c806-2e6b-42ca-aa4d-01cea885ac87} - c:\windows\system32\kahevezu.dll
SSODL-linefutir-{c4d58c17-ae3d-4e94-b8bc-b4068293e938} - c:\windows\system32\nikadeho.dll
SSODL-gijejiraf-{1197a962-0689-47d7-a734-f78ce5f88d4b} - c:\windows\system32\tunayiri.dll
SSODL-yorewifig-{d85beb43-d8ed-4ef0-b605-2ac411e7f762} - c:\windows\system32\dapotado.dll
SSODL-bodenezol-{8125378e-ac19-45e6-9dd3-5ca9023de314} - c:\windows\system32\tunayiri.dll
SSODL-vujafapes-{c2ce0175-d75e-4265-8667-164c4d8f65bf} - c:\windows\system32\tunayiri.dll
SSODL-mesemawih-{c9569449-23c9-480d-ab96-cb376ecb279f} - c:\windows\system32\dapotado.dll
SSODL-fayawidup-{ecd2e98b-ab02-4642-8e0e-6fd5754ff733} - c:\windows\system32\dapotado.dll
SSODL-rafahupuh-{68f186ce-6d31-4c43-a940-d5e6998dc29a} - c:\windows\system32\madipoha.dll
SSODL-mepizasah-{2dab26b1-41a3-4e8c-af55-89e5ec5a8ff8} - c:\windows\system32\tunayiri.dll
SSODL-dizopefeg-{829b4073-4fd2-4b96-b19f-7d318bae71df} - c:\windows\system32\jojubasa.dll
SSODL-zodakifif-{7de79d61-606f-4a9e-bd78-3cbfe56fb113} - c:\windows\system32\dapotado.dll
SSODL-sezodares-{1ec12f0e-908f-461d-b442-1eaab6c2e400} - c:\windows\system32\tisehuza.dll
SSODL-venimoler-{4602db38-b7a2-4bf8-b482-4570be2dec38} - c:\windows\system32\tisehuza.dll
MSConfigStartUp-setup - c:\windows\system32\vhtuompy.dll
MSConfigStartUp-Total PC Defender - c:\program files\Total PC Defender\Total PC Defender.exe
AddRemove-HijackThis - c:\documents and settings\Craig.HUGHHEINECKECPA\Local Settings\Temporary Internet Files\Content.IE5\ITNLC5CR\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 09:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OSCD_Creator = c:\dell\PreODM.EXE /2??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\tisehuza.dll
c:\windows\system32\yesitepo.dll

- - - - - - - > 'explorer.exe'(700)
c:\windows\system32\WININET.dll
c:\windows\system32\yesitepo.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe
c:\program files\Trend Micro\Client Server Security Agent\ntrtscan.exe
c:\program files\Trend Micro\Client Server Security Agent\tmlisten.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\TEMP\FCE54C.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\Client Server Security Agent\pccntupd.exe
c:\program files\Trend Micro\Client Server Security Agent\Pop3Trap.exe
.
**************************************************************************
.
Completion time: 2010-02-27 09:49:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-27 15:49

Pre-Run: 21,296,889,856 bytes free
Post-Run: 21,576,916,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 28ADC87FCB85C9D1D800D8015B59246C


#10 Pam Heinecke
  • Topic Starter

  • Members
  • 9 posts

Posted 01 March 2010 - 12:55 PM

ComboFix 10-03-01.01 - Craig 03/01/2010 11:41:10.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.225 [GMT -6:00]
Running from: c:\documents and settings\Craig.HUGHHEINECKECPA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Craig.HUGHHEINECKECPA\Desktop\CFScript.txt
AV: Trend Micro Client-Server Security Agent AntiVirus *On-access scanning disabled* (Outdated) {EE542BDC-E951-42BB-8F06-4CF6BA012293}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {EE542BDC-E951-42BB-8F06-4CF6BA012293}

file zipped: c:\windows\SYSTEM32\deyutupu.dll
file zipped: c:\windows\SYSTEM32\limowuyu.dll
file zipped: c:\windows\SYSTEM32\vagiwara.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\deyutupu.dll
c:\windows\SYSTEM32\limowuyu.dll
c:\windows\SYSTEM32\vagiwara.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-27 16:30 . 2010-03-01 17:29 -------- d-----w- c:\documents and settings\Craig.HUGHHEINECKECPA\Tracing
2010-02-27 16:27 . 2010-02-27 16:27 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-02-27 16:27 . 2010-02-27 16:27 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-27 16:27 . 2009-08-06 04:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2010-02-27 16:26 . 2010-02-27 16:26 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-02-27 16:25 . 2006-11-29 19:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-02-27 16:25 . 2010-02-27 16:25 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-27 16:22 . 2010-02-27 16:22 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-27 16:22 . 2010-02-27 16:27 -------- d-----w- c:\program files\Windows Live
2010-02-27 16:13 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-26 04:05 . 2010-02-26 04:05 10752 ----a-w- c:\windows\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 20:17 . 2005-03-03 20:08 -------- d-----w- c:\program files\Common Files\Lacerte Shared
2010-02-27 16:44 . 2008-01-26 22:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-27 16:29 . 2007-09-15 19:19 26832 ----a-w- c:\documents and settings\Craig.HUGHHEINECKECPA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-27 16:22 . 2010-01-04 20:18 -------- d-----w- c:\program files\Microsoft
2010-02-24 17:51 . 2007-05-31 19:58 -------- d-----w- c:\program files\Unlocker
2010-01-14 14:34 . 2010-01-14 14:34 -------- d-----w- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\webex
2010-01-04 20:19 . 2010-01-04 20:19 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 19:55 . 2009-12-28 19:55 10134 ----a-r- c:\documents and settings\Craig.HUGHHEINECKECPA\Application Data\Microsoft\Installer\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}\ARPPRODUCTICON.exe
2009-12-21 19:14 . 2004-08-04 11:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 11:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2004-08-04 11:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 11:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-28_19.40.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-01 17:23 . 2010-03-01 17:23 16384 c:\windows\Temp\Perflib_Perfdata_650.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Updates Scheduler"="c:\program files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE" [2010-02-24 98304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"OSCD_Creator"="c:\dell\PreODM.EXE" [2004-10-31 408576]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-25 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-25 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2004-10-25 1111552]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 394952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R2 fssfltr;FssFltr;c:\windows\SYSTEM32\DRIVERS\fssfltr_tdi.sys [2/27/2010 10:27 AM 54752]
R2 MSSQL$LACERTEDB;MSSQL$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB [?]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [5/22/2007 12:34 PM 36368]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [5/22/2007 12:34 PM 225808]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB --> c:\program files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2005-03-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\OOBEBALN.EXE [2004-08-04 00:12]

2010-03-01 c:\windows\Tasks\User_Feed_Synchronization-{FCB8F879-BB07-4A66-A8C7-2697C05A457F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-01 11:50:18
ComboFix-quarantined-files.txt 2010-03-01 17:50
ComboFix2.txt 2010-02-28 19:43
ComboFix3.txt 2010-02-27 17:11
ComboFix4.txt 2010-02-27 15:49

Pre-Run: 20,430,028,800 bytes free
Post-Run: 20,380,430,336 bytes free

- - End Of File - - E11A3540FE85A4E9EEE4A8F7A1A2A4D0
Upload was successful

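The ComboFix excerpt above already records two posture changes that a responder should read alongside the reported symptoms: Security Center monitoring is switched off for both Trend products (DisableMonitoring=1), and the standard-profile Windows Firewall is off (EnableFirewall=0). As an added example, not a tool from this thread, from BleepingComputer or from the ComboFix project, here is a short Python script that parses that [key] / "name"=data layout offline and flags those values, plus firewall exceptions granted to core OS binaries. The sample input is constructed from the excerpt above with one domain-profile exception block added to exercise the last check, and the CORE_BINARIES list is the editor's own assumption.

```python
"""Offline triage of ComboFix / RSIT style registry dumps.

Added example for this thread; it is not a BleepingComputer or ComboFix tool.
It reads the [key] / "name"=data blocks exactly as they appear in the log
above and flags settings that weaken the host's security posture.
"""
import re

# Constructed sample in the same layout as the ComboFix excerpt above.  The
# domainprofile exception block is added here only to exercise the last check.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\SYSTEM32\\lsass.exe"="C:\WINDOWS\SYSTEM32\lsass.exe:*:Enabled:lsass"
"C:\\WINDOWS\\SYSTEM32\\winlogon.exe"="C:\WINDOWS\SYSTEM32\winlogon.exe:*:Enabled:winlogon"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                # [HKLM\...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=data (data may be empty)

# Reviewer's own list (an assumption, not from the thread): processes that never
# accept inbound connections, so a firewall exception for them is unexplained.
CORE_BINARIES = {"lsass.exe", "winlogon.exe", "logon.scr", "services.exe",
                 "smss.exe", "csrss.exe"}


def parse_registry_blocks(text):
    """Return {key_path: {value_name: raw_data}} for every [key] block in the dump."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group(1)] = m.group(2).strip()
    return blocks


def reg_int(raw):
    """Decode the two numeric spellings these logs use: 'dword:00000001' and '1 (0x1)'."""
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def audit(blocks):
    """Return human-readable findings, in log order."""
    findings = []
    for key, values in blocks.items():
        k = key.lower()
        tail = key.rsplit("\\", 1)[-1]
        # Security Center told not to monitor a registered AV/firewall product.
        if "\\security center\\monitoring\\" in k and reg_int(values.get("DisableMonitoring", "0")) == 1:
            findings.append(f"security-center: monitoring disabled for {tail}")
        # Windows Firewall switched off for a profile.
        if k.endswith(("\\firewallpolicy\\standardprofile", "\\firewallpolicy\\domainprofile")) \
                and reg_int(values.get("EnableFirewall", "1")) == 0:
            findings.append(f"firewall: disabled in {tail}")
        # Exception-list entries for binaries that should never need one.
        if k.endswith("\\authorizedapplications\\list") and "\\firewallpolicy\\" in k:
            profile = k.split("\\firewallpolicy\\", 1)[1].split("\\", 1)[0]
            for name in values:
                path = name.replace("\\\\", "\\")  # ComboFix doubles the backslashes
                if path.rsplit("\\", 1)[-1].lower() in CORE_BINARIES:
                    findings.append(f"firewall: {profile} exception for core OS binary {path}")
    return findings


def triage(text):
    """Parse a dump and return its findings."""
    return audit(parse_registry_blocks(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

To use it on a real case, read a saved ComboFix.txt or RSIT log.txt into triage(); findings come back in log order so each one can be checked against the original lines. A flagged value is a lead, not proof of infection: an administrator may have disabled Security Center monitoring deliberately where a centrally managed product is in use, so confirm each finding against what the site expects before treating it as malware tampering.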

#11 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:05 AM

Posted 01 March 2010 - 03:44 PM

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double-click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


Then please post back here with the following logs:
  • MBAM log
  • log.txt
  • info.txt

Thanks



#12 Pam Heinecke

Pam Heinecke
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:05 PM

Posted 01 March 2010 - 04:39 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3811
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/1/2010 2:59:16 PM
mbam-log-2010-03-01 (14-59-16).txt

Scan type: Quick Scan
Objects scanned: 166258
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Craig.HUGHHEINECKECPA\Application Data\Microsoft\Internet Explorer\Quick Launch\Total PC Defender.lnk (Rogue.TotalPCDefender) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\awttrro.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\byxwwvt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ddcbxyw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of random's system information tool 1.06 (written by random/random)
Run by Craig at 2010-03-01 15:08:15
Microsoft Windows XP Professional Service Pack 3
System drive C: has 19 GB (55%) free of 35 GB
Total RAM: 510 MB (22% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:30 PM, on 3/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\TEMP\VZBB51.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\Pop3Trap.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\ctfmon.exe
E:\RSIT.exe
C:\Program Files\trend micro\Craig.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Updates Scheduler] C:\Program Files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1262128005192
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1262127996895
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://trendmicro.webex.com/client/v_myweb...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hughheineckecpa.local
O17 - HKLM\Software\..\Telephony: DomainName = hughheineckecpa.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hughheineckecpa.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hughheineckecpa.local
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

--
End of file - 8175 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{FCB8F879-BB07-4A66-A8C7-2697C05A457F}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2009-05-19 137600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-08-17 343112]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1404928]
"OSCD_Creator"=c:\Dell\PreODM.EXE [2004-10-31 408576]
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [2003-09-03 221184]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2004-04-11 290816]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2005-02-24 26112]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-02-24 98304]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [2004-10-25 1111552]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]
"OfficeScanNT Monitor"=C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe [2007-03-29 394952]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"OSCD_Creator"=C:\Dell\PreODM.EXE [2004-10-31 408576]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=C:\Program Files\DellSupport\DSAgnt.exe [2007-03-15 460784]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"Updates Scheduler"=C:\Program Files\Common Files\Lacerte Shared\Update Scheduler\UpdSched.EXE [2010-02-23 98304]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoWelcomeScreen"=
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:Windows Explorer"
"C:\WINDOWS\SYSTEM32\logon.scr"="C:\WINDOWS\SYSTEM32\logon.scr:*:Enabled:logon"
"C:\WINDOWS\SYSTEM32\rundll32.exe"="C:\WINDOWS\SYSTEM32\rundll32.exe:*:Enabled:rundll32"
"C:\WINDOWS\SYSTEM32\winlogon.exe"="C:\WINDOWS\SYSTEM32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\SYSTEM32\lsass.exe"="C:\WINDOWS\SYSTEM32\lsass.exe:*:Enabled:lsass"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 1 months======

2010-03-01 15:08:15 ----D---- C:\rsit
2010-03-01 14:51:24 ----D---- C:\Documents and Settings\Craig.HUGHHEINECKECPA\Application Data\Malwarebytes
2010-03-01 14:51:15 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-01 14:51:15 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-01 11:50:19 ----A---- C:\ComboFix.txt
2010-02-27 11:34:35 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-27 11:25:15 ----HDC---- C:\WINDOWS\$NtUninstallKB961503$
2010-02-27 10:41:33 ----A---- C:\WINDOWS\system32\MRT.exe
2010-02-27 10:41:16 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-27 10:41:00 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-27 10:40:43 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-27 10:40:23 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-27 10:39:08 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-27 10:38:47 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-27 10:38:21 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-27 10:37:58 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-27 10:37:21 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-27 10:30:23 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-02-27 10:27:45 ----D---- C:\Program Files\Microsoft Office Outlook Connector
2010-02-27 10:27:14 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-02-27 10:26:27 ----D---- C:\Program Files\Microsoft Sync Framework
2010-02-27 10:25:25 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2010-02-27 10:25:14 ----D---- C:\Program Files\Microsoft SQL Server Compact Edition
2010-02-27 10:24:54 ----HDC---- C:\WINDOWS\$NtUninstallKB954708$
2010-02-27 10:22:36 ----D---- C:\Program Files\Windows Live SkyDrive
2010-02-27 10:22:03 ----D---- C:\Program Files\Windows Live
2010-02-27 09:27:03 ----A---- C:\Boot.bak
2010-02-27 09:26:55 ----RASHD---- C:\cmdcons
2010-02-27 09:25:51 ----A---- C:\WINDOWS\zip.exe
2010-02-27 09:25:51 ----A---- C:\WINDOWS\SWREG.exe
2010-02-27 09:25:51 ----A---- C:\WINDOWS\sed.exe
2010-02-27 09:25:51 ----A---- C:\WINDOWS\PEV.exe
2010-02-27 09:25:51 ----A---- C:\WINDOWS\NIRCMD.exe
2010-02-27 09:25:51 ----A---- C:\WINDOWS\MBR.exe
2010-02-27 09:25:51 ----A---- C:\WINDOWS\grep.exe
2010-02-27 09:25:50 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-02-27 09:25:50 ----A---- C:\WINDOWS\SWSC.exe
2010-02-27 09:24:19 ----D---- C:\WINDOWS\ERDNT
2010-02-27 09:23:39 ----D---- C:\Qoobox
2010-02-25 22:05:18 ----A---- C:\WINDOWS\DCEBoot.exe
2010-02-23 14:43:22 ----A---- C:\WINDOWS\cfgspyps.ini
2010-02-23 14:43:22 ----A---- C:\WINDOWS\cfgps.ini

======List of files/folders modified in the last 1 months======

2010-03-01 15:08:30 ----D---- C:\Program Files\Trend Micro
2010-03-01 15:03:10 ----D---- C:\WINDOWS\Temp
2010-03-01 15:02:44 ----A---- C:\WINDOWS\ModemLog_Intel® 537EP Modem.txt
2010-03-01 15:02:21 ----D---- C:\WINDOWS\system32\DRIVERS
2010-03-01 15:01:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-01 15:01:39 ----D---- C:\Config.Msi
2010-03-01 15:01:32 ----HDC---- C:\WINDOWS\$NtUninstallKB924191$
2010-03-01 14:59:16 ----RD---- C:\Program Files
2010-03-01 14:59:16 ----D---- C:\WINDOWS\SYSTEM32
2010-03-01 14:51:45 ----SHD---- C:\WINDOWS\Installer
2010-03-01 14:51:20 ----D---- C:\WINDOWS\Prefetch
2010-03-01 11:47:35 ----N---- C:\WINDOWS\system.ini
2010-03-01 11:47:35 ----D---- C:\WINDOWS
2010-03-01 11:44:58 ----D---- C:\WINDOWS\AppPatch
2010-03-01 11:44:51 ----D---- C:\Program Files\Common Files
2010-03-01 11:40:37 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-01 11:30:37 ----D---- C:\WINDOWS\SECURITY
2010-03-01 11:29:01 ----A---- C:\WINDOWS\cfgall.ini
2010-02-27 14:17:24 ----D---- C:\Program Files\Common Files\Lacerte Shared
2010-02-27 12:47:32 ----D---- C:\WINDOWS\Microsoft.NET
2010-02-27 12:47:10 ----RSD---- C:\WINDOWS\ASSEMBLY
2010-02-27 11:57:49 ----A---- C:\WINDOWS\WTAXSYNC.INI
2010-02-27 11:34:47 ----HD---- C:\WINDOWS\INF
2010-02-27 11:32:32 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-02-27 11:31:40 ----D---- C:\WINDOWS\WinSxS
2010-02-27 11:27:08 ----A---- C:\WINDOWS\imsins.BAK
2010-02-27 11:27:04 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2010-02-27 11:27:01 ----D---- C:\WINDOWS\ie8updates
2010-02-27 11:26:56 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-27 11:16:58 ----SD---- C:\Documents and Settings\Craig.HUGHHEINECKECPA\Application Data\Microsoft
2010-02-27 10:44:54 ----D---- C:\Program Files\Microsoft Silverlight
2010-02-27 10:38:08 ----D---- C:\WINDOWS\system32\CatRoot
2010-02-27 10:31:48 ----D---- C:\Program Files\Internet Explorer
2010-02-27 10:26:14 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-02-27 10:25:26 ----D---- C:\WINDOWS\system32\DirectX
2010-02-27 10:22:50 ----D---- C:\Program Files\Microsoft
2010-02-27 10:22:10 ----RSD---- C:\WINDOWS\Fonts
2010-02-27 09:48:07 ----SD---- C:\WINDOWS\Tasks
2010-02-27 09:36:31 ----D---- C:\WINDOWS\system32\CONFIG
2010-02-27 09:34:14 ----D---- C:\Temp
2010-02-27 09:27:03 ----RASH---- C:\BOOT.INI
2010-02-27 09:25:47 ----SHD---- C:\System Volume Information
2010-02-27 09:25:47 ----D---- C:\WINDOWS\system32\Restore
2010-02-26 03:19:42 ----A---- C:\WINDOWS\UpdSched.INI
2010-02-24 13:38:42 ----D---- C:\WINDOWS\network diagnostic
2010-02-24 13:28:21 ----D---- C:\WINDOWS\Registration
2010-02-24 11:52:50 ----SHD---- C:\WINDOWS\CSC
2010-02-24 11:51:53 ----D---- C:\Program Files\Unlocker
2010-02-24 11:46:32 ----D---- C:\WINDOWS\system32\appmgmt
2010-02-24 11:29:29 ----A---- C:\WINDOWS\WIN.INI
2010-02-23 14:51:58 ----A---- C:\WINDOWS\cfgspyms.ini
2010-02-23 14:51:57 ----A---- C:\WINDOWS\cfgms.ini
2010-02-23 14:51:43 ----A---- C:\WINDOWS\cfgrs_ex.ini
2010-02-23 14:51:43 ----A---- C:\WINDOWS\cfgrs.ini
2010-02-23 10:05:38 ----A---- C:\WINDOWS\ntbtlog.txt
2010-02-21 16:06:02 ----A---- C:\WINDOWS\w08tax.ini
2010-02-21 15:57:53 ----A---- C:\WINDOWS\lacerte.ini
2010-02-18 10:37:38 ----A---- C:\WINDOWS\LTBUI08.INI
2010-02-18 10:37:23 ----A---- C:\WINDOWS\TaxSetup.INI
2010-02-05 09:31:41 ----A---- C:\WINDOWS\W06Tax.ini
2010-02-05 09:27:05 ----A---- C:\WINDOWS\W05Tax.ini
2010-02-04 10:54:15 ----A---- C:\WINDOWS\w07tax.ini
2010-02-02 12:28:03 ----A---- C:\WINDOWS\W04Tax.INI
2010-02-02 12:27:42 ----A---- C:\WINDOWS\W03Tax.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2005-02-24 8552]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-08-05 54752]
R2 TM_CFW;Common Firewall Driver; \??\C:\Program Files\Trend Micro\Client Server Security Agent\tm_cfw.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys []
R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys []
R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys []
R3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 IntelC51;IntelC51; C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2004-12-04 1348480]
R3 IntelC52;IntelC52; C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2006-06-27 625280]
R3 IntelC53;IntelC53; C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2004-12-04 54144]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mohfilt;mohfilt; C:\WINDOWS\system32\DRIVERS\mohfilt.sys [2004-12-04 36816]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-10-29 260096]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\CRAIG~1.HUG\LOCALS~1\Temp\catchme.sys []
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
R2 MSSQL$LACERTEDB;MSSQL$LACERTEDB; C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe [2002-12-17 7520337]
R2 ntrtscan;Trend Micro Client/Server Security Agent RealTime Scan; C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe [2007-03-29 603856]
R2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall; C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe [2007-03-29 282704]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R2 tmlisten;Trend Micro Client/Server Security Agent Listener; C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe [2007-03-29 685776]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 fsssvc;Windows Live Family Safety Service; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2003-12-17 143360]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB; C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-03-01 15:08:33

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2003 Lacerte Tax-->C:\Lacerte\03tax\W03UNINS.EXE
2004 Lacerte Tax-->C:\Lacerte\04TAX\W04UNINS.EXE
2005 Lacerte Tax Planner-->C:\Lacerte\05taxpln\W05UNINS.EXE
2005 Lacerte Tax-->C:\Lacerte\05tax\W05UNINS.EXE
2006 Lacerte Tax-->C:\Lacerte\06tax\W06UNINS.EXE
2007 Lacerte Tax-->C:\Lacerte\07tax\W07UNINS.EXE
2008 Lacerte Tax-->C:\Lacerte\08tax\W08UNINS.EXE
2009 Lacerte Tax-->C:\Lacerte\09TAX\W09UNINS.EXE
Adobe Atmosphere Player for Acrobat and Adobe Reader-->C:\WINDOWS\atmoUn.exe
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Banctec Service Agreement-->MsiExec.exe /X{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Document eSort Components-->MsiExec.exe /X{0886254D-ACC4-43FD-91FB-E96CF9AB91C1}
Domainname.com Optimizer-->C:\WINDOWS\system32\uninstall_collector.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Intel® 537EP Modem-->rundll32 IntelCdi.dll,iSMUninstallation "Intel® 537EP Modem"
Intel® 537EP V9x DF PCI Modem-->rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
Intel® PRO Network Adapters and Drivers-->Prounstl.exe
Intel® PROSet for Wired Connections-->MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
Internet Explorer Default Page-->MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Intuit Runtime Components 6.0.16-->MsiExec.exe /X{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
Lacerte Runtime Components-->MsiExec.exe /X{7FEE267E-003F-43B0-95D2-534D4213D4BA}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Live Add-in 1.4-->MsiExec.exe /I{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}
Microsoft Office Outlook 2003-->MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook Connector-->MsiExec.exe /I{95120000-0122-0409-0000-0000000FF1CE}
Microsoft Office XP Professional-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition Installer-->MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE-->MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Search Enhancement Pack-->MsiExec.exe /X{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft SQL Server Desktop Engine (LACERTEDB)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Sync Framework Runtime Native v1.0 (x86)-->MsiExec.exe /I{8A74E887-8F0F-4017-AF53-CBA42211AAA5}
Microsoft Sync Framework Services Native v1.0 (x86)-->MsiExec.exe /I{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Event Monitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
My Way Search Assistant-->rundll32 C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll,O
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB976325)-->"C:\WINDOWS\ie7updates\KB976325-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Search 4 - KB963093-->"C:\WINDOWS\$NtUninstallKB963093$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Shadow Copy Client-->MsiExec.exe /I{23E5032B-56CA-4C19-A72E-B50161DB82CA}
Trend Micro Client/Server Security Agent-->"C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe"
TValue 5-->F:\TValue5\UNWISE.EXE F:\TValue5\INSTALL.LOG
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Windows (KB971513)-->"C:\WINDOWS\$NtUninstallKB971513$\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB978506)-->"C:\WINDOWS\ie8updates\KB978506-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB943729)-->"C:\WINDOWS\$NtUninstallKB943729$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
WebEx-->C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Family Safety-->MsiExec.exe /X{139E303E-1050-497F-98B1-9AE87B15C463}
Windows Live ID Sign-in Assistant-->MsiExec.exe /X{10A44844-4465-456E-8C97-80BDD4F68845}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Photo Gallery-->MsiExec.exe /X{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
Windows Live Sync-->MsiExec.exe /X{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
Windows Live Toolbar-->MsiExec.exe /X{995F1E2E-F542-4310-8E1D-9926F5A279B3}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{178832DE-9DE0-4C87-9F82-9315A9B03985}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows PowerShell™ 1.0 MUI pack-->"C:\WINDOWS\$NtUninstallKB926141$\spuninst\spuninst.exe"
Windows PowerShell™ 1.0-->"C:\WINDOWS\$NtUninstallKB926139-v2$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Security center information======

AV: Trend Micro Client-Server Security Agent AntiVirus
FW: Trend Micro Client-Server Security Agent Firewall (disabled)

======System event log======

Computer Name: CRAIG2
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00132006875D. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 24468
Source Name: Dhcp
Time Written: 20090826141059.000000-300
Event Type: warning
User:

Computer Name: CRAIG2
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00132006875D. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 24464
Source Name: Dhcp
Time Written: 20090825201052.000000-300
Event Type: warning
User:

Computer Name: CRAIG2
Event Code: 20
Message: Printer Driver HP LaserJet 4Si for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, HPLJ4SI.GPD, UNIDRV.HLP, PCL5ERES.DLL, UNIRES.DLL, TTFSUB.GPD, STDNAMES.GPD.

Record Number: 24460
Source Name: Print
Time Written: 20090824152932.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: CRAIG2
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00132006875D. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 24456
Source Name: Dhcp
Time Written: 20090824081037.000000-300
Event Type: warning
User:

Computer Name: CRAIG2
Event Code: 20
Message: Printer Driver HP LaserJet 4Si for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, HPLJ4SI.GPD, UNIDRV.HLP, PCL5ERES.DLL, UNIRES.DLL, TTFSUB.GPD, STDNAMES.GPD.

Record Number: 24452
Source Name: Print
Time Written: 20090820142738.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: CRAIG2
Event Code: 1001
Message: Detection of product '{E09B48B5-E141-427A-AB0C-D3605127224A}', feature 'SqlRun' failed during request for component '{436D7A23-36BE-11D2-ACBB-0080C7FCBB84}'

Record Number: 6768
Source Name: MsiInstaller
Time Written: 20100111103132.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: CRAIG2
Event Code: 1004
Message: Detection of product '{E09B48B5-E141-427A-AB0C-D3605127224A}', feature 'SqlRun', component '{072BBB16-FE7A-405F-BBCC-54622D21CE3A}' failed. The resource 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Microsoft SQL Server\80\Tools\Service Manager\' does not exist.

Record Number: 6767
Source Name: MsiInstaller
Time Written: 20100111103132.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: CRAIG2
Event Code: 11706
Message: Product: Microsoft SQL Server Desktop Engine -- Error 1706. An installation package for the product Microsoft SQL Server Desktop Engine cannot be found. Try the installation again using a valid copy of the installation package 'SqlRun01.msi'.

Record Number: 6765
Source Name: MsiInstaller
Time Written: 20100111103131.000000-360
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: CRAIG2
Event Code: 1001
Message: Detection of product '{E09B48B5-E141-427A-AB0C-D3605127224A}', feature 'SqlRun' failed during request for component '{436D7A23-36BE-11D2-ACBB-0080C7FCBB84}'

Record Number: 6764
Source Name: MsiInstaller
Time Written: 20100111103049.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: CRAIG2
Event Code: 1004
Message: Detection of product '{E09B48B5-E141-427A-AB0C-D3605127224A}', feature 'SqlRun', component '{072BBB16-FE7A-405F-BBCC-54622D21CE3A}' failed. The resource 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Microsoft SQL Server\80\Tools\Service Manager\' does not exist.

Record Number: 6763
Source Name: MsiInstaller
Time Written: 20100111103049.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=1
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;%CommonProgramFiles%\Microsoft Shared\Windows Live;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\WINDOWS\system32\WindowsPowerShell\v1.0
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=0401
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%

-----------------EOF-----------------


#13 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:05 AM

Posted 01 March 2010 - 05:37 PM

Your logs look fine to me now.

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.



Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler

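The "Keeping Windows updated" and "Use MVPS hosts file" steps in the post above can be checked from a script instead of by clicking through Control Panel, which is useful when an infection has been switching the settings back. The following PowerShell is an added example, not code from syler or from BleepingComputer; it assumes the documented Automatic Updates registry locations (AUOptions = 4 is "Automatic (recommended)"), that Automatic Updates depends on the wuauserv and BITS services, and the standard hosts file path, and it uses only cmdlets available in PowerShell 1.0, which the log above shows installed.

```powershell
# Added audit script (not from the thread). Run from an administrator
# PowerShell prompt on the machine being checked. It reports, rather than
# changes, anything that deviates from the advice in the post above.

$findings = @()

# 1. Automatic Updates configuration (documented AUOptions values:
#    1 = disabled, 2 = notify before download, 3 = download then notify,
#    4 = automatic install, which is what "Automatic (recommended)" sets).
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -eq $null -or $au.AUOptions -ne 4) {
    $findings += "Automatic Updates is not set to 'Automatic (recommended)' (AUOptions = $($au.AUOptions))"
}

# 2. The policy key that overrides the Control Panel setting. NoAutoUpdate = 1
#    turns Automatic Updates off regardless of what the user selected.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -ne $null -and $policy.NoAutoUpdate -eq 1) {
    $findings += "Policy value NoAutoUpdate = 1 is disabling Automatic Updates"
}

# 3. The services Automatic Updates needs. A start mode of Disabled means
#    updates silently stop even though the Control Panel setting looks right.
foreach ($name in 'wuauserv', 'BITS') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        $findings += "Service $name is missing"
    } elseif ($svc.StartMode -eq 'Disabled') {
        $findings += "Service $name is Disabled (State = $($svc.State))"
    }
}

# 4. Hosts file review. MVPS entries point names at 0.0.0.0 or 127.0.0.1;
#    any IPv4 entry pointing somewhere else redirects a name and deserves a
#    look. @() keeps .Count valid when zero or one line matches.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    $suspect = @(Get-Content $hostsPath | Where-Object {
        $_ -match '^\s*(\d{1,3}\.){3}\d{1,3}\s+\S' -and
        $_ -notmatch '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s'
    })
    if ($suspect.Count -gt 0) {
        $findings += "hosts file has $($suspect.Count) entries not pointing at localhost:"
        $findings += $suspect
    }
} else {
    $findings += "hosts file not found at $hostsPath"
}

if ($findings.Count -eq 0) {
    'Automatic Updates, its services and the hosts file all look as recommended.'
} else {
    $findings
}
```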


#14 Pam Heinecke

Pam Heinecke
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:05 PM

Posted 01 March 2010 - 06:50 PM

Hi Syler,
Thank you for all of your great help. My husband has made a donation to your site. His name is Hugh Heinecke and he owns our firm.

We are seriously considering purchasing the spyware software that you recommend for our office and will make that decision very soon.

My best,
Pam Heinecke

#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:05 AM

Posted 03 March 2010 - 09:30 AM

You're very welcome.

I think Malwarebytes would be a very good choice. It is definitely one of the best AntiMalware scanners, if not the best,
and it also has a nice IP blocking feature.

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





