
Smitfraud-c


This topic is locked
17 replies to this topic

#1 nultylynch

nultylynch

  • Members
  • 9 posts

Posted 29 May 2007 - 07:33 AM

Both Housecall and bitdefender say my computer is clean. But Spybot says it's still there. Plus I am getting all kinds of random popups. Any help would be greatly appreciated. Thanks in advance for any help. My tech support's version of repair is reformat. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:26:29 AM, on 5/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\??stem32\s?chost.exe
C:\Program Files\CCH\AtHand\Desktop\Bin\Binnacle.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://rivproxy.cch.com:80/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rivproxy.cch.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *cch.com;*.cchgroup.com;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\SNOWNOIT.EXE,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\System32\winload.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7CDD57C8-8404-4296-A81E-6B6B373C2AE4} - (no file)
O2 - BHO: (no name) - {8D78575B-2BEA-41B5-813A-422B19EE8AD0} - (no file)
O2 - BHO: CabinBoy IE BHO - {9A8A89B3-1EED-4cc0-B50C-51D6ED71D5D2} - mscoree.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: CCH@Hand - {b8d08682-1259-47fe-a309-fefd1dbda42a} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Configure Proxy Settings] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\autoprxy.vbs
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [User First Logon Init Script] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\userinit.vbe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [ms067267209433] C:\WINDOWS\ms067267209433.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Smsi] "C:\WINDOWS\System32\ICROSO~1\spoolsv.exe" -vt ndrv
O4 - HKCU\..\Run: [Quhmeu] C:\WINDOWS\??stem32\s?chost.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vexg6ame4.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - HKCU\..\Run: [msnfo32s] C:\WINDOWS\msnfo32s.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\molendad\Desktop\TICHD001.exe
O4 - Global Startup: CCH@Hand Desktop Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search highlighted text on &IRN - file:///C:\Program Files\cch\athand\desktop\bin\SearchIRN.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://inview.cch.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...re.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {2545AD70-870A-11D3-8961-0008C71A43C9} (TIFFView Class) - http://tax.cchgroup.com/primesrc/apps/tiff/npcchtif.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...nt/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27f2a2fbcf9d92...22/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...5Controls/en/x86/client/wuweb_site.cab?1122398466057
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...nt/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - https://www323.livemeeting.com/etc/static/W...apid1/2006-07-14-19-00-40/MailObjects.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\Software\..\Telephony: DomainName = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O20 - Winlogon Notify: wintli32 - wintli32.dll (file missing)
O21 - SSODL: zkwrAKFpAkAQK - {7CD50CF4-D67F-A65E-3BD6-88288800894C} - (no file)
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WK Endpoint (WKEndpoint) - BMC Software, Inc. - C:\program files\marimba\tuner\Tuner.exe

Edited by nultylynch, 29 May 2007 - 07:34 AM.




#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 May 2007 - 09:04 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum nultylynch :thumbsup:

The current formatting of your log makes it difficult to read/evaluate.
Open 'Notepad', click on 'Format' at the top, then uncheck 'Word Wrap' if it's checked.

Once you've done that, restart your pc and post a new Hijackthis log into your next reply.

#3 nultylynch

nultylynch
  • Topic Starter

  • Members
  • 9 posts

Posted 29 May 2007 - 09:48 AM

Here's the new log. I had to run it from safe mode...I'm getting the following stop error:

STOP: 0X0000008E (0XC0000005,0X44544547,0XF89DCCF0,0X00000000)

Then memory dump, etc, etc....

Again, thanks for any help.

Here's the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:50 AM, on 5/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://rivproxy.cch.com:80/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rivproxy.cch.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *cch.com;*.cchgroup.com;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\SNOWNOIT.EXE,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\System32\winload.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7CDD57C8-8404-4296-A81E-6B6B373C2AE4} - (no file)
O2 - BHO: (no name) - {8D78575B-2BEA-41B5-813A-422B19EE8AD0} - (no file)
O2 - BHO: CabinBoy IE BHO - {9A8A89B3-1EED-4cc0-B50C-51D6ED71D5D2} - mscoree.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: CCH@Hand - {b8d08682-1259-47fe-a309-fefd1dbda42a} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Configure Proxy Settings] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\autoprxy.vbs
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [User First Logon Init Script] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\userinit.vbe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [ms067267209433] C:\WINDOWS\ms067267209433.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Smsi] "C:\WINDOWS\System32\ICROSO~1\spoolsv.exe" -vt ndrv
O4 - HKCU\..\Run: [Quhmeu] C:\WINDOWS\??stem32\s?chost.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vexg6ame4.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - HKCU\..\Run: [msnfo32s] C:\WINDOWS\msnfo32s.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\molendad\Desktop\TICHD001.exe
O4 - Global Startup: CCH@Hand Desktop Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search highlighted text on &IRN - file:///C:\Program Files\cch\athand\desktop\bin\SearchIRN.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://inview.cch.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2545AD70-870A-11D3-8961-0008C71A43C9} (TIFFView Class) - http://tax.cchgroup.com/primesrc/apps/tiff/npcchtif.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27f2a2fbcf9d92...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122398466057
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - https://www323.livemeeting.com/etc/static/W...MailObjects.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\Software\..\Telephony: DomainName = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O20 - Winlogon Notify: wintli32 - wintli32.dll (file missing)
O21 - SSODL: zkwrAKFpAkAQK - {7CD50CF4-D67F-A65E-3BD6-88288800894C} - (no file)
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WK Endpoint (WKEndpoint) - BMC Software, Inc. - C:\program files\marimba\tuner\Tuner.exe

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 May 2007 - 10:12 AM

Please make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*********************

In safe mode find and delete the following if present:

C:\WINDOWS\SNOWNOIT.EXE
C:\WINDOWS\System32\winload.dll
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\vexg6ame4.exe
C:\WINDOWS\msnfo32s.exe
C:\Documents and Settings\molendad\Desktop\TICHD001.exe
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\Program Files\pasystem

Restart your pc, post a new Hijackthis log in your next reply.
Let me know what's happening now please.
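A rule-based triage of HijackThis log lines, added here as an example (it is not part of the thread and not a HijackThis feature): it treats the file list RichieUK gave above as a known-bad set and adds the checks a log reader applies by eye: the '?' characters HijackThis prints for path characters it cannot display (the `??stem32\s?chost.exe` entry), executable names one character off a core Windows process (`spoolsvv`), extra executables in the `UserInit` value, Winlogon Notify DLLs loaded from outside System32, and services whose file is missing. The sample log is a constructed excerpt of lines quoted from the logs posted in this thread.

```python
import re
from typing import Dict, List

# Files RichieUK told the poster to delete (from the reply above), by basename.
KNOWN_BAD = {"snownoit.exe", "winload.dll", "spoolsvv.exe", "vexg6ame4.exe",
             "msnfo32s.exe", "tichd001.exe", "winsys2f.dll"}
# Core Windows process names that malware imitates (spoolsvv, s?chost).
CORE_BINARIES = {"svchost", "spoolsv", "winlogon", "lsass", "csrss",
                 "services", "smss", "userinit", "explorer"}
# Drive-letter path ending in an executable-ish extension; '?' is deliberately
# accepted because HijackThis prints '?' for path characters it cannot display.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|ocx|vbs|vbe|scr)', re.I)

# Constructed excerpt: lines quoted from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:44:50 AM, on 5/29/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\??stem32\s?chost.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\SNOWNOIT.EXE,
O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\System32\winload.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKCU\..\Run: [Quhmeu] C:\WINDOWS\??stem32\s?chost.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vexg6ame4.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O20 - Winlogon Notify: wintli32 - wintli32.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; the stems compared here are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(stem: str):
    """Return the core binary name a file stem imitates (one edit away), else None."""
    if stem in CORE_BINARIES:
        return None
    for core in CORE_BINARIES:
        if edit_distance(stem, core) == 1:
            return core
    return None


def check_line(line: str) -> List[str]:
    """Return the reasons (possibly none) one HijackThis line deserves a look."""
    reasons = []
    paths = PATH_RE.findall(line)
    for path in paths:
        base = path.rsplit("\\", 1)[-1].lower()
        stem = base.rsplit(".", 1)[0]
        if base in KNOWN_BAD:
            reasons.append(f"known-bad file {base}")
        if "?" in path:
            reasons.append("path contains characters HijackThis could not display")
        core = lookalike(stem)
        if core:
            reasons.append(f"{stem} imitates system binary {core}")
    if line.startswith("F2 -") and "UserInit=" in line:
        extra = [p for p in paths if not p.lower().endswith("\\userinit.exe")]
        if extra:
            reasons.append("UserInit also launches " + ", ".join(extra))
    if line.startswith("O20 -"):
        if not paths:
            reasons.append("Winlogon Notify DLL has no resolvable path")
        elif not re.match(r"[a-z]:\\windows\\system32\\", paths[0].lower()):
            reasons.append("Winlogon Notify DLL loaded from outside System32")
    if line.startswith("O23 -") and "Unknown owner" in line and "(file missing)" in line:
        reasons.append("orphaned service with unknown owner")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons, in log order."""
    findings: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        reasons = check_line(line) if line else []
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

Clean entries such as the IgfxTray Run value and the igfxcui Winlogon Notify DLL produce no reasons, so only the nine suspicious lines of the excerpt are reported.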

#5 nultylynch

nultylynch
  • Topic Starter

  • Members
  • 9 posts

Posted 29 May 2007 - 10:46 AM

Well, Snownoit, vexg6ame4 & tichd001 were not on the system. winsys2f is where you said it would be, but the computer will not let me delete it. It says that it is in use. What system do I need to shut down to delete it?

Thanks,

Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:41:47 AM, on 5/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://rivproxy.cch.com:80/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rivproxy.cch.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *cch.com;*.cchgroup.com;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\SNOWNOIT.EXE,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\System32\winload.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7CDD57C8-8404-4296-A81E-6B6B373C2AE4} - (no file)
O2 - BHO: (no name) - {8D78575B-2BEA-41B5-813A-422B19EE8AD0} - (no file)
O2 - BHO: CabinBoy IE BHO - {9A8A89B3-1EED-4cc0-B50C-51D6ED71D5D2} - mscoree.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: CCH@Hand - {b8d08682-1259-47fe-a309-fefd1dbda42a} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Configure Proxy Settings] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\autoprxy.vbs
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [User First Logon Init Script] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\userinit.vbe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ms067267209433] C:\WINDOWS\ms067267209433.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Smsi] "C:\WINDOWS\System32\ICROSO~1\spoolsv.exe" -vt ndrv
O4 - HKCU\..\Run: [Quhmeu] C:\WINDOWS\??stem32\s?chost.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vexg6ame4.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\molendad\Desktop\TICHD001.exe
O4 - Global Startup: CCH@Hand Desktop Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search highlighted text on &IRN - file:///C:\Program Files\cch\athand\desktop\bin\SearchIRN.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://inview.cch.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2545AD70-870A-11D3-8961-0008C71A43C9} (TIFFView Class) - http://tax.cchgroup.com/primesrc/apps/tiff/npcchtif.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27f2a2fbcf9d92...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122398466057
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - https://www323.livemeeting.com/etc/static/W...MailObjects.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\Software\..\Telephony: DomainName = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O20 - Winlogon Notify: wintli32 - wintli32.dll (file missing)
O21 - SSODL: zkwrAKFpAkAQK - {7CD50CF4-D67F-A65E-3BD6-88288800894C} - (no file)
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WK Endpoint (WKEndpoint) - BMC Software, Inc. - C:\program files\marimba\tuner\Tuner.exe

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 May 2007 - 10:58 AM

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control, please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

***********************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
* Also post a new Hijackthis log please.

#7 nultylynch

nultylynch
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 29 May 2007 - 12:45 PM

Here are the logs you asked for. Thanks again.

BitDefender Log:

BitDefender Online Scanner

Scan report generated at: Tue, May 29, 2007 - 12:43:36
Scan path: A:\;C:\;D:\;

Statistics
Time: 00:43:10
Files: 332464
Folders: 3642
Boot Sectors: 2
Archives: 1077
Packed Files: 42770

Results
Identified Viruses: 2
Infected Files: 3
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 509246
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes



Scanned File
Status

C:\RECYCLER\S-1-5-21-702074188-2833732907-241959117-30718\Dc1.exe
Infected with: DeepScan:Generic.Malware.SMYddldoe.F6B2BFD8

C:\RECYCLER\S-1-5-21-702074188-2833732907-241959117-30718\Dc1.exe
Disinfection failed

C:\RECYCLER\S-1-5-21-702074188-2833732907-241959117-30718\Dc1.exe
Deleted

C:\WINDOWS\system32\klikalka.exe
Infected with: Trojan.Clicker.Small.YA

C:\WINDOWS\system32\klikalka.exe
Disinfection failed

C:\WINDOWS\system32\klikalka.exe
Deleted

C:\WINDOWS\temp\win2944.tmp
Infected with: DeepScan:Generic.Malware.SMYddldoe.F6B2BFD8

C:\WINDOWS\temp\win2944.tmp
Disinfection failed

C:\WINDOWS\temp\win2944.tmp
Deleted

DrWeb Log:

winvnc.exe;c:\program files\realvnc\winvnc;Program.RemoteAdmin;;
spoolsvv.sys;c:\windows\system32;Trojan.NtRootKit.249;Deleted.;
Process.exe;C:\Documents and Settings\molendad\Desktop\smitfraudfix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\molendad\Desktop\smitfraudfix\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Process.exe;C:\Documents and Settings\molendad\Desktop\smitrem2\smitRem;Tool.Prockill;Incurable.Moved.;
psdriver.exe;C:\Program Files\psdriver;Trojan.Click.2300;Deleted.;
vncviewer.exe;C:\Program Files\RealVNC;Program.RemoteAdmin;;
vnchooks.dll;C:\Program Files\RealVNC\WinVNC;Program.RemoteAdmin;;
winvnc.exe;C:\Program Files\RealVNC\WinVNC;Program.RemoteAdmin;;
installer.exe;C:\WINDOWS;Trojan.PWS.Tanspy;Deleted.;
update.exe;C:\WINDOWS;Trojan.PWS.Tanspy;Deleted.;
ipv6monr.dll;C:\WINDOWS\system32;Trojan.PWS.Tanspy;Deleted.;
startdrv.exe;C:\WINDOWS\temp;BackDoor.Bulknet;Deleted.;

Latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:38:37 PM, on 5/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\??stem32\s?chost.exe
C:\Program Files\CCH\AtHand\Desktop\Bin\Binnacle.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://rivproxy.cch.com:80/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rivproxy.cch.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *cch.com;*.cchgroup.com;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\SNOWNOIT.EXE,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\System32\winload.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7CDD57C8-8404-4296-A81E-6B6B373C2AE4} - (no file)
O2 - BHO: (no name) - {8D78575B-2BEA-41B5-813A-422B19EE8AD0} - (no file)
O2 - BHO: CabinBoy IE BHO - {9A8A89B3-1EED-4cc0-B50C-51D6ED71D5D2} - mscoree.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: CCH@Hand - {b8d08682-1259-47fe-a309-fefd1dbda42a} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Configure Proxy Settings] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\autoprxy.vbs
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [User First Logon Init Script] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\userinit.vbe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ms067267209433] C:\WINDOWS\ms067267209433.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Smsi] "C:\WINDOWS\System32\ICROSO~1\spoolsv.exe" -vt ndrv
O4 - HKCU\..\Run: [Quhmeu] C:\WINDOWS\??stem32\s?chost.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vexg6ame4.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\molendad\Desktop\TICHD001.exe
O4 - Global Startup: CCH@Hand Desktop Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search highlighted text on &IRN - file:///C:\Program Files\cch\athand\desktop\bin\SearchIRN.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://inview.cch.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2545AD70-870A-11D3-8961-0008C71A43C9} (TIFFView Class) - http://tax.cchgroup.com/primesrc/apps/tiff/npcchtif.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27f2a2fbcf9d92...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122398466057
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - https://www323.livemeeting.com/etc/static/W...MailObjects.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\Software\..\Telephony: DomainName = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O20 - Winlogon Notify: wintli32 - wintli32.dll (file missing)
O21 - SSODL: zkwrAKFpAkAQK - {7CD50CF4-D67F-A65E-3BD6-88288800894C} - (no file)
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WK Endpoint (WKEndpoint) - BMC Software, Inc. - C:\program files\marimba\tuner\Tuner.exe

Edited by nultylynch, 29 May 2007 - 12:46 PM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:06:55 PM

Posted 29 May 2007 - 04:03 PM

Click on Start/Run, then type regedit, then press Ok.
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Double click on the key 'Winlogon'.
In the right hand side window scroll down to, then double click on, the value "Userinit".

In the opening 'Edit String' box, edit the following 'Value data' from:
C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\SNOWNOIT.EXE,

To, and including the comma on the end:
C:\WINDOWS\system32\userinit.exe,

Press Ok when you've done, exit regedit, restart your pc.

****************************

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\Documents and Settings\All Users\Documents\Settings\bot.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

****************************

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Net Agent
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

****************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\System32\winload.dll (file missing)
O2 - BHO: (no name) - {7CDD57C8-8404-4296-A81E-6B6B373C2AE4} - (no file)
O2 - BHO: (no name) - {8D78575B-2BEA-41B5-813A-422B19EE8AD0} - (no file)
O2 - BHO: CabinBoy IE BHO - {9A8A89B3-1EED-4cc0-B50C-51D6ED71D5D2} - mscoree.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: CCH@Hand - {b8d08682-1259-47fe-a309-fefd1dbda42a} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vexg6ame4.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\molendad\Desktop\TICHD001.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {2545AD70-870A-11D3-8961-0008C71A43C9} (TIFFView Class) - http://tax.cchgroup.com/primesrc/apps/tiff/npcchtif.cab
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O20 - Winlogon Notify: wintli32 - wintli32.dll (file missing)
O21 - SSODL: zkwrAKFpAkAQK - {7CD50CF4-D67F-A65E-3BD6-88288800894C} - (no file)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)


Fix all/any of the following entries you don't recognise with Hijackthis:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://rivproxy.cch.com:80/array.dll?Get.Routing.Script
O4 - HKLM\..\Run: [Configure Proxy Settings] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\autoprxy.vbs
O4 - HKLM\..\Run: [User First Logon Init Script] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\userinit.vbe
O8 - Extra context menu item: Search highlighted text on &IRN - file:///C:\Program Files\cch\athand\desktop\bin\SearchIRN.htm

Exit Hijackthis.

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

***************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT:*
Do NOT run any other options until you are asked to do so!

***************************

Post the AVG Anti Spyware report, the SmitfraudFix report, and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.

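As an added example (mine, not part of this thread and not HijackThis's own code), here is a small Python script that applies the same reading RichieUK gives the log above: it flags a UserInit value carrying anything beyond userinit.exe, every registration whose target shows as "(file missing)" or "(no file)", and any Winlogon Notify DLL living outside System32. The sample lines are constructed from the log posted above; the expected userinit.exe path and the System32 prefix are assumptions for an XP-era install.

```python
"""Triage a HijackThis 1.99-style log for the persistence points handled in this thread.

Added example, not part of the thread and not HijackThis's own code. The
canonical userinit.exe path and the System32 prefix below are assumptions
for an XP-era install; the sample lines are constructed from the log above.
"""
import re

# Assumption: where the legitimate userinit.exe lives on this install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumption: legitimate Winlogon Notify DLLs are expected under System32.
SYSTEM32_DIR = "c:\\windows\\system32\\"

USERINIT_RE = re.compile(r"F2 - REG:system\.ini: UserInit=(.*)$")
NOTIFY_RE = re.compile(r"O20 - Winlogon Notify: (\S+) - (.*)$")

# Constructed sample: a subset of the lines posted above, in HijackThis format.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\SNOWNOIT.EXE,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\System32\winload.dll (file missing)
O2 - BHO: (no name) - {7CDD57C8-8404-4296-A81E-6B6B373C2AE4} - (no file)
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: wintli32 - wintli32.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""


def userinit_programs(line):
    """Return the non-empty, comma-separated programs in an F2 UserInit line, or None."""
    m = USERINIT_RE.match(line)
    if not m:
        return None
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def userinit_extras(line):
    """Programs in the UserInit value other than the expected userinit.exe.

    Winlogon runs every entry in this list at logon, so anything beyond
    userinit.exe is a persistence mechanism that needs explaining.
    """
    progs = userinit_programs(line)
    if progs is None:
        return []
    return [p for p in progs if p.lower() != EXPECTED_USERINIT]


def cleaned_userinit(line):
    """The value data the thread restores: userinit.exe alone, trailing comma kept."""
    progs = userinit_programs(line) or []
    for p in progs:
        if p.lower() == EXPECTED_USERINIT:
            return p + ","
    return None


def triage(log_text):
    """Return (category, line) pairs for entries a responder would look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if userinit_extras(line):
            findings.append(("userinit-extra", line))
        elif line.endswith("(file missing)") or line.endswith("(no file)"):
            # Orphaned registration: the target is gone but the key remains.
            findings.append(("target-missing", line))
        else:
            m = NOTIFY_RE.match(line)
            if m and not m.group(2).lower().startswith(SYSTEM32_DIR):
                # Notify DLLs load into winlogon.exe; one living under
                # Documents and Settings is out of place.
                findings.append(("notify-outside-system32", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"[{category}] {line}")
    f2_line = SAMPLE_LOG.strip().splitlines()[0]
    print("Restore UserInit to:", cleaned_userinit(f2_line))
```

Run it as-is to print the flagged lines and the restored UserInit value, or pass a real log's text to triage(). A flag is a prompt to look, not a verdict: the CCH@Hand toolbar's mscoree.dll entry in the log above would also show as missing, which is why RichieUK separately asks the user which entries they recognise.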

#9 nultylynch

nultylynch
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 31 May 2007 - 08:48 AM

Sorry about the delay, was home sick yesterday :thumbsup:

Thanks again for all the help.


Smitfraud report:

SmitFraudFix v2.189

Scan done at 9:40:37.55, Thu 05/31/2007
Run from C:\Documents and Settings\molendad\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CCH\AtHand\Desktop\Bin\Binnacle.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\molendad


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\molendad\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\molendad\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}"="COM+ Service"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler Miniport
DNS Server Search Order: 165.181.122.52
DNS Server Search Order: 165.181.60.133

HKLM\SYSTEM\CCS\Services\Tcpip\..\{67D37C53-3DD5-4199-837F-5D0CB35A4DAF}: DhcpNameServer=165.181.122.52 165.181.60.133
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67D37C53-3DD5-4199-837F-5D0CB35A4DAF}: DhcpNameServer=165.181.122.52 165.181.60.133
HKLM\SYSTEM\CS2\Services\Tcpip\..\{67D37C53-3DD5-4199-837F-5D0CB35A4DAF}: DhcpNameServer=165.181.122.52 165.181.60.133
HKLM\SYSTEM\CS3\Services\Tcpip\..\{67D37C53-3DD5-4199-837F-5D0CB35A4DAF}: DhcpNameServer=165.181.122.52 165.181.60.133
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=165.181.122.52 165.181.60.133
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=165.181.122.52 165.181.60.133
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=165.181.122.52 165.181.60.133
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=165.181.122.52 165.181.60.133


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



AVG Report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:33:09 AM 5/31/2007

+ Scan result:



C:\WINDOWS\ѕуstem32\sνchost.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\UNR799LB\popuper[1].exe -> Downloader.Agent.bpi : Cleaned with backup (quarantined).
C:\WINDOWS\ibkntkri.exe -> Downloader.Small.emw : Cleaned with backup (quarantined).
C:\WINDOWS\temp\startdrv.exe -> Dropper.Agent.bie : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msorcl32.exe -> Not-A-Virus.Hoax.Win32.Renos.fn : Cleaned with backup (quarantined).
C:\WINDOWS\drv.sys -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\asyncmac.sys -> Not-A-Virus.Hoax.Win32.Renos.hr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\spoolsvv.sys -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\WINDOWS\temp\win44D1.tmp -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\Documents and Settings\All Users\Documents\Settings\bot.dll -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\Documents and Settings\All Users\Documents\Settings\winsys2f.dll -> Proxy.Xorpix.ba : Cleaned with backup (quarantined).
C:\Documents and Settings\molendad\Cookies\david.molenda@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@saxosouthbend.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@ehg-hollywoodmedia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\molendad\Cookies\david.molenda@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\system32\wtsicomsv.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:46 AM, on 5/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CCH\AtHand\Desktop\Bin\Binnacle.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://rivproxy.cch.com:80/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rivproxy.cch.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *cch.com;*.cchgroup.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Configure Proxy Settings] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\autoprxy.vbs
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [User First Logon Init Script] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\userinit.vbe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ms067267209433] C:\WINDOWS\ms067267209433.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Smsi] "C:\WINDOWS\System32\ICROSO~1\spoolsv.exe" -vt ndrv
O4 - Global Startup: CCH@Hand Desktop Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search highlighted text on &IRN - file:///C:\Program Files\cch\athand\desktop\bin\SearchIRN.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://inview.cch.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27f2a2fbcf9d92...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122398466057
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - https://www323.livemeeting.com/etc/static/W...MailObjects.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\Software\..\Telephony: DomainName = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WK Endpoint (WKEndpoint) - BMC Software, Inc. - C:\program files\marimba\tuner\Tuner.exe

#10 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 31 May 2007 - 09:24 AM

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


#11 nultylynch (Topic Starter, Members, 9 posts)

Posted 31 May 2007 - 09:38 AM

ComboFix log:

"david.molenda" - 2007-05-31 10:22:57 Service Pack 1
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\molendad\Desktop\"

ADS removed - system32: deleted 78580 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\Duce6.exe"
"C:\WINDOWS\system32\0_exception.nls"
"C:\WINDOWS\system32\dlh9jkd1q8.exe"
"C:\WINDOWS\system32\RunOnce2.t__"
"C:\Documents and Settings\All Users.\documents\settings\desktop.ini"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\Temp\17O7\tmpTF.log"
"C:\WINDOWS\system32\spoolsvv.exe"
"C:\WINDOWS\iexplore.dll"
"C:\WINDOWS\system32.dll"
"C:\WINDOWS\system32\windev-peers.ini"
"C:\WINDOWS\system32\mt_32.dll"
"C:\WINDOWS\rau001978.exe"
"C:\WINDOWS\cs_cache.ini"
"C:\Documents and Settings\All Users.\documents\settings"
"C:\Program Files\outerinfo"
"C:\WINDOWS\system32\smpi1"
"C:\Temp\17O7"
"C:\WINDOWS\system32\drivers\runtime2.sys"

-- Purity Folders:

C:\WINDOWS\system32\YMBOLS~1
C:\WINDOWS\system32\ICROSO~1
C:\WINDOWS\STEM32~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DRIVER
-------\LEGACY_NDNET1
-------\LEGACY_NET_AGENT
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_WINCOM32
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Driver
-------\Net Agent


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31 ))))))))))))))))))))))))))))))))))


2007-05-31 08:58 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-29 12:54 <DIR> d-------- C:\Documents and Settings\molendad\DoctorWeb
2007-05-29 12:54 <DIR> d-------- C:\DOCUME~1\molendad\DoctorWeb
2007-05-25 14:43 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-05-25 14:24 <DIR> d-------- C:\Program Files\RegCleaner
2007-05-25 14:09 <DIR> d-------- C:\TEMP\QRemove
2007-05-25 12:35 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-25 11:50 <DIR> d-------- C:\Documents and Settings\molendad\.housecall6.6
2007-05-25 11:50 <DIR> d-------- C:\DOCUME~1\molendad\.housecall6.6
2007-05-25 10:23 <DIR> d-------- C:\VundoFix Backups
2007-05-25 10:07 3,026 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-25 09:06 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-24 14:40 <DIR> dr-hs---- C:\cmdcons
2007-05-24 14:40 <DIR> d-------- C:\WINDOWS\setupupd
2007-05-24 14:40 <DIR> d-------- C:\WINDOWS\setup.pss
2007-05-23 15:54 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2007-05-23 15:49 <DIR> d-------- C:\WINDOWS\pss
2007-05-23 13:41 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-05-23 13:41 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-05-23 13:41 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-05-23 13:41 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-23 13:41 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-05-23 13:41 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-05-23 13:36 57,344 --a------ C:\WINDOWS\system32\igxprd32.dll
2007-05-23 13:36 528,384 --a------ C:\WINDOWS\system32\igfxcfg.exe
2007-05-23 13:36 5,672,032 --a------ C:\WINDOWS\system32\drivers\igxpmp32.sys
2007-05-23 13:36 46,080 --a------ C:\WINDOWS\system32\igfxsrvc.dll
2007-05-23 13:36 450,560 --a------ C:\WINDOWS\system32\igldev32.dll
2007-05-23 13:36 389,120 --a------ C:\WINDOWS\system32\igxpun.exe
2007-05-23 13:36 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2007-05-23 13:36 3,293,184 --a------ C:\WINDOWS\system32\igfxress.dll
2007-05-23 13:36 241,664 --a------ C:\WINDOWS\system32\igfxsrvc.exe
2007-05-23 13:36 24,576 --a------ C:\WINDOWS\system32\igfxexps.dll
2007-05-23 13:36 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-05-23 13:36 204,800 --a------ C:\WINDOWS\system32\igfxdev.dll
2007-05-23 13:36 204,800 --a------ C:\WINDOWS\system32\igfxCoIn_v4764.dll
2007-05-23 13:36 200,704 --a------ C:\WINDOWS\system32\igfxpph.dll
2007-05-23 13:36 2,482,688 --a------ C:\WINDOWS\system32\igxpdx32.dll
2007-05-23 13:36 2,334,720 --a------ C:\WINDOWS\system32\iglicd32.dll
2007-05-23 13:36 163,840 --a------ C:\WINDOWS\system32\igfxzoom.exe
2007-05-23 13:36 163,840 --a------ C:\WINDOWS\system32\igfxext.exe
2007-05-23 13:36 163,840 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-05-23 13:36 149,504 --a------ C:\WINDOWS\system32\igxpgd32.dll
2007-05-23 13:36 135,168 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-05-23 13:36 135,168 --a------ C:\WINDOWS\system32\igfxdo.dll
2007-05-23 13:36 131,072 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-05-23 13:36 102,400 --a------ C:\WINDOWS\system32\hccutils.dll
2007-05-23 13:36 1,563,776 --a------ C:\WINDOWS\system32\igxpdv32.dll
2007-05-23 13:36 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-05-23 13:36 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-05-23 13:36 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-05-23 13:36 <DIR> d-------- C:\Intel
2007-05-23 13:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-23 13:11 <DIR> d-------- C:\WINDOWS\LMI54.tmp
2007-05-23 13:10 <DIR> d-------- C:\WINDOWS\LMI45.tmp
2007-05-23 13:05 <DIR> d-------- C:\WINDOWS\LMI33.tmp
2007-05-23 12:25 <DIR> d-------- C:\video
2007-05-23 12:25 <DIR> d-------- C:\swsetup
2007-05-23 12:23 <DIR> d-------- C:\videoswsetup
2007-05-23 12:09 <DIR> d-------- C:\WINDOWS\LMI14.tmp
2007-05-16 18:45 <DIR> d-------- C:\Program Files\psdriver
2007-05-16 18:44 933 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-05-16 18:44 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-16 18:44 192,205 --a------ C:\WINDOWS\minisetup55.exe
2007-05-16 18:00 288,768 --a------ C:\WINDOWS\system32\load.exe
2007-05-16 17:40 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-05-16 17:40 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-05-16 16:22 <DIR> d-------- C:\WINDOWS\LMI46.tmp
2007-05-15 20:14 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\WoltersKluwer


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 00:51:28 -------- d-----w C:\DOCUME~1\molendad\APPLIC~1\AdobeUM
2007-05-23 17:36:14 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-16 21:18:08 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-03-05 17:34:28 676,224 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 16:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-08-22 14:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-25 10:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-27 19:00]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 18:14]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 02:40]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 02:00]
"Smsi"="C:\WINDOWS\System32\ICROSO~1\spoolsv.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PaSystem"="C:\Program Files\pasystem\pasystem.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LockTaskbar"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoStartMenuMyMusic"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)
"Intellimenus"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoWelcomeScreen"=1 (0x1)
"NoAutoUpdate"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"LockTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=addlocaladmins.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30711\Scripts\Logon\0\0]
"Script"=windowsz.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30711\Scripts\Logon\1\0]
"Script"=tuner.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30711\Scripts\Logon\2\0]
"Script"=MAPI-STD.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30711\Scripts\Logon\3\0]
"Script"=windowsz.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30711\Scripts\Logon\4\0]
"Script"=tuner.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30711\Scripts\Logon\5\0]
"Script"=MAPI-STD.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30718\Scripts\Logon\0\0]
"Script"=windowsz.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30718\Scripts\Logon\1\0]
"Script"=tuner.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-30718\Scripts\Logon\2\0]
"Script"=MAPI-STD.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-849160794-1740338019-1307212239-12866\Scripts\Logon\0\0]
"Script"=windowsz.vbs

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 10:30:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-05-31 10:33:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-31 10:32

--- E O F ---

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 31 May 2007 - 10:01 AM

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report into your next reply.

****************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smsi"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PaSystem"=-

****************************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\load.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\minisetup55.exe
C:\WINDOWS\LMI54.tmp
C:\WINDOWS\LMI45.tmp
C:\WINDOWS\LMI33.tmp
C:\WINDOWS\LMI14.tmp
C:\WINDOWS\LMI46.tmp

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

****************************

Download Winpfind V2.0.2 and extract the contents to your desktop:
http://download.bleepingcomputer.com/oldtimer/winpfind.exe
Open the WinPFind folder and double click on Winpfind.exe
Leave the configuration settings as they are and click on 'Run Scan'.
The scan will take some time to complete so please be patient.
Once complete close the program.
Open the WinPFind folder, then copy and paste the entire content of winpfind.txt into your next reply.

*NOTE*
It may take more than one reply to post the whole winpfind.txt.
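
The fix above is the usual Smitfraud/Purity triage done by eye: pick out the Run values in the HijackThis log that launch something from a folder that should not exist (the ICROSO~1 path ComboFix lists under "Purity Folders"), that reuse a core system binary's name from the wrong place (spoolsv.exe anywhere but \WINDOWS\System32), or that carry a random-looking name (ms067267209433.exe), and then remove those values with REGEDIT4's "name"=- deletion syntax, exactly as fix.reg does. The Python below is an added example written for this page; it is not code from the thread or from HijackThis, ComboFix, SmitFraudFix or Avenger. It applies those three heuristics to O4 lines and emits a fix.reg of the same shape. The heuristics themselves, the eight-digit cut-off and the list of imitated folder names are assumptions; the sample O4 lines are constructed to match the form of entries in the log posted above so the script runs offline.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines in the shape HijackThis 1.99.1 prints them,
# mirroring entries in the log posted above, embedded so this runs offline.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [ms067267209433] C:\WINDOWS\ms067267209433.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Smsi] "C:\WINDOWS\System32\ICROSO~1\spoolsv.exe" -vt ndrv
""".strip()

O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# Core NT process names that legitimately live only in \WINDOWS\System32.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Folder names the Purity dropper imitates (assumed list). A genuine 8.3 name
# is the first six characters plus ~N (MICROS~1); a stem that is a later
# substring of the name (ICROSO~1) cannot come from the real folder, so the
# folder was planted with a name chosen to look like a truncation.
IMITATED_DIRS = ["microsoft", "symbols", "system32"]


def short_name_imitation(component):
    """Return the imitated folder name if an 8.3 component is a fake truncation."""
    m = re.fullmatch(r"([A-Z0-9]{1,6})~\d+", component.upper())
    if not m:
        return None
    stem = m.group(1).lower()
    for full in IMITATED_DIRS:
        if stem != full[:len(stem)] and stem in full:
            return full
    return None


def split_command(cmd):
    """Extract the executable path from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_o4(hjt_text):
    """Flag suspicious O4 entries; each finding carries the reasons it was flagged."""
    findings = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        exe = PureWindowsPath(split_command(m["cmd"]))
        dirs = [p.lower() for p in exe.parts[1:-1]]   # drop drive and file name
        reasons = []
        if exe.name.lower() in SYSTEM_BINARIES and dirs != ["windows", "system32"]:
            reasons.append("system binary name outside \\WINDOWS\\System32")
        for comp in exe.parts[1:-1]:
            full = short_name_imitation(comp)
            if full:
                reasons.append(f"{comp} imitates a truncated '{full}' folder")
        if re.search(r"\d{8,}", m["name"] + exe.name):   # 8+ digits: assumed cut-off
            reasons.append("random-looking digit run in name")
        if reasons:
            findings.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                             "exe": str(exe), "reasons": reasons})
    return findings


def reg_deletion_script(findings):
    """Build a REGEDIT4 file that deletes the flagged values with the "name"=- syntax."""
    by_key = {}
    for f in findings:
        key = f"{HIVES[f['hive']]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{f['key']}"
        by_key.setdefault(key, []).append(f["name"])
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = triage_o4(SAMPLE_O4)
    for f in flagged:
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] {f['exe']}")
        for r in f["reasons"]:
            print("    -", r)
    print(reg_deletion_script(flagged))
```

Run against the constructed sample it flags the ms067267209433 and Smsi values and leaves QuickTime and ctfmon alone; the RunOnce2Upd entry is not caught by these three rules and still deserves a look by hand, which is the usual limit of log-only triage. The 8.3 check reasons about names alone because a HijackThis log carries no directory listing; on the live machine `dir /x` in \WINDOWS\System32 shows the real long name behind ICROSO~1 and settles the question directly.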

#13 nultylynch (Topic Starter, Members, 9 posts)

Posted 31 May 2007 - 10:26 AM

Here are the logs you requested. Thanks again.

smitfraudfix log:

SmitFraudFix v2.189

Scan done at 11:06:05.12, Thu 05/31/2007
Run from C:\Documents and Settings\molendad\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}"="COM+ Service"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler Miniport
DNS Server Search Order: 165.181.71.220
DNS Server Search Order: 165.181.122.52

HKLM\SYSTEM\CCS\Services\Tcpip\..\{67D37C53-3DD5-4199-837F-5D0CB35A4DAF}: DhcpNameServer=165.181.71.220 165.181.122.52
HKLM\SYSTEM\CS1\Services\Tcpip\..\{67D37C53-3DD5-4199-837F-5D0CB35A4DAF}: DhcpNameServer=165.181.122.52 165.181.60.133
HKLM\SYSTEM\CS2\Services\Tcpip\..\{67D37C53-3DD5-4199-837F-5D0CB35A4DAF}: DhcpNameServer=165.181.71.220 165.181.122.52
HKLM\SYSTEM\CS3\Services\Tcpip\..\{67D37C53-3DD5-4199-837F-5D0CB35A4DAF}: DhcpNameServer=165.181.71.220 165.181.122.52
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=165.181.71.220 165.181.122.52
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=165.181.122.52 165.181.60.133
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=165.181.71.220 165.181.122.52
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=165.181.71.220 165.181.122.52


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}"="COM+ Service"



»»»»»»»»»»»»»»»»»»»»»»»» End


Avenger Log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xuyqgvih

*******************

Script file located at: \??\C:\ycxmfend.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\winpfz32.sys deleted successfully.
File C:\WINDOWS\system32\load.exe deleted successfully.
File C:\WINDOWS\system32\tmp.reg deleted successfully.
File C:\WINDOWS\minisetup55.exe deleted successfully.


Error: C:\WINDOWS\LMI54.tmp is a folder, not a file!
Deletion of file C:\WINDOWS\LMI54.tmp failed!

Could not process line:
C:\WINDOWS\LMI54.tmp
Status: 0xc00000ba



Error: C:\WINDOWS\LMI45.tmp is a folder, not a file!
Deletion of file C:\WINDOWS\LMI45.tmp failed!

Could not process line:
C:\WINDOWS\LMI45.tmp
Status: 0xc00000ba



Error: C:\WINDOWS\LMI33.tmp is a folder, not a file!
Deletion of file C:\WINDOWS\LMI33.tmp failed!

Could not process line:
C:\WINDOWS\LMI33.tmp
Status: 0xc00000ba



Error: C:\WINDOWS\LMI14.tmp is a folder, not a file!
Deletion of file C:\WINDOWS\LMI14.tmp failed!

Could not process line:
C:\WINDOWS\LMI14.tmp
Status: 0xc00000ba



Error: C:\WINDOWS\LMI46.tmp is a folder, not a file!
Deletion of file C:\WINDOWS\LMI46.tmp failed!

Could not process line:
C:\WINDOWS\LMI46.tmp
Status: 0xc00000ba


Completed script processing.

*******************

Finished! Terminate.

Winpfind log:

WinPFind logfile created on: 5/31/2007 11:15:35 AM
WinPFind by OldTimer - v2.0.3 Folder = C:\Documents and Settings\molendad\Desktop\WinPFind\

»»»»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Service Pack 1 | Version: 5.1.2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»»»»» Memory/Drive Info »»»»»»»»»»»»»»»»»»»»»»»»»»

503.43 Mb Total Physical Memory | 195.38 Mb Available Physical Memory | 38.81% Memory free
1.20 Gb Paging File | 0.95 Gb Available in Paging File | 79.39% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 30.80 Gb Free Space | 82.66% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 50.28 Gb Total Space | 6.97 Gb Free Space | 13.86% Space Free

Computer Name: DC19WS000008579
Current User Name: david.molenda
NOT logged in as Administrator.
Current Boot Mode: Normal

»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»

C:\Documents and Settings\molendad\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)
C:\Notes\ntmulti.exe (IBM Corp)
C:\Program Files\CCH\AtHand\Desktop\Bin\Binnacle.exe (Wolters Kluwer)
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
C:\Program Files\Compaq\Compaq Management Agents\Chkadmin.exe (Hewlett-Packard Company)
C:\Program Files\Compaq\Compaq Management Agents\Cpqalert.exe (Hewlett-Packard Company)
C:\Program Files\Compaq\Compaq Management Agents\Cpqdmi.exe (Compaq Computer Corporation)
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe (Intel)
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s.)
C:\Program Files\RealVNC\WinVNC\winvnc.exe (RealVNC Ltd.)
C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)

»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»

(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running]
= C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s.)

(CPQALERT) Insight Local Alerter [Win32_Own | Auto | Running]
= C:\Program Files\Compaq\Compaq Management Agents\Cpqalert.exe (Hewlett-Packard Company)

(cpqdmi) cpqdmi [Win32_Own | Auto | Running]
= C:\Program Files\Compaq\Compaq Management Agents\Cpqdmi.exe (Compaq Computer Corporation)

(DefWatch) Symantec AntiVirus Definition Watcher [Win32_Own | Auto | Running]
= C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)

(Multi-user Cleanup Service) Multi-user Cleanup Service [Win32_Own | Auto | Running]
= C:\Notes\ntmulti.exe (IBM Corp)

(OracleClientCache80) OracleClientCache80 [Win32_Own | On_Demand | Stopped]
= C:\orant\BIN\ONRSD80.EXE ()

(SavRoam) SavRoam [Win32_Own | Auto | Running]
= C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)

(SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)

(SPBBCSvc) Symantec SPBBCSvc [Win32_Own | Auto | Stopped]
= C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)

(Symantec AntiVirus) Symantec AntiVirus [Win32_Own | Auto | Stopped]
= C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)

(Vmover.exe) Aelita DMW Migration Agent [Win32_Own | On_Demand | Stopped]
= C:\WINDOWS\system32\Vmover.exe (Aelita Software Corporation)

(WIN32SL) WIN32SL [Win32_Own | Auto | Running]
= C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe (Intel)

(winvnc) VNC Server [Win32_Own | Auto | Running]
= C:\Program Files\RealVNC\WinVNC\winvnc.exe (RealVNC Ltd.)

(WKEndpoint) WK Endpoint [Win32_Own | Auto | Stopped]
= C:\program files\marimba\tuner\Tuner.exe (BMC Software, Inc.)

»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
!AVG Anti-Spyware = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
ChkAdmin = C:\Program Files\Compaq\Compaq Management Agents\Chkadmin.exe (Hewlett-Packard Company)
ISUSScheduler = C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
QuickTime Task = C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
vptray = C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CCH@Hand Desktop Services.lnk
= C:\WINDOWS\Installer\{B696601D-C3F5-4FCB-95BE-25CBE63CB898}\Binnacle_67D3FEFE8E364604B668DE8F667788E9.exe ()

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

< User Startup Folder = C:\Documents and Settings\molendad\Start Menu\Programs\Startup >
C:\Documents and Settings\molendad\Start Menu\Programs\Startup\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
system.ini = 0
win.ini = 0
bootini = 0
services = 0
startup = 0

>>>>> Disabled Startup Folder Items <<<<<

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = AVG Anti-Spyware 7.5 ( HKLM = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} = COM+ Service ( HKLM = Reg Data - Key not found (File not found) )

>>>>> Winlogon Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
DllName = C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
DllName = C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 27 bytes | Modified Date: 5/31/2007 11:06:08 AM)
127.0.0.1 localhost

>>>>> Desktop Components <<<<<

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
Local Page = C:\windows\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
Local Page = C:\windows\system32\blank.htm
Search Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 1
ProxyOverride = *cch.com;*.cchgroup.com;<local>

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- AcroIEHlprObj Class ( HKLM = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
- Reg Data - Value does not exist ( HKLM = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) )

>>>>> HKLM Internet Explorer Bars <<<<<

>>>>> HKCU Internet Explorer Bars <<<<<

>>>>> HKLM Internet Explorer ToolBars <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio ( HKLM = C:\WINDOWS\system32\msdxm.ocx () )

>>>>> HKCU Internet Explorer ToolBars <<<<<

>>>>> HKCU Internet Explorer CmdMapping <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} = 8192 - Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )
{85d1f590-48f4-11d9-9669-0800200c9a66} = 8195 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8193 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8196

>>>>> HKLM Internet Explorer Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - Java Plug-in 1.5.0 ( HKLM C:\Program Files\Java\jre1.5.0\bin\NPJPI150.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}]
ButtonText = Research

>>>>> HKCU Internet Explorer Menu Extensions <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
@ = 000 (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Search highlighted text on &IRN]
@ = C:\Program Files\CCH\AtHand\Desktop\Bin\SearchIRN.htm ()

>>>>> HKLM Internet Explorer Plugins Extensions <<<<<

>>>>> HKLM Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( HKLM = deskpan.dll (File not found) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = VpshellEx Class ( HKLM = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation) )
{E0D79304-84BE-11CE-9641-444553540000} = WinZip ( HKLM = C:\Program Files\Winzip\WZSHLSTB.DLL (WinZip Computing, Inc.) )
{E0D79305-84BE-11CE-9641-444553540000} = WinZip ( HKLM = C:\Program Files\Winzip\WZSHLSTB.DLL (WinZip Computing, Inc.) )
{E0D79306-84BE-11CE-9641-444553540000} = WinZip ( HKLM = C:\Program Files\Winzip\WZSHLSTB.DLL (WinZip Computing, Inc.) )
{E0D79307-84BE-11CE-9641-444553540000} = WinZip ( HKLM = C:\Program Files\Winzip\WZSHLSTB.DLL (WinZip Computing, Inc.) )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = RealOne Player Context Menu Class ( HKLM = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.) )

>>>>> HKCU Approved Shell Extensions <<<<<

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\AVG Anti-Spyware]
@ = {8934FCEF-F5B8-468f-951F-78A921CD3920} ( HKLM = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\LDVPMenu]
@ = {BDA77241-42F6-11d0-85E2-00AA001FE28C} ( HKLM = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\WinZip]
@ = {E0D79304-84BE-11CE-9641-444553540000} ( HKLM = C:\Program Files\Winzip\WZSHLSTB.DLL (WinZip Computing, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\AVG Anti-Spyware]
@ = {8934FCEF-F5B8-468f-951F-78A921CD3920} ( HKLM = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip]
@ = {E0D79304-84BE-11CE-9641-444553540000} ( HKLM = C:\Program Files\Winzip\WZSHLSTB.DLL (WinZip Computing, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\igfxcui]
@ = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} ( HKLM = C:\WINDOWS\system32\igfxpph.dll (Intel Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu]
@ = {BDA77241-42F6-11d0-85E2-00AA001FE28C} ( HKLM = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\WinZip]
@ = {E0D79304-84BE-11CE-9641-444553540000} ( HKLM = C:\Program Files\Winzip\WZSHLSTB.DLL (WinZip Computing, Inc.) )

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption = WARNING NOTICE
legalnoticetext = This system is restricted solely to Wolters Kluwer users for legitimate business only. The actual or attempted, unauthorized access,use or modification of this system is strictly prohibited by Wolters Kluwer. All data contained on this computer and network may be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed in any manner, by authorized personnel. THERE IS NO RIGHT TO PRIVACY ON THIS SYSTEM.
System personnel may give to law enforcement officials any potential evidence of crime found on this computer system. Use of this system by any user, authorized or not, constitutes consent to this monitoring, interception, recording, reading, copying, or capturing and disclosure. Unauthorized users are subject to Company disciplinary actions up to and including termination.
shutdownwithoutlogon = 1
undockwithoutlogon = 1
disablecad = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
NoCloseDragDropBands = 0
NoMovingBands = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 145
LockTaskbar = 0
NoWindowsUpdate = 0
NoStartMenuMyMusic = 1
ForceStartMenuLogOff = 1
Intellimenus = 1
NoDesktopCleanupWizard = 1
ForceClassicControlPanel = 1
NoWelcomeScreen = 1
NoAutoUpdate = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
DisableRegistryTools = 0

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]*

>>>>> Security Providers <<<<<

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
ComSpec = %SystemRoot%\system32\cmd.exe ( C:\WINDOWS\system32\cmd.exe (Microsoft Corporation) )
TEMP = %SystemRoot%\TEMP
TMP = %SystemRoot%\TEMP
windir = %SystemRoot%

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path]
C:\orant\bin
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\Bin
C:\WINDOWS\system32
C:\WINDOWS
C:\WINDOWS\System32\Wbem

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT]
.COM
.EXE
.BAT
.CMD
.VBS
.VBE
.JS
.JSE
.WSF
.WSH

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> User Agent Post Platform <<<<<

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = Reg Data - Key not found
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\System32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" "%1" (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\iexplore.exe" "%1" (Microsoft Corporation)
htmlfile [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

http [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" "%1" (Microsoft Corporation)

https [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL "%l" (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\System32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" "%1" (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "%programfiles%\internet explorer\iexplore.exe" (File not found)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{67D37C53-3DD5-4199-837F-5D0CB35A4DAF}] ( Broadcom NetXtreme Gigabit Ethernet )
DefaultGateway =
DhcpDefaultGateway = 165.181.71.254;
DhcpIPAddress = 165.181.71.207
DhcpNameServer = 165.181.122.52 165.181.60.133
DhcpServer = 165.181.122.52
DhcpSubnetMask = 255.255.255.192
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer =
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Default Protocols [HKLM] <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@ivt - 1 = Local intranet
file - 3 = Internet
ftp - 3 = Internet
http - 3 = Internet
https - 3 = Internet
shell - 0 = My Computer

>>>>> Protocol Handlers <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\vnd.ms.radio]
CLSID = {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - ( HKLM = C:\WINDOWS\system32\msdxm.ocx () )

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}\DownloadInformation]
CODEBASE = http://go.microsoft.com/fwlink/?linkid=58813
INF = C:\WINDOWS\Downloaded Program Files\OGAControl.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation]
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
INF = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{215B8138-A3CF-44C5-803F-8226143CFC0A}\DownloadInformation]
CODEBASE = http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
INF = C:\WINDOWS\Downloaded Program Files\hcImpl.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{238F6F83-B8B4-11CF-8771-00A024541EE3}\DownloadInformation]
CODEBASE = http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
INF = C:\WINDOWS\Downloaded Program Files\wficat.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}\DownloadInformation]
CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
INF = C:\WINDOWS\Downloaded Program Files\avsniff.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-9980-0010-8000-00AA00389B71}\DownloadInformation]
CODEBASE = http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab
INF = C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{56336BCB-3D8A-11D6-A00B-0050DA18DE71}\DownloadInformation]
CODEBASE = http://software-dl.real.com/27f2a2fbcf9d92...ip/RdxIE601.cab

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}\DownloadInformation]
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab
INF = C:\WINDOWS\Downloaded Program Files\oscan8.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\DownloadInformation]
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1122398466057
INF = C:\WINDOWS\Downloaded Program Files\wuweb.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{644E432F-49D3-41A1-8DD5-E099162EEEC5}\DownloadInformation]
CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
INF = C:\WINDOWS\Downloaded Program Files\CabSA.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\DownloadInformation]
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
INF = C:\WINDOWS\Downloaded Program Files\asinst.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9B57C630-AA6E-440D-8D44-D34542E5531A}\DownloadInformation]
CODEBASE = https://www323.livemeeting.com/etc/static/W...MailObjects.cab

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{C7DB51B4-BCF7-4923-8874-7F1A0DC92277}\DownloadInformation]
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc4.cab
INF = C:\WINDOWS\Downloaded Program Files\opuc.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}\DownloadInformation]
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
INF =

»»»»»»»»»»»»»»»»»»»» Files / Folders Created Within 30 Days »»»»»»»»»»»»»

C:\avenger [Folder | Created Date = 5/31/2007 10:13:22 AM | Attr = ]
C:\BOOT.BAK [Ver = | Size = 194 bytes | Created Date = 5/24/2007 1:40:59 PM | Attr = HS]
C:\cmdcons [Folder | Created Date = 5/24/2007 1:40:40 PM | Attr = RHS]
C:\ENTEGRIS.doc [Ver = | Size = 79360 bytes | Created Date = 5/24/2007 5:10:36 PM | Attr = ]
C:\Intel [Folder | Created Date = 5/23/2007 12:36:43 PM | Attr = ]
C:\QooBox [Folder | Created Date = 5/31/2007 9:24:25 AM | Attr = ]
C:\swsetup [Folder | Created Date = 5/23/2007 11:25:55 AM | Attr = ]
C:\video [Folder | Created Date = 5/23/2007 11:25:26 AM | Attr = ]
C:\videoswsetup [Folder | Created Date = 5/23/2007 11:23:55 AM | Attr = ]
C:\VundoFix Backups [Folder | Created Date = 5/25/2007 9:23:47 AM | Attr = ]
C:\_OTMoveIt [Folder | Created Date = 5/31/2007 7:48:42 AM | Attr = ]
C:\~$sterFile.doc [Ver = | Size = 162 bytes | Created Date = 5/16/2007 1:57:27 PM | Attr = H ]
C:\~$sterPrimer.doc [Ver = | Size = 162 bytes | Created Date = 5/16/2007 11:50:51 AM | Attr = H ]
C:\~$TEGRIS.doc [Ver = | Size = 162 bytes | Created Date = 5/24/2007 5:10:37 PM | Attr = H ]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy [Folder | Created Date = 5/23/2007 12:27:35 PM | Attr = ]
C:\Documents and Settings\molendad\Application Data\.rdr.ini [Ver = | Size = 16 bytes | Created Date = 5/16/2007 5:43:20 PM | Attr = ]
C:\Documents and Settings\molendad\Local Settings\Application Data\Identities [Folder | Created Date = 5/16/2007 5:47:35 PM | Attr = ]
C:\Documents and Settings\molendad\My Documents\My eBooks [Folder | Created Date = 5/29/2007 7:51:20 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\AVG Anti-Spyware.lnk [Ver = | Size = 849 bytes | Created Date = 5/31/2007 7:58:44 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\avgas-setup-7.5.0.50.exe [Ver = | Size = 11470608 bytes | Created Date = 5/31/2007 7:58:13 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\backups [Folder | Created Date = 5/25/2007 9:05:12 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\bitdefenderlog.html [Ver = | Size = 18957 bytes | Created Date = 5/29/2007 11:49:26 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\ComboFix.exe [Ver = | Size = 1088077 bytes | Created Date = 5/31/2007 9:22:08 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\cureit.exe [Ver = | Size = 6428032 bytes | Created Date = 5/29/2007 11:53:49 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\fix.reg [Ver = | Size = 170 bytes | Created Date = 5/31/2007 10:09:18 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\HiJackThis_v2.exe Trend Micro Inc. [Ver = 2.00 | Size = 1308216 bytes | Created Date = 5/25/2007 9:03:35 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\OTMoveIt.exe OldTimer Tools [Ver = 1.0.12.0 | Size = 210432 bytes | Created Date = 5/31/2007 7:48:21 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\pqremove.com [Ver = | Size = 5180928 bytes | Created Date = 5/25/2007 1:08:55 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\RegCleaner.lnk [Ver = | Size = 645 bytes | Created Date = 5/25/2007 1:24:43 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\shell.doc [Ver = | Size = 26624 bytes | Created Date = 5/23/2007 11:58:53 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\Shortcut to HijackThis.exe.lnk [Ver = | Size = 642 bytes | Created Date = 5/29/2007 9:44:38 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\SmitfraudFix [Folder | Created Date = 5/31/2007 8:40:27 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\SmitfraudFix.exe [Ver = | Size = 878323 bytes | Created Date = 5/31/2007 8:40:25 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\Spybot - Search & Destroy.lnk [Ver = | Size = 933 bytes | Created Date = 5/23/2007 12:27:36 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\temp.tpk [Ver = | Size = 417 bytes | Created Date = 5/16/2007 1:02:39 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\WinPFind [Folder | Created Date = 5/31/2007 10:15:15 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\winpfind.exe [Ver = | Size = 267222 bytes | Created Date = 5/31/2007 10:15:07 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\~$shell.doc [Ver = | Size = 162 bytes | Created Date = 5/23/2007 11:58:55 AM | Attr = H ]
C:\WINDOWS\BDOSCAN8 [Folder | Created Date = 5/25/2007 11:35:00 AM | Attr = ]
C:\WINDOWS\catchme.exe [Ver = | Size = 87040 bytes | Created Date = 5/31/2007 9:33:11 AM | Attr = ]
C:\WINDOWS\erdnt [Folder | Created Date = 5/31/2007 9:24:45 AM | Attr = ]
C:\WINDOWS\LMI14.tmp [Folder | Created Date = 5/23/2007 11:09:46 AM | Attr = ]
C:\WINDOWS\LMI33.tmp [Folder | Created Date = 5/23/2007 12:05:44 PM | Attr = ]
C:\WINDOWS\LMI45.tmp [Folder | Created Date = 5/23/2007 12:10:17 PM | Attr = ]
C:\WINDOWS\LMI46.tmp [Folder | Created Date = 5/16/2007 3:22:45 PM | Attr = ]
C:\WINDOWS\LMI54.tmp [Folder | Created Date = 5/23/2007 12:11:20 PM | Attr = ]
C:\WINDOWS\Minidump [Folder | Created Date = 5/16/2007 3:02:46 PM | Attr = ]
C:\WINDOWS\nircmd.exe NirSoft [Ver = 1.85 | Size = 49152 bytes | Created Date = 5/31/2007 9:33:11 AM | Attr = ]
C:\WINDOWS\pss [Folder | Created Date = 5/23/2007 2:49:56 PM | Attr = ]
C:\WINDOWS\setup.pss [Folder | Created Date = 5/24/2007 1:40:39 PM | Attr = ]
C:\WINDOWS\setupupd [Folder | Created Date = 5/24/2007 1:40:16 PM | Attr = ]
C:\WINDOWS\TEMP [Folder | Created Date = 5/31/2007 9:34:06 AM | Attr = ]
C:\WINDOWS\System32\ActiveScan [Folder | Created Date = 5/25/2007 8:06:35 AM | Attr = ]
C:\WINDOWS\System32\asuninst.exe Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 5/25/2007 8:07:05 AM | Attr = ]
C:\WINDOWS\System32\DRVSTORE [Folder | Created Date = 5/23/2007 12:36:52 PM | Attr = ]
C:\WINDOWS\System32\dumphive.exe [Ver = | Size = 51200 bytes | Created Date = 5/31/2007 10:05:42 AM | Attr = ]
C:\WINDOWS\System32\hccutils.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 102400 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\Help.ico [Ver = | Size = 1406 bytes | Created Date = 5/25/2007 8:06:41 AM | Attr = ]
C:\WINDOWS\System32\hkcmd.exe Intel Corporation [Ver = 6.14.10.4764 | Size = 163840 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxcfg.exe Intel Corporation [Ver = 6.14.10.4764 | Size = 528384 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxCoIn_v4764.dll [Ver = | Size = 204800 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxcpl.cpl Intel Corporation [Ver = 6.14.10.4764 | Size = 122880 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxdev.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 204800 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxdo.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 135168 bytes | Created Date = 5/23/2007 12:36:55 PM | Attr = ]
C:\WINDOWS\System32\igfxexps.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 24576 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxext.exe Intel Corporation [Ver = 6.14.10.4764 | Size = 163840 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxpers.exe Intel Corporation [Ver = 6.14.10.4764 | Size = 135168 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxpph.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 200704 bytes | Created Date = 5/23/2007 12:36:55 PM | Attr = ]
C:\WINDOWS\System32\igfxrara.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 159744 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrchs.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 110592 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrcht.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 110592 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrcsy.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 176128 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrdan.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 172032 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrdeu.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 192512 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrell.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 192512 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrenu.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 172032 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxres.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 172032 bytes | Created Date = 5/23/2007 2:54:07 PM | Attr = ]
C:\WINDOWS\System32\igfxresp.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 188416 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxress.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 3293184 bytes | Created Date = 5/23/2007 12:36:55 PM | Attr = ]
C:\WINDOWS\System32\igfxrfin.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 176128 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrfra.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 184320 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrheb.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 155648 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrhun.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 180224 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrita.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 188416 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrjpn.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 131072 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrkor.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 126976 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrnld.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 188416 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrnor.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 172032 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrplk.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 176128 bytes | Created Date = 5/23/2007 12:36:55 PM | Attr = ]
C:\WINDOWS\System32\igfxrptb.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 180224 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrptg.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 180224 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrrus.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 180224 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrsky.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 176128 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrslv.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 172032 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrsve.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 172032 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrtha.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 163840 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxrtrk.lrc Intel Corporation [Ver = 6.14.10.4764 | Size = 172032 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxsrvc.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 46080 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxsrvc.exe Intel Corporation [Ver = 6.14.10.4764 | Size = 241664 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxtray.exe Intel Corporation [Ver = 6.14.10.4764 | Size = 131072 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igfxzoom.exe Intel Corporation [Ver = 6.14.10.4764 | Size = 163840 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igldev32.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 450560 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\iglicd32.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 2334720 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igxpdv32.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 1563776 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igxpdx32.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 2482688 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igxpgd32.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 149504 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igxprd32.dll Intel Corporation [Ver = 6.14.10.4764 | Size = 57344 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igxpun.exe Intel® Corporation [Ver = 1, 0, 34, 0 | Size = 389120 bytes | Created Date = 5/23/2007 12:36:51 PM | Attr = ]
C:\WINDOWS\System32\igxpxk32.vp [Ver = | Size = 2096 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\igxpxs32.vp [Ver = | Size = 24784 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\IScrNB.bmp [Ver = | Size = 121232 bytes | Created Date = 5/23/2007 12:36:51 PM | Attr = ]
C:\WINDOWS\System32\IScrNBR.bmp [Ver = | Size = 121232 bytes | Created Date = 5/23/2007 12:36:51 PM | Attr = ]
C:\WINDOWS\System32\jvoigfxa.ini [Ver = | Size = 995634 bytes | Created Date = 5/25/2007 8:33:12 AM | Attr = HS]
C:\WINDOWS\System32\Lang [Folder | Created Date = 5/23/2007 12:36:51 PM | Attr = ]
C:\WINDOWS\System32\libeay32.dll The OpenSSL Project, http://www.openssl.org/ [Ver = 0.9.8e | Size = 1040384 bytes | Created Date = 5/16/2007 4:40:12 PM | Attr = ]
C:\WINDOWS\System32\mcrh.tmp [Ver = | Size = 0 bytes | Created Date = 5/16/2007 4:23:56 PM | Attr = ]
C:\WINDOWS\System32\moveex.exe [Ver = | Size = 38400 bytes | Created Date = 5/31/2007 9:33:11 AM | Attr = ]
C:\WINDOWS\System32\NVUNINST.EXE NVIDIA Corporation [Ver = 1 , 0 , 1 , 53 | Size = 208896 bytes | Created Date = 5/23/2007 12:36:03 PM | Attr = ]
C:\WINDOWS\System32\pavas.ico [Ver = | Size = 30590 bytes | Created Date = 5/25/2007 8:06:40 AM | Attr = ]
C:\WINDOWS\System32\Process.exe http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 5/31/2007 10:05:42 AM | Attr = ]
C:\WINDOWS\System32\ReinstallBackups [Folder | Created Date = 5/23/2007 12:36:59 PM | Attr = ]
C:\WINDOWS\System32\SrchSTS.exe S!Ri [Ver = | Size = 288417 bytes | Created Date = 5/31/2007 10:05:42 AM | Attr = ]
C:\WINDOWS\System32\ssleay32.dll The OpenSSL Project, http://www.openssl.org/ [Ver = 0.9.8e | Size = 196608 bytes | Created Date = 5/16/2007 4:40:08 PM | Attr = ]
C:\WINDOWS\System32\swreg.exe SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 5/31/2007 9:33:11 AM | Attr = ]
C:\WINDOWS\System32\swsc.exe SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 5/31/2007 9:33:10 AM | Attr = ]
C:\WINDOWS\System32\swxcacls.exe SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 5/31/2007 9:33:10 AM | Attr = ]
C:\WINDOWS\System32\temp.tpk [Ver = | Size = 321 bytes | Created Date = 5/16/2007 1:10:31 PM | Attr = ]
C:\WINDOWS\System32\Uninstall.ico [Ver = | Size = 2550 bytes | Created Date = 5/25/2007 8:06:41 AM | Attr = ]
C:\WINDOWS\System32\vfind.exe [Ver = | Size = 49152 bytes | Created Date = 5/31/2007 9:33:11 AM | Attr = ]
C:\WINDOWS\System32\ZPORT4AS.dll [Ver = | Size = 11776 bytes | Created Date = 5/25/2007 8:07:05 AM | Attr = ]
C:\WINDOWS\System32\drivers\AvgAsCln.sys GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 5/31/2007 7:58:43 AM | Attr = ]
C:\WINDOWS\System32\drivers\igxpmp32.sys Intel Corporation [Ver = 6.14.10.4764 | Size = 5672032 bytes | Created Date = 5/23/2007 12:36:56 PM | Attr = ]
C:\WINDOWS\System32\drivers\tmcomm.sys Trend Micro Inc. [Ver = 1.5.0.1052 | Size = 76560 bytes | Created Date = 5/25/2007 1:43:50 PM | Attr = ]

»»»»»»»»»»»»»»»»»»»» Files / Folders Modified Within 30 Days »»»»»»»»»»»»»

C:\avenger [Folder | Modified Date = 5/31/2007 11:13:24 AM | Attr = ]
C:\BOOT.BAK [Ver = | Size = 194 bytes | Modified Date = 5/23/2007 5:43:24 PM | Attr = HS]
C:\boot.ini [Ver = | Size = 265 bytes | Modified Date = 5/25/2007 11:46:30 AM | Attr = RHS]
C:\cmdcons [Folder | Modified Date = 5/24/2007 2:41:00 PM | Attr = RHS]
C:\Documents and Settings [Folder | Modified Date = 5/23/2007 1:34:52 PM | Attr = ]
C:\ENTEGRIS.doc [Ver = | Size = 79360 bytes | Modified Date = 5/24/2007 6:10:38 PM | Attr = ]
C:\GSIorders [Folder | Modified Date = 5/14/2007 12:46:02 PM | Attr = ]
C:\Intel [Folder | Modified Date = 5/23/2007 1:36:44 PM | Attr = ]
C:\Materials [Folder | Modified Date = 5/29/2007 7:29:50 PM | Attr = ]
C:\PAM [Folder | Modified Date = 5/9/2007 2:14:52 PM | Attr = ]
C:\Program Files [Folder | Modified Date = 5/31/2007 10:24:30 AM | Attr = ]
C:\QooBox [Folder | Modified Date = 5/31/2007 10:24:26 AM | Attr = ]
C:\swsetup [Folder | Modified Date = 5/23/2007 1:35:24 PM | Attr = ]
C:\System Volume Information [Folder | Modified Date = 5/24/2007 2:32:48 PM | Attr = HS]
C:\TEMP [Folder | Modified Date = 5/31/2007 10:26:24 AM | Attr = ]
C:\video [Folder | Modified Date = 5/23/2007 12:25:28 PM | Attr = ]
C:\videoswsetup [Folder | Modified Date = 5/23/2007 12:23:56 PM | Attr = ]
C:\VundoFix Backups [Folder | Modified Date = 5/25/2007 10:23:48 AM | Attr = ]
C:\WINDOWS [Folder | Modified Date = 5/31/2007 11:13:50 AM | Attr = ]
C:\_OTMoveIt [Folder | Modified Date = 5/31/2007 8:48:44 AM | Attr = ]
C:\~$sterFile.doc [Ver = | Size = 162 bytes | Modified Date = 5/16/2007 2:57:28 PM | Attr = H ]
C:\~$sterPrimer.doc [Ver = | Size = 162 bytes | Modified Date = 5/16/2007 12:50:52 PM | Attr = H ]
C:\~$TEGRIS.doc [Ver = | Size = 162 bytes | Modified Date = 5/24/2007 6:10:38 PM | Attr = H ]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy [Folder | Modified Date = 5/23/2007 1:52:22 PM | Attr = ]
C:\Documents and Settings\molendad\Application Data\.rdr.ini [Ver = | Size = 16 bytes | Modified Date = 5/16/2007 6:43:22 PM | Attr = ]
C:\Documents and Settings\molendad\Application Data\AdobeUM [Folder | Modified Date = 5/29/2007 8:51:30 PM | Attr = ]
C:\Documents and Settings\molendad\Application Data\Microsoft [Folder | Modified Date = 5/16/2007 4:25:28 PM | Attr = S]
C:\Documents and Settings\molendad\Local Settings\Application Data\ApplicationHistory [Folder | Modified Date = 5/31/2007 11:13:50 AM | Attr = ]
C:\Documents and Settings\molendad\Local Settings\Application Data\IconCache.db [Ver = | Size = 3712656 bytes | Modified Date = 5/31/2007 11:11:22 AM | Attr = H ]
C:\Documents and Settings\molendad\Local Settings\Application Data\Identities [Folder | Modified Date = 5/16/2007 6:47:36 PM | Attr = ]
C:\Documents and Settings\molendad\My Documents\My eBooks [Folder | Modified Date = 5/29/2007 8:51:22 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\AVG Anti-Spyware.lnk [Ver = | Size = 849 bytes | Modified Date = 5/31/2007 8:58:46 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\avgas-setup-7.5.0.50.exe [Ver = | Size = 11470608 bytes | Modified Date = 5/31/2007 8:58:14 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\backups [Folder | Modified Date = 5/25/2007 10:05:14 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\bitdefenderlog.html [Ver = | Size = 18957 bytes | Modified Date = 5/29/2007 12:43:38 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\ComboFix.exe [Ver = | Size = 1088077 bytes | Modified Date = 5/31/2007 10:22:22 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\cureit.exe [Ver = | Size = 6428032 bytes | Modified Date = 5/29/2007 12:53:50 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\fix.reg [Ver = | Size = 170 bytes | Modified Date = 5/31/2007 11:09:20 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\HiJackThis_v2.exe Trend Micro Inc. [Ver = 2.00 | Size = 1308216 bytes | Modified Date = 5/25/2007 10:03:36 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\OTMoveIt.exe OldTimer Tools [Ver = 1.0.12.0 | Size = 210432 bytes | Modified Date = 5/31/2007 8:48:22 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\pqremove.com [Ver = | Size = 5180928 bytes | Modified Date = 5/25/2007 2:08:56 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\RegCleaner.lnk [Ver = | Size = 645 bytes | Modified Date = 5/25/2007 2:24:46 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\shell.doc [Ver = | Size = 26624 bytes | Modified Date = 5/23/2007 12:58:56 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\Shortcut to HijackThis.exe.lnk [Ver = | Size = 642 bytes | Modified Date = 5/29/2007 10:44:40 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\SmitfraudFix [Folder | Modified Date = 5/31/2007 11:06:30 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\SmitfraudFix.exe [Ver = | Size = 878323 bytes | Modified Date = 5/31/2007 9:40:26 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\Spybot - Search & Destroy.lnk [Ver = | Size = 933 bytes | Modified Date = 5/23/2007 1:27:38 PM | Attr = ]
C:\Documents and Settings\molendad\Desktop\temp.tpk [Ver = | Size = 417 bytes | Modified Date = 5/23/2007 11:53:58 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\WinPFind [Folder | Modified Date = 5/31/2007 11:15:16 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\winpfind.exe [Ver = | Size = 267222 bytes | Modified Date = 5/31/2007 11:15:08 AM | Attr = ]
C:\Documents and Settings\molendad\Desktop\WSB Order Entry 2003 v1.9G.mdb [Ver = | Size = 8728576 bytes | Modified Date = 5/30/2007 8:29:42 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\molendad\Desktop\WSB Order Entry 2003 v1.9G.mdb:SummaryInformation (88 bytes)
@Alternate Data Stream - C:\Documents and Settings\molendad\Desktop\WSB Order Entry 2003 v1.9G.mdb:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\Documents and Settings\molendad\Desktop\~$shell.doc [Ver = | Size = 162 bytes | Modified Date = 5/23/2007 12:58:56 PM | Attr = H ]
C:\Program Files\Common Files\InstallShield [Folder | Modified Date = 5/23/2007 1:36:16 PM | Attr = ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CCH@Hand Desktop Services.lnk [Ver = | Size = 2411 bytes | Modified Date = 5/31/2007 11:13:04 AM | Attr = ]
C:\WINDOWS\$NtUninstallKB828035$ [Folder | Modified Date = 5/25/2007 9:33:08 AM | Attr = H ]
C:\WINDOWS\$NtUninstallKB828741$ [Folder | Modified Date = 5/25/2007 9:33:12 AM | Attr = H ]
C:\WINDOWS\$NtUninstallKB829558$ [Folder | Modified Date = 5/25/2007 9:33:16 AM | Attr = H ]
C:\WINDOWS\$NtUninstallKB835732$ [Folder | Modified Date = 5/25/2007 9:33:20 AM | Attr = H ]
C:\WINDOWS\$NtUninstallKB837001$ [Folder | Modified Date = 5/25/2007 9:33:24 AM | Attr = H ]
C:\WINDOWS\BDOSCAN8 [Folder | Modified Date = 5/29/2007 12:00:10 PM | Attr = ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 5/31/2007 11:12:20 AM | Attr = S]
C:\WINDOWS\catchme.exe [Ver = | Size = 87040 bytes | Modified Date = 5/28/2007 4:23:12 AM | Attr = ]
C:\WINDOWS\Debug [Folder | Modified Date = 5/31/2007 11:12:26 AM | Attr = ]
C:\WINDOWS\Downloaded Program Files [Folder | Modified Date = 5/31/2007 9:14:02 AM | Attr = S]
C:\WINDOWS\erdnt [Folder | Modified Date = 5/31/2007 10:24:46 AM | Attr = ]
C:\WINDOWS\Help [Folder | Modified Date = 5/23/2007 1:41:36 PM | Attr = ]
C:\WINDOWS\hpbafd.ini [Ver = | Size = 574 bytes | Modified Date = 5/30/2007 8:40:52 PM | Attr = ]
C:\WINDOWS\ime [Folder | Modified Date = 5/25/2007 2:10:04 PM | Attr = ]
C:\WINDOWS\inf [Folder | Modified Date = 5/25/2007 12:35:02 PM | Attr = H ]
C:\WINDOWS\Installer [Folder | Modified Date = 5/30/2007 11:43:58 AM | Attr = HS]
C:\WINDOWS\LMI14.tmp [Folder | Modified Date = 5/23/2007 4:09:58 PM | Attr = ]
C:\WINDOWS\LMI33.tmp [Folder | Modified Date = 5/23/2007 4:09:58 PM | Attr = ]
C:\WINDOWS\LMI45.tmp [Folder | Modified Date = 5/23/2007 1:10:22 PM | Attr = ]
C:\WINDOWS\LMI46.tmp [Folder | Modified Date = 5/16/2007 4:23:30 PM | Attr = ]
C:\WINDOWS\LMI54.tmp [Folder | Modified Date = 5/23/2007 1:11:26 PM | Attr = ]
C:\WINDOWS\Minidump [Folder | Modified Date = 5/29/2007 5:02:12 PM | Attr = ]
C:\WINDOWS\Prefetch [Folder | Modified Date = 5/31/2007 10:33:12 AM | Attr = ]
C:\WINDOWS\pss [Folder | Modified Date = 5/25/2007 11:46:30 AM | Attr = ]
C:\WINDOWS\Registration [Folder | Modified Date = 5/25/2007 3:03:00 PM | Attr = ]
C:\WINDOWS\security [Folder | Modified Date = 5/31/2007 12:50:08 AM | Attr = ]
C:\WINDOWS\setup.pss [Folder | Modified Date = 5/24/2007 2:40:40 PM | Attr = ]
C:\WINDOWS\setupupd [Folder | Modified Date = 5/24/2007 2:40:32 PM | Attr = ]
C:\WINDOWS\SoftwareDistribution [Folder | Modified Date = 5/23/2007 4:11:26 PM | Attr = ]
C:\WINDOWS\system.ini [Ver = | Size = 227 bytes | Modified Date = 5/25/2007 11:46:30 AM | Attr = ]
C:\WINDOWS\system32 [Folder | Modified Date = 5/31/2007 11:11:44 AM | Attr = ]
C:\WINDOWS\Tasks [Folder | Modified Date = 5/31/2007 10:24:44 AM | Attr = S]
C:\WINDOWS\TEMP [Folder | Modified Date = 5/31/2007 11:13:28 AM | Attr = ]
C:\WINDOWS\Web [Folder | Modified Date = 5/23/2007 1:51:10 PM | Attr = R ]
C:\WINDOWS\win.ini [Ver = | Size = 627 bytes | Modified Date = 5/25/2007 11:46:30 AM | Attr = ]
C:\WINDOWS\System32\ActiveScan [Folder | Modified Date = 5/25/2007 2:09:58 PM | Attr = ]
C:\WINDOWS\System32\appmgmt [Folder | Modified Date = 5/23/2007 12:30:02 PM | Attr = ]
C:\WINDOWS\System32\CatRoot [Folder | Modified Date = 5/23/2007 1:43:06 PM | Attr = ]
C:\WINDOWS\System32\CatRoot2 [Folder | Modified Date = 5/25/2007 12:37:00 PM | Attr = ]
C:\WINDOWS\System32\CCM [Folder | Modified Date = 5/25/2007 9:10:56 AM | Attr = ]
C:\WINDOWS\System32\config [Folder | Modified Date = 5/31/2007 10:24:52 AM | Attr = ]
C:\WINDOWS\System32\dllcache [Folder | Modified Date = 5/16/2007 5:37:52 PM | Attr = RHS]
C:\WINDOWS\System32\drivers [Folder | Modified Date = 5/31/2007 11:13:26 AM | Attr = ]
C:\WINDOWS\System32\DRVSTORE [Folder | Modified Date = 5/23/2007 1:36:56 PM | Attr = ]
C:\WINDOWS\System32\Help.ico [Ver = | Size = 1406 bytes | Modified Date = 5/25/2007 1:53:02 PM | Attr = ]
C:\WINDOWS\System32\jvoigfxa.ini [Ver = | Size = 995634 bytes | Modified Date = 5/25/2007 9:33:24 AM | Attr = HS]
C:\WINDOWS\System32\Lang [Folder | Modified Date = 5/23/2007 1:36:52 PM | Attr = ]
C:\WINDOWS\System32\libeay32.dll The OpenSSL Project, http://www.openssl.org/ [Ver = 0.9.8e | Size = 1040384 bytes | Modified Date = 5/16/2007 5:40:14 PM | Attr = ]
C:\WINDOWS\System32\mcrh.tmp [Ver = | Size = 0 bytes | Modified Date = 5/16/2007 5:34:52 PM | Attr = ]
C:\WINDOWS\System32\pavas.ico [Ver = | Size = 30590 bytes | Modified Date = 5/25/2007 1:53:02 PM | Attr = ]
C:\WINDOWS\System32\perfc009.dat [Ver = | Size = 63380 bytes | Modified Date = 5/31/2007 10:27:28 AM | Attr = ]
C:\WINDOWS\System32\perfh009.dat [Ver = | Size = 404432 bytes | Modified Date = 5/31/2007 10:27:28 AM | Attr = ]
C:\WINDOWS\System32\PerfStringBackup.INI [Ver = | Size = 476200 bytes | Modified Date = 5/31/2007 10:27:28 AM | Attr = ]
C:\WINDOWS\System32\ReinstallBackups [Folder | Modified Date = 5/23/2007 1:37:32 PM | Attr = ]
C:\WINDOWS\System32\Restore [Folder | Modified Date = 5/24/2007 2:32:48 PM | Attr = ]
C:\WINDOWS\System32\ssleay32.dll The OpenSSL Project, http://www.openssl.org/ [Ver = 0.9.8e | Size = 196608 bytes | Modified Date = 5/16/2007 5:40:10 PM | Attr = ]
C:\WINDOWS\System32\temp.tpk [Ver = | Size = 321 bytes | Modified Date = 5/16/2007 4:57:56 PM | Attr = ]
C:\WINDOWS\System32\Uninstall.ico [Ver = | Size = 2550 bytes | Modified Date = 5/25/2007 1:53:02 PM | Attr = ]
C:\WINDOWS\System32\wbem [Folder | Modified Date = 5/25/2007 3:06:36 PM | Attr = ]
C:\WINDOWS\System32\wpa.dbl [Ver = | Size = 2206 bytes | Modified Date = 5/31/2007 8:45:26 AM | Attr = ]
C:\WINDOWS\System32\drivers\etc [Folder | Modified Date = 5/31/2007 10:30:54 AM | Attr = ]

»»»»»»»»»»»»»»»»»»»» File String Scan (Non-Microsoft Only) »»»»»
[UPX! , UPX0 , ]C:\Documents and Settings\molendad\Desktop\ComboFix.exe ()
[PEC2 , PECompact2 , ]C:\Documents and Settings\molendad\Desktop\OTMoveIt.exe (OldTimer Tools)
[Thawte Consulting , ]C:\Documents and Settings\molendad\Desktop\pwsnapshot-installer.exe ()
@Alternate Data Stream - C:\Documents and Settings\molendad\Desktop\WSB Order Entry 2003 v1.9G.mdb:SummaryInformation (88 bytes)
@Alternate Data Stream - C:\Documents and Settings\molendad\Desktop\WSB Order Entry 2003 v1.9G.mdb:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
[PECompact2 , qoologic , SAHAgent , ]C:\WINDOWS\lpt$vpn.745 ()
@Alternate Data Stream - C:\WINDOWS\Thumbs.db:encryptable (0 bytes)
[UPX! , UPX0 , ]C:\WINDOWS\tsc.exe (Trend Micro Inc.)
[PECompact2 , qoologic , SAHAgent , ]C:\WINDOWS\VPTNFILE.745 ()
[aspack , UPX! , ]C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)
[UPX! , UPX0 , ]C:\WINDOWS\System32\AUTOITX.DLL (HiddenSoft)
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
[PTech , ]C:\WINDOWS\System32\LegitCheckControl.DLL (Microsoft® Corporation)
[UPX! , UPX0 , ]C:\WINDOWS\System32\SrchSTS.exe (S!Ri)
[winsync , ]C:\WINDOWS\System32\wbdbase.deu ()

< End of report >

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 31 May 2007 - 10:46 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fixit.reg, and save it to your desktop.
Then double-click on the fixit.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4

; Removes the Smitfraud-C CLSID from the SharedTaskScheduler autostart key.
; A quoted value name followed by "=-" deletes that value when the file is merged.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3C49DDAC-3DA4-4743-AF6C-5974FEAF875C}"=-


Restart your pc.
Post a new Hijackthis log in your next reply.
Let me know how your pc is running now.
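A note on why that fix works, with an added example that is not part of the thread and not RichieUK's or SmitfraudFix's code. SharedTaskScheduler is an autostart point: Explorer loads the InprocServer32 DLL of every CLSID listed under that key at logon, which is why Smitfraud-C registers itself there and why deleting the value stops it. Before merging a .reg file that deletes a CLSID from this key, it is worth resolving the CLSID to its DLL and checking the file and its signature, because Windows ships its own entries in the same key (Browseui preloader and Component Categories cache daemon). The PowerShell below does that audit and writes a REGEDIT4 file in the same shape as the fix above for anything that is not a present, validly signed DLL. The output file name sts-review.reg is an assumption, and the script only writes candidates for review; on older systems a catalog-signed Microsoft DLL can report NotSigned, so read the table before merging anything.

```powershell
# Added example, not from the original thread or from SmitfraudFix.
# Audits the SharedTaskScheduler autostart key that fixit.reg above edits:
# every CLSID listed here has its InprocServer32 DLL loaded into Explorer
# at logon, so each one is resolved to its DLL and signature-checked.

function Get-SharedTaskSchedulerAudit {
    $stsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    $props  = Get-ItemProperty -Path $stsKey -ErrorAction Stop

    # Keep only value names shaped like {GUID}; drop the PSPath/PSParentPath noise
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$' } |
        ForEach-Object {
            $clsid = $_.Name
            # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes,
            # so a per-user COM registration is resolved as well
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll    = $null
            $status = 'no-InprocServer32'
            if (Test-Path -Path $inproc) {
                $dll = (Get-ItemProperty -Path $inproc).'(default)'
                if ($dll) {
                    $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                    if (Test-Path -Path $dll) {
                        # Valid / NotSigned / HashMismatch / NotTrusted ...
                        $status = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
                    } else {
                        $status = 'file-missing'
                    }
                }
            }
            New-Object PSObject -Property @{
                CLSID       = $clsid
                Description = $_.Value
                Dll         = $dll
                Signature   = $status
            }
        }
}

function New-RemovalReg {
    param([string[]]$Clsids)
    # Same REGEDIT4 shape as the fix posted above: a quoted value name
    # followed by "=-" deletes that value when the file is merged.
    $lines = @(
        'REGEDIT4'
        ''
        '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]'
    )
    $lines += $Clsids | ForEach-Object { '"{0}"=-' -f $_ }
    return ($lines -join "`r`n") + "`r`n"
}

$audit = Get-SharedTaskSchedulerAudit
$audit | Format-Table CLSID, Signature, Dll, Description -AutoSize

# Anything that is not a present, validly signed DLL becomes a removal
# candidate. Windows ships its own entries here (Browseui preloader,
# Component Categories cache daemon), so review the table before merging.
$suspect = $audit | Where-Object { $_.Signature -ne 'Valid' } | ForEach-Object { $_.CLSID }
if ($suspect) {
    $out = Join-Path $env:USERPROFILE 'Desktop\sts-review.reg'   # assumed output name
    New-RemovalReg -Clsids $suspect | Set-Content -Path $out -Encoding Ascii
    Write-Host "Removal candidates written to $out; check the Dll column before merging."
}
```

Reading the key needs no elevation, but merging the resulting .reg file does, since it edits HKLM. A "file-missing" or "no-InprocServer32" result is itself a sign that an earlier cleanup removed the DLL but left the autostart value behind, which is exactly the state the fixit.reg above clears up.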

#15 nultylynch

nultylynch
  • Topic Starter

  • Members
  • 9 posts

Posted 31 May 2007 - 11:04 AM

Well, the reboot took about 1/4 of the time that it has been taking (on both ends, the shut down and the restart). Furthermore, SpyBot says that SmitFraud is gone!! Thanks so much. Hopefully there's nothing lurking in this latest log. Thanks again.

Here's the new HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:47:11 AM, on 5/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CCH\AtHand\Desktop\Bin\Binnacle.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cscript.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://rivproxy.cch.com:80/array.dll?Get.Routing.Script
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rivproxy.cch.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *cch.com;*.cchgroup.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: CCH@Hand Desktop Services.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search highlighted text on &IRN - file:///C:\Program Files\cch\athand\desktop\bin\SearchIRN.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://inview.cch.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/27f2a2fbcf9d92...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122398466057
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B57C630-AA6E-440D-8D44-D34542E5531A} (SendMail Class) - https://www323.livemeeting.com/etc/static/W...MailObjects.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\Software\..\Telephony: DomainName = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = na.wkglobal.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cch.com,na.wkglobal.com,aspenpubl.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Notes\ntmulti.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WK Endpoint (WKEndpoint) - BMC Software, Inc. - C:\program files\marimba\tuner\Tuner.exe
