Trojandownloader.xs :( [RESOLVED]


  • This topic is locked

#1 memmsy
  • Member
  • 19 posts
Hello, I seem to have trojandownloader.xs. It is manifesting itself by regular popups: one red, telling me I have abebot and trying to direct me to adverts for anti-spyware software, and one blue window telling me I have trojandownloader.xs and directing me to the same website for anti-spyware software. I am also getting the little yellow triangle in my bottom right toolbar which, when clicked, sends me to the same website. Laptop is sluggish.

I have performed....

AVG scan
Spybot Search and Destroy
Trend Micro Scans


All have identified tracking cookies and various bits and bobs. After deletion of these I am still getting all above popups.

I have done a HijackThis log, see below.

Please can you help me? I'm afraid this is all a bit complicated for me! (although the help on your preparation page was really useful)

Thanks in advance

Emma

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:04, on 31/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\AU772C.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\dqbfxwug.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\MSPUB.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\SeUpdateDb.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F3 - REG:win.ini: run=""
O2 - BHO: (no name) - {050AA93A-824E-F9C1-E8DF-00A823677C3C} - C:\WINDOWS\system32\xmecaqxv.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06DBE7F4-86FA-E99B-33A0-040603AB8893} - C:\WINDOWS\system32\mvgnbhyx.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {60E33FEA-6A34-0D3A-1838-07E6A850F864} - C:\WINDOWS\system32\fomefhfr.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ebnssatq] C:\WINDOWS\system32\ebnssatq.exe
O4 - HKLM\..\Run: [adgjofcr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\adgjofcr.dll"
O4 - HKLM\..\Run: [ejpsoeja] C:\WINDOWS\system32\ejpsoeja.exe
O4 - HKLM\..\Run: [opongjel] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\opongjel.dll"
O4 - HKLM\..\Run: [dqbfxwug] C:\WINDOWS\system32\dqbfxwug.exe
O4 - HKLM\..\Run: [zopajkti] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zopajkti.dll"
O4 - HKLM\..\Policies\Explorer\Run: [1W8n5Hj86j] C:\WINDOWS\system32\winver.exe
O4 - HKUS\S-1-5-21-2078796503-1146995754-3289227676-1161\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c (User '?')
O4 - HKUS\S-1-5-21-2078796503-1146995754-3289227676-1161\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User '?')
O4 - HKUS\S-1-5-21-2078796503-1146995754-3289227676-1200\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: ZyWALL VPN Client.lnk = C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://cfgmsbserver...emote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GMCF.local
O17 - HKLM\Software\..\Telephony: DomainName = GMCF.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GMCF.local
O20 - Winlogon Notify: winvyl32 - C:\WINDOWS\SYSTEM32\winvyl32.dll
O21 - SSODL: RamCD - {e2a933b6-c2ce-4303-9f3d-85480bb58a9d} - C:\WINDOWS\Installer\{e2a933b6-c2ce-4303-9f3d-85480bb58a9d}\RamCD.dll
O21 - SSODL: RamChk - {f573a43d-3168-4074-be9d-80dde7125ab9} - C:\WINDOWS\Installer\{f573a43d-3168-4074-be9d-80dde7125ab9}\RamChk.dll
O21 - SSODL: CDChk - {c862cc93-6717-4493-bb98-8b8a5fe7d87e} - C:\WINDOWS\Installer\{c862cc93-6717-4493-bb98-8b8a5fe7d87e}\CDChk.dll
O21 - SSODL: WinDrv - {98ced6e5-a062-450e-80fd-470c86fd1f4a} - C:\WINDOWS\Installer\{98ced6e5-a062-450e-80fd-470c86fd1f4a}\WinDrv.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\cfsb.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/cfgeca/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - http://www.bjork.com...dwaldman_01.jpg

--
End of file - 12178 bytes
#2 Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

Please download RUNSCANNER to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
  • Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right clicking and selecting send to Zip file

Then upload that as an attachment in your next post.

#3 memmsy
  • Topic Starter
  • Member
  • 19 posts
Hi Rorschach112, thank you so much for your help and reply. It's nice to think I'm going to get this sorted out!

Zip file attached.

Emma


#4 Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

Download the zipped attachment at the end of this post (this will be your runscanner as fixed by me).

  • Unzip it to your desktop then double click the runscanner icon this will run the program.
  • Click on the "Item Fixer" tab
  • You will notice several entries with a tick in red, click Fix checked.
  • Accept the warning, then repeat until they are all gone.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\windows\system32\ebnssatq.exe
    c:\windows\system32\ejpsoeja.exe
    c:\windows\system32\dqbfxwug.exe
    c:\windows\system32\txrxdaer.exe
    c:\windows\system32\ssqqjcrp.dll
    c:\windows\system32\xmecaqxv.dll
    c:\windows\system32\mvgnbhyx.dll
    c:\windows\system32\slwslbpz.dll
    c:\windows\system32\fomefhfr.dll
    c:\windows\installer\{e2a933b6-c2ce-4303-9f3d-85480bb58a9d}
    c:\windows\installer\{f573a43d-3168-4074-be9d-80dde7125ab9}
    c:\windows\installer\{c862cc93-6717-4493-bb98-8b8a5fe7d87e}
    c:\windows\installer\{98ced6e5-a062-450e-80fd-470c86fd1f4a}
    c:\windows\installer\{704eb042-147a-4594-b2c2-005bd2c7930b}
    C:\WINDOWS\system32\ssqqjcrp.dll
    C:\WINDOWS\system32\winvyl32.dll
    c:\windows\system32\n65kfn3y.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.


Reboot and do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

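As an added example (not part of this thread, and not a tool the helpers here use), the Python script below applies the triage rules a log reader applies to HijackThis output like the log in post #1 to pick out the entries the fix list above targets: a Run value whose name is the same random eight-letter string as its file, regsvr32 /u entries in Run keys, unnamed BHOs in system32, a non-empty win.ini run= value, non-default Winlogon Notify DLLs, SSODL components under C:\WINDOWS\Installer\{GUID}, and entries pointing at missing files. The sample lines are constructed from entries in this thread; the severities and rule wording are the example's own, and the rules are heuristics for a human to confirm, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines modelled on the HijackThis logs in this
# thread (not the full log), mixing legitimate and suspect entries.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {050AA93A-824E-F9C1-E8DF-00A823677C3C} - C:\WINDOWS\system32\xmecaqxv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ebnssatq] C:\WINDOWS\system32\ebnssatq.exe
O4 - HKLM\..\Run: [adgjofcr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\adgjofcr.dll"
O4 - HKLM\..\Policies\Explorer\Run: [1W8n5Hj86j] C:\WINDOWS\system32\winver.exe
O20 - Winlogon Notify: winvyl32 - C:\WINDOWS\SYSTEM32\winvyl32.dll
O21 - SSODL: RamCD - {e2a933b6-c2ce-4303-9f3d-85480bb58a9d} - C:\WINDOWS\Installer\{e2a933b6-c2ce-4303-9f3d-85480bb58a9d}\RamCD.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\cfsb.exe (file missing)
"""

# The thread's suspect files all use exactly eight lowercase letters (ebnssatq,
# xmecaqxv, adgjofcr, ...); legitimate vendors use descriptive Run value names.
RANDOM_STEM = re.compile(r"[a-z]{8}")
# SSODL component DLLs living under C:\WINDOWS\Installer\{GUID}\ as in the O21 lines.
INSTALLER_GUID_DIR = re.compile(r"\\Installer\\\{[0-9a-f-]{36}\}\\", re.I)
# First quoted path, or the first unquoted drive path ending in .exe/.dll.
PATH_IN_COMMAND = re.compile(r'"([^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll))', re.I)


@dataclass
class Finding:
    severity: str  # "suspicious" (fix candidate) or "review" (needs a human look)
    reason: str
    line: str


def stem_of(path: str) -> str:
    """File name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage_line(line: str) -> list:
    """Return the Findings for one HijackThis log line (empty if nothing stands out)."""
    line = line.strip()
    if " - " not in line:
        return []
    section, rest = line.split(" - ", 1)
    missing = line.endswith("(file missing)")
    out = []
    if section == "F3":
        # win.ini run= is a legacy autostart; the first log had run="" (empty).
        m = re.search(r'run="([^"]*)"', rest)
        if m and m.group(1):
            out.append(Finding("suspicious", "win.ini run= loads an executable at logon", line))
    elif section == "O2":
        path = rest.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
        if "(no name)" in rest and "\\system32\\" in path.lower() and RANDOM_STEM.fullmatch(stem_of(path).lower()):
            out.append(Finding("suspicious", "unnamed BHO with a random 8-letter name in system32", line))
        if missing:
            out.append(Finding("review", "BHO registration points to a missing file", line))
    elif section == "O4":
        if "Policies\\Explorer\\Run" in rest:
            out.append(Finding("review", "Run entry under the Policies key", line))
        m = re.search(r"\[([^\]]+)\]\s*(.*)", rest)
        if m:
            name, cmd = m.group(1), m.group(2)
            pm = PATH_IN_COMMAND.search(cmd)
            stem = stem_of(pm.group(1) or pm.group(2)) if pm else ""
            if cmd.lower().startswith("regsvr32 /u"):
                out.append(Finding("suspicious", "regsvr32 /u of a DLL at every logon", line))
            elif name == stem and RANDOM_STEM.fullmatch(stem):
                out.append(Finding("suspicious", "Run value name equals a random 8-letter file name", line))
    elif section == "O20" and rest.startswith("Winlogon Notify:"):
        out.append(Finding("review", "non-default Winlogon Notify DLL loaded into winlogon.exe", line))
    elif section == "O21" and INSTALLER_GUID_DIR.search(rest):
        out.append(Finding("suspicious", "SSODL component DLL under C:\\WINDOWS\\Installer\\{GUID}", line))
    elif section == "O23" and missing:
        out.append(Finding("review", "service points to a missing binary", line))
    return out


def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and collect the Findings."""
    return [f for line in text.strip().splitlines() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.reason}\n    {f.line}")
```

Entries the rules leave alone (the Adobe BHO, Spybot's SDHelper.dll, IgfxTray, the Intel service) are the normal case; the helper in this thread still caught svhost32.exe by eye, which no pattern here covers.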

#5 memmsy
  • Topic Starter
  • Member
  • 19 posts
OK. Bit of a stumbling block, as OTMoveIt2 crashed after several attempts. I wrote down the results as it would not allow me to copy... so there may be some spaces in the wrong places...

File\FolderC:\windows\system32\ebnssatq.exe not found
File\FolderC:\windows\system32\ejpsoeja.exe not found
File\FolderC:\windows\system32\dqbfxwug.exe not found
File\FolderC:\windows\system32\txrxdaer.exe not found

DllUnregiesterserverprocedure not found in
C:\windows\system32\ssqqjcrp.dll
C:\windows\system32\ssqqjcrp.dll NOT unregistered
C:\windows\system32\ssqqjcrp.dll scheduled to be moved on reboot.

Did a reboot, all a bit slow and clunky... then below are the main.txt and the extra.txt

Thanks!


Deckard's System Scanner v20071014.68
Run by cfgeca on 2008-04-01 13:25:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
42: 2008-04-01 12:25:50 UTC - RP434 - Deckard's System Scanner Restore Point
41: 2008-03-31 11:29:03 UTC - RP433 - System Checkpoint
40: 2008-03-27 11:00:50 UTC - RP432 - Installed Ad-Aware 2007
39: 2008-03-25 12:49:20 UTC - RP431 - System Checkpoint
38: 2008-03-20 12:47:12 UTC - RP430 - System Checkpoint


-- First Restore Point --
1: 2008-01-02 08:16:23 UTC - RP393 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as cfgeca.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:30:16, on 01/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\VU5BBE.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\cfgeca\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cfgeca.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\ssqQJCrp.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CE0FBE2B-A420-4F1C-9F72-7E2C2685E62E} - C:\WINDOWS\system32\mlJCUMGA.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [adgjofcr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\adgjofcr.dll"
O4 - HKLM\..\Run: [opongjel] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\opongjel.dll"
O4 - HKLM\..\Run: [zopajkti] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zopajkti.dll"
O4 - HKLM\..\Run: [ryhkncpq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll"
O4 - HKLM\..\Policies\Explorer\Run: [1W8n5Hj86j] C:\WINDOWS\system32\winver.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: ZyWALL VPN Client.lnk = C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://cfgmsbserver...emote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GMCF.local
O17 - HKLM\Software\..\Telephony: DomainName = GMCF.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GMCF.local
O20 - Winlogon Notify: ssqQJCrp - C:\WINDOWS\SYSTEM32\ssqQJCrp.dll
O20 - Winlogon Notify: winvyl32 - C:\WINDOWS\SYSTEM32\winvyl32.dll
O21 - SSODL: MonDrive - {704eb042-147a-4594-b2c2-005bd2c7930b} - C:\WINDOWS\Installer\{704eb042-147a-4594-b2c2-005bd2c7930b}\MonDrive.dll
O21 - SSODL: RamChk - {f573a43d-3168-4074-be9d-80dde7125ab9} - C:\WINDOWS\Installer\{f573a43d-3168-4074-be9d-80dde7125ab9}\RamChk.dll
O21 - SSODL: CDChk - {c862cc93-6717-4493-bb98-8b8a5fe7d87e} - C:\WINDOWS\Installer\{c862cc93-6717-4493-bb98-8b8a5fe7d87e}\CDChk.dll
O21 - SSODL: WinDrv - {98ced6e5-a062-450e-80fd-470c86fd1f4a} - C:\WINDOWS\Installer\{98ced6e5-a062-450e-80fd-470c86fd1f4a}\WinDrv.dll
O21 - SSODL: RamCD - {e2a933b6-c2ce-4303-9f3d-85480bb58a9d} - C:\WINDOWS\Installer\{e2a933b6-c2ce-4303-9f3d-85480bb58a9d}\RamCD.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11218 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
R2 Crypto - c:\windows\system32\drivers\crypto.sys <Not Verified; SafeNet; SafeNet CSP>
R2 IPSECDRV (SafeNet IPSec Plugin) - c:\windows\system32\drivers\ipsecdrv.sys <Not Verified; SafeNet; SafeNet VPN Client>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 TM_CFW (Common Firewall Driver) - c:\program files\trend micro\client server security agent\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Common Firewall Module 1.2>

S3 SE27mgmt (Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se27mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Device Management>
S3 se27nd5 (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)) - c:\windows\system32\drivers\se27nd5.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 SE27obex (Sony Ericsson Device 039 USB WMC OBEX Interface) - c:\windows\system32\drivers\se27obex.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC OBEX Interface>
S3 se27unic (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)) - c:\windows\system32\drivers\se27unic.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
R2 IPSECMON (SafeNet Monitor Service) - "c:\program files\zyxel\zywall vpn client\ipsecmon.exe" <Not Verified; SafeNet; SafeNet VPN Client>
R2 IREIKE (SafeNet IKE Service) - "c:\program files\zyxel\zywall vpn client\ireike.exe" <Not Verified; SafeNet; SafeNet VPN Client>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 OfcPfwSvc (Trend Micro Client/Server Security Agent Personal Firewall) - c:\program files\trend micro\client server security agent\ofcpfwsvc.exe <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27228086&REV_05\4&2FA23535&0&18F0
Manufacturer: Intel® Corporation
Name: Intel® PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27228086&REV_05\4&2FA23535&0&18F0
Service: w29n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: ROOT\NET\0000
Manufacturer: WIDCOMM, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: ROOT\NET\0000
Service: BTWDNDIS


-- Files created between 2008-03-01 and 2008-04-01 -----------------------------

2008-04-01 12:37:58 6555 --ahs---- C:\WINDOWS\system32\AGMUCJlm.ini2
2008-04-01 12:37:52 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll
2008-04-01 09:34:18 118784 --a------ C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll
2008-04-01 09:34:09 118784 --a------ C:\WINDOWS\system32\slwslbpz.dll
2008-04-01 09:32:35 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll
2008-03-28 10:43:22 98304 --a------ C:\Documents and Settings\All Users\Application Data\zopajkti.dll
2008-03-28 10:43:21 98304 --a------ C:\WINDOWS\system32\mvgnbhyx.dll
2008-03-27 17:18:06 0 d-------- C:\Program Files\PC-Cleaner
2008-03-27 14:07:03 131072 --a------ C:\Documents and Settings\All Users\Application Data\opongjel.dll
2008-03-27 14:07:02 131072 --a------ C:\WINDOWS\system32\fomefhfr.dll
2008-03-27 13:26:46 0 d-------- C:\Program Files\AvantGo Connect
2008-03-27 13:25:58 65613 --a------ C:\WINDOWS\system32\ppvexp.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:57 24652 --a------ C:\WINDOWS\system32\uicom.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 65615 --a------ C:\WINDOWS\system32\pmailext.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 57423 --a------ C:\WINDOWS\system32\MsgStRPC.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 114688 --a------ C:\WINDOWS\system32\malslib.dll <Not Verified; AvantGo, Inc.; AvantGo Connect>
2008-03-27 13:25:56 77899 --a------ C:\WINDOWS\system32\rapi.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 36942 --a------ C:\WINDOWS\system32\ppcload.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 24653 --a------ C:\WINDOWS\system32\ceutil.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 12:32:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 11:30:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-26 15:21:26 0 d-------- C:\Documents and Settings\cfgeca\.housecall6.6
2008-03-26 11:52:43 102400 --a------ C:\WINDOWS\system32\xmecaqxv.dll
2008-03-26 11:52:43 102400 --a------ C:\Documents and Settings\All Users\Application Data\adgjofcr.dll
2008-03-26 11:21:09 25600 --a------ C:\WINDOWS\system32\winvyl32.dll
2008-03-26 11:21:05 25600 --a------ C:\WINDOWS\system32\winfiz32.dll
2008-03-19 11:01:32 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Datalayer
2008-03-17 12:57:48 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-17 12:57:17 0 d-------- C:\Program Files\Real
2008-03-17 12:57:12 0 d-------- C:\Program Files\Common Files\Real
2008-03-17 12:57:11 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Real
2008-03-03 10:33:46 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-02 13:01:02 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Nokia
2008-03-02 13:00:13 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-02 12:59:48 0 d-------- C:\Program Files\DIFX
2008-03-02 12:59:43 0 d-------- C:\Documents and Settings\cfgeca\Application Data\PC Suite
2008-03-02 12:59:29 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-02 12:58:52 0 d-------- C:\Program Files\Nokia
2008-03-02 12:54:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations


-- Find3M Report ---------------------------------------------------------------

2008-04-01 13:11:59 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-03-31 12:43:29 0 d-------- C:\Program Files\Trend Micro
2008-03-27 14:21:05 0 d-------- C:\Program Files\Common Files
2008-03-27 14:21:01 0 d-------- C:\Program Files\Lavasoft
2008-03-27 13:26:48 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-25 12:30:37 0 d-------- C:\Documents and Settings\cfgeca\Application Data\AdobeUM
2008-03-02 13:00:15 0 d-------- C:\Program Files\Common Files\PCSuite
2008-03-02 12:58:16 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}]
01/04/2008 09:32 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE0FBE2B-A420-4F1C-9F72-7E2C2685E62E}]
01/04/2008 12:37 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [23/08/2007 11:09]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/08/2007 10:51]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/08/2007 11:16]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [23/08/2007 11:09]
"@"="" []
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [30/10/2004 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [23/08/2007 11:09]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 08:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 01:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [24/08/2007 09:21]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04/08/2004 05:00]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 05:00 C:\WINDOWS\system32\bthprops.cpl]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 18:17]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [06/08/2005 19:45]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [29/03/2007 08:10]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [28/11/2006 15:12]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [17/03/2008 12:57]
"adgjofcr"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\adgjofcr.dll" []
"opongjel"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\opongjel.dll" []
"zopajkti"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\zopajkti.dll" []
"ryhkncpq"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 01:19:50]
BTTray.lnk - C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe [16/08/2004 19:52:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [08/08/2005 10:55:22]
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [03/02/2000 01:11:00]
ZyWALL VPN Client.lnk - C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe [14/12/2006 15:49:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"1W8n5Hj86j"=C:\WINDOWS\system32\winver.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}"= C:\WINDOWS\system32\ssqQJCrp.dll [01/04/2008 09:32 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MonDrive"= {704eb042-147a-4594-b2c2-005bd2c7930b} - C:\WINDOWS\Installer\{704eb042-147a-4594-b2c2-005bd2c7930b}\MonDrive.dll [01/04/2008 09:33 14374]
"RamChk"= {f573a43d-3168-4074-be9d-80dde7125ab9} - C:\WINDOWS\Installer\{f573a43d-3168-4074-be9d-80dde7125ab9}\RamChk.dll [27/03/2008 10:39 14374]
"CDChk"= {c862cc93-6717-4493-bb98-8b8a5fe7d87e} - C:\WINDOWS\Installer\{c862cc93-6717-4493-bb98-8b8a5fe7d87e}\CDChk.dll [27/03/2008 14:07 14374]
"WinDrv"= {98ced6e5-a062-450e-80fd-470c86fd1f4a} - C:\WINDOWS\Installer\{98ced6e5-a062-450e-80fd-470c86fd1f4a}\WinDrv.dll [28/03/2008 10:43 14374]
"RamCD"= {e2a933b6-c2ce-4303-9f3d-85480bb58a9d} - C:\WINDOWS\Installer\{e2a933b6-c2ce-4303-9f3d-85480bb58a9d}\RamCD.dll [26/03/2008 11:52 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQJCrp]
ssqQJCrp.dll 01/04/2008 09:32 40448 C:\WINDOWS\system32\ssqQJCrp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winvyl32]
winvyl32.dll 26/03/2008 11:21 25600 C:\WINDOWS\system32\winvyl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJCUMGA

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-04-01 13:33:39 ------------

administrator.CFGM (admin)
marienne (new local, admin)
locad (admin)
__sbs_netsetup__ (new local, admin)
Administrator (admin)
marienne.CFGMSBS (admin)
emma (admin)
administrator.CFGMSBS (admin)
cfgeca (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 Beta --> MsiExec.exe /X{25081482-E242-4FE3-B552-FDC8BA88C90E}
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
Broadcom Advanced Control Suite 2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{64A77F14-0E08-4A97-A859-E93CFF428756} /l1033
Broadcom ASF Management Applications --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{25D24E84-64A9-40D2-85CF-540B1C4A6D52} /l1033
Broadcom Gigabit Integrated Controller --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft ActiveSync 3.8 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft MapPoint Europe 2004 --> MsiExec.exe /I{8704D51E-25B7-4F23-81E7-AA4F54790240}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mToolkit --> MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Nokia Connectivity Cable Driver --> MsiExec.exe /X{3BFFC6B8-4EC0-4240-858C-998FD4077983}
Nokia PC Suite --> MsiExec.exe /I{02091327-B124-4216-9D71-58C0E24F5392}
PC Connectivity Solution --> MsiExec.exe /I{04F3BF74-9E34-4D3E-93C3-D3D1F24199C8}
PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Shadow Copy Client --> MsiExec.exe /I{23E5032B-56CA-4C19-A72E-B50161DB82CA}
Sitecom Bluetooth Software --> MsiExec.exe /X{90535871-81B9-4D99-8A13-A7EE97F2D7FE}
SmarterMail Sync for Outlook --> MsiExec.exe /X{6567F265-62EC-4BA9-9629-6B483B608854}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! Plus --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sony Ericsson PC Suite 1.20.224 --> MsiExec.exe /I{7689CA7A-1270-425A-9959-EB4CB25EA29A}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SyncThru --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Samsung Network Printer Utilities\SyncThru\Uninst.isu" -c"C:\Program Files\Samsung Network Printer Utilities\SyncThru\_Uninst.dll"
Trend Micro Client/Server Security Agent --> "C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe"
UltraVNC v1.0.1 --> "C:\Program Files\UltraVNC\unins000.exe"
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Xerox Support Centre --> C:\Program Files\Xerox\Support Centre\supportuninstall.exe
ZyWALL VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\ZyXEL\ZyWALL VPN Client\Setup\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type7134 / Error
Event Submitted/Written: 04/01/2008 01:21:47 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126637809.

Event Record #/Type7133 / Error
Event Submitted/Written: 04/01/2008 01:21:22 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7126 / Error
Event Submitted/Written: 04/01/2008 01:10:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application OTMoveIt2.exe, version 1.0.21.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7125 / Error
Event Submitted/Written: 04/01/2008 00:27:50 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application OTMoveIt2.exe, version 1.0.21.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7124 / Error
Event Submitted/Written: 04/01/2008 00:25:48 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application OTMoveIt2.exe, version 1.0.21.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type42529 / Error
Event Submitted/Written: 04/01/2008 01:11:16 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Event Record #/Type42524 / Error
Event Submitted/Written: 04/01/2008 00:00:00 PM
Event ID/Source: 7901 / Schedule
Event Description:
The At13.job command failed to start due to the following error:
%%2147942405

Event Record #/Type42523 / Error
Event Submitted/Written: 04/01/2008 11:00:00 AM
Event ID/Source: 7901 / Schedule
Event Description:
The At12.job command failed to start due to the following error:
%%2147942405

Event Record #/Type42522 / Warning
Event Submitted/Written: 04/01/2008 10:20:44 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type42521 / Warning
Event Submitted/Written: 04/01/2008 10:20:41 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.



-- End of Deckard's System Scanner: finished at 2008-04-01 13:33:39 ------------
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.


Reboot and post a new DSS log.
  • 0

#7
memmsy

memmsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hello, the fix is on hold right now as I seem to be unable to log on in Safe Mode. I am waiting to hear back from IT support to see if I can get an admin password.

Thanks so far.
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok, if you can't get into Safe Mode we can try to fix it from Normal Mode.

Let me know
  • 0

#9
memmsy

memmsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Morning Rorschach. Still no word from IT; please can you help me try to fix it in normal mode, as the computer has slowed down A LOT and I'm getting more pop-ups and it's almost too much to bear!

Emma :)
  • 0

#10
memmsy

memmsy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
OK, IT did the SmitfraudFix while I was out of the office; logs are below. Hope this is getting us closer!

Emma

SmitFraudFix v2.309

Scan done at 14:33:06.81, 02/04/2008
Run from C:\Documents and Settings\cfgeca\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\Installer\{704eb042-147a-4594-b2c2-005bd2c7930b}\MonDrive.dll deleted
C:\WINDOWS\Installer\{f573a43d-3168-4074-be9d-80dde7125ab9}\RamChk.dll deleted
C:\WINDOWS\Installer\{c862cc93-6717-4493-bb98-8b8a5fe7d87e}\CDChk.dll deleted
C:\WINDOWS\Installer\{98ced6e5-a062-450e-80fd-470c86fd1f4a}\WinDrv.dll deleted
C:\WINDOWS\Installer\{e2a933b6-c2ce-4303-9f3d-85480bb58a9d}\RamCD.dll deleted


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{384F0137-0839-4F47-91E6-B126C28365AB}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{384F0137-0839-4F47-91E6-B126C28365AB}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{384F0137-0839-4F47-91E6-B126C28365AB}: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Deckard's System Scanner v20071014.68
Run by cfgeca on 2008-04-02 16:12:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as cfgeca.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15:16, on 02/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\WEE54C.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\cfgeca\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cfgeca.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {4d8f8ce9-25d6-5869-20f4-734c2f064591} - {195460f2-c437-4f02-9685-6d529ec8f8d4} - C:\WINDOWS\system32\ovmlqwsh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\ssqQJCrp.dll
O2 - BHO: (no name) - {A53347AE-3D93-4002-828F-E1AC8BB58A60} - C:\WINDOWS\system32\mlJCUMGA.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Policies\Explorer\Run: [1W8n5Hj86j] C:\WINDOWS\system32\winver.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: ZyWALL VPN Client.lnk = C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://cfgmsbserver...emote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GMCF.local
O17 - HKLM\Software\..\Telephony: DomainName = GMCF.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GMCF.local
O20 - Winlogon Notify: ssqQJCrp - C:\WINDOWS\SYSTEM32\ssqQJCrp.dll
O20 - Winlogon Notify: winvyl32 - C:\WINDOWS\SYSTEM32\winvyl32.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9850 bytes

-- Files created between 2008-03-02 and 2008-04-02 -----------------------------

2008-04-02 14:33:24 3860 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 14:32:23 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-02 14:32:23 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-02 14:32:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-02 14:32:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-02 14:32:23 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-02 14:32:23 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-02 14:32:23 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\Templates
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\Start Menu
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\SendTo
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\Recent
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\PrintHood
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\NetHood
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\My Documents
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\Local Settings
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\Favorites
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Desktop
2008-04-02 14:21:55 0 d---s---- C:\Documents and Settings\administrator.GMCF\Cookies
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\Application Data
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Sun
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Sonic
2008-04-02 14:21:55 0 d---s---- C:\Documents and Settings\administrator.GMCF\Application Data\Microsoft
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Intel
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Identities
2008-04-02 14:21:54 786432 --ah----- C:\Documents and Settings\administrator.GMCF\NTUSER.DAT
2008-04-02 09:45:54 90688 --a------ C:\WINDOWS\system32\ovmlqwsh.dll
2008-04-02 09:43:39 85568 --a------ C:\WINDOWS\system32\ofsymwnl.dll
2008-04-02 09:34:08 88128 --a------ C:\WINDOWS\system32\mbqkgfsb.dll
2008-04-01 12:37:58 251943 --ahs---- C:\WINDOWS\system32\AGMUCJlm.ini2
2008-04-01 12:37:52 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll
2008-04-01 09:34:18 118784 --a------ C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll
2008-04-01 09:34:09 118784 --a------ C:\WINDOWS\system32\slwslbpz.dll
2008-04-01 09:32:35 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll
2008-03-28 10:43:22 98304 --a------ C:\Documents and Settings\All Users\Application Data\zopajkti.dll
2008-03-28 10:43:21 98304 --a------ C:\WINDOWS\system32\mvgnbhyx.dll
2008-03-27 17:18:06 0 d-------- C:\Program Files\PC-Cleaner
2008-03-27 14:07:03 131072 --a------ C:\Documents and Settings\All Users\Application Data\opongjel.dll
2008-03-27 14:07:02 131072 --a------ C:\WINDOWS\system32\fomefhfr.dll
2008-03-27 13:26:46 0 d-------- C:\Program Files\AvantGo Connect
2008-03-27 13:25:58 65613 --a------ C:\WINDOWS\system32\ppvexp.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:57 24652 --a------ C:\WINDOWS\system32\uicom.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 65615 --a------ C:\WINDOWS\system32\pmailext.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 57423 --a------ C:\WINDOWS\system32\MsgStRPC.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 114688 --a------ C:\WINDOWS\system32\malslib.dll <Not Verified; AvantGo, Inc.; AvantGo Connect>
2008-03-27 13:25:56 77899 --a------ C:\WINDOWS\system32\rapi.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 36942 --a------ C:\WINDOWS\system32\ppcload.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 24653 --a------ C:\WINDOWS\system32\ceutil.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 12:32:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 11:30:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-26 15:21:26 0 d-------- C:\Documents and Settings\cfgeca\.housecall6.6
2008-03-26 11:52:43 102400 --a------ C:\WINDOWS\system32\xmecaqxv.dll
2008-03-26 11:52:43 102400 --a------ C:\Documents and Settings\All Users\Application Data\adgjofcr.dll
2008-03-26 11:21:09 25600 --a------ C:\WINDOWS\system32\winvyl32.dll
2008-03-26 11:21:05 25600 --a------ C:\WINDOWS\system32\winfiz32.dll
2008-03-19 11:01:32 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Datalayer
2008-03-17 12:57:48 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-17 12:57:17 0 d-------- C:\Program Files\Real
2008-03-17 12:57:12 0 d-------- C:\Program Files\Common Files\Real
2008-03-17 12:57:11 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Real
2008-03-03 10:33:46 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-02 13:01:02 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Nokia
2008-03-02 13:00:13 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-02 12:59:48 0 d-------- C:\Program Files\DIFX
2008-03-02 12:59:43 0 d-------- C:\Documents and Settings\cfgeca\Application Data\PC Suite
2008-03-02 12:59:29 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-02 12:58:52 0 d-------- C:\Program Files\Nokia
2008-03-02 12:54:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations


-- Find3M Report ---------------------------------------------------------------

2008-04-02 14:20:01 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-03-31 12:43:29 0 d-------- C:\Program Files\Trend Micro
2008-03-27 14:21:05 0 d-------- C:\Program Files\Common Files
2008-03-27 14:21:01 0 d-------- C:\Program Files\Lavasoft
2008-03-27 13:26:48 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-25 12:30:37 0 d-------- C:\Documents and Settings\cfgeca\Application Data\AdobeUM
2008-03-02 13:00:15 0 d-------- C:\Program Files\Common Files\PCSuite
2008-03-02 12:58:16 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{195460f2-c437-4f02-9685-6d529ec8f8d4}]
02/04/2008 09:45 90688 --a------ C:\WINDOWS\system32\ovmlqwsh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}]
01/04/2008 09:32 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A53347AE-3D93-4002-828F-E1AC8BB58A60}]
01/04/2008 12:37 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [23/08/2007 11:09]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/08/2007 10:51]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/08/2007 11:16]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [23/08/2007 11:09]
"@"="" []
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [30/10/2004 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [23/08/2007 11:09]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 08:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 01:01]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04/08/2004 05:00]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 05:00 C:\WINDOWS\system32\bthprops.cpl]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 18:17]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [06/08/2005 19:45]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [29/03/2007 08:10]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [28/11/2006 15:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 01:19:50]
BTTray.lnk - C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe [16/08/2004 19:52:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [08/08/2005 10:55:22]
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [03/02/2000 01:11:00]
ZyWALL VPN Client.lnk - C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe [14/12/2006 15:49:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"1W8n5Hj86j"=C:\WINDOWS\system32\winver.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}"= C:\WINDOWS\system32\ssqQJCrp.dll [01/04/2008 09:32 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQJCrp]
ssqQJCrp.dll 01/04/2008 09:32 40448 C:\WINDOWS\system32\ssqQJCrp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winvyl32]
winvyl32.dll 26/03/2008 11:21 25600 C:\WINDOWS\system32\winvyl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJCUMGA

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-04-02 16:20:44 ------------
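The DSS registry dump above shows the same few DLLs wired into several load points at once: Browser Helper Objects in IE, Winlogon Notify (loaded into winlogon.exe), a ShellExecuteHook, a Run key under Policies\Explorer, and the LSA "Authentication Packages" list (mlJCUMGA, loaded into lsass.exe at boot). A module mapped into lsass.exe or winlogon.exe is locked for as long as the session is up, which is why an ordinary scanner running inside Windows can report the file but not delete it. The script below is an added example by the editor, not code from the forum post, from Trend Micro HijackThis or from Deckard's System Scanner: it re-reads HijackThis-style log lines and flags the patterns a responder would look at first. The sample lines are copied from the logs above; the heuristics (an 8-character, low-vowel file name under system32, a one-letter rundll32 export, regsvr32 /u in a Run key, anything under Policies\Explorer\Run, any LSA package beyond msv1_0) are assumptions to tune, not signatures.

```python
"""Triage HijackThis/DSS log lines for the persistence patterns in this thread.

Added example (editor's own), not part of the forum post or of HijackThis/DSS.
All heuristics are assumptions; legitimate software can trip them.
"""
import re

# Constructed sample: lines copied from the HijackThis/DSS output posted above.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: {4d8f8ce9-25d6-5869-20f4-734c2f064591} - {195460f2-c437-4f02-9685-6d529ec8f8d4} - C:\\WINDOWS\\system32\\ovmlqwsh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\\WINDOWS\\system32\\ssqQJCrp.dll
O4 - HKLM\\..\\Run: [Apoint] C:\\Program Files\\Apoint\\Apoint.exe
O4 - HKLM\\..\\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\\..\\Run: [a8dc03c1] rundll32.exe "C:\\WINDOWS\\system32\\kmyrgsrt.dll",b
O4 - HKLM\\..\\Run: [BMabef305d] Rundll32.exe "C:\\WINDOWS\\system32\\tsvyahxb.dll",s
O4 - HKLM\\..\\Run: [ryhkncpq] regsvr32 /u "C:\\Documents and Settings\\All Users\\Application Data\\ryhkncpq.dll"
O4 - HKLM\\..\\Policies\\Explorer\\Run: [1W8n5Hj86j] C:\\WINDOWS\\system32\\winver.exe
O20 - Winlogon Notify: ssqQJCrp - C:\\WINDOWS\\SYSTEM32\\ssqQJCrp.dll
O20 - Winlogon Notify: winvyl32 - C:\\WINDOWS\\SYSTEM32\\winvyl32.dll
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\\Program Files\\UltraVNC\\WinVNC.exe
"""

VOWELS = set("aeiouAEIOU")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,+(?P<export>\S*)')
REGSVR_U_RE = re.compile(r"(?i)^regsvr32\s+/u\b")


def stem_of(path: str) -> str:
    """File name without directory or extension: ...\\ssqQJCrp.dll -> ssqQJCrp."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 8 alphanumerics with at most two vowels, the shape of
    ovmlqwsh / ssqQJCrp / kmyrgsrt in this log. Real names match too (SDHelper),
    so callers pair it with a location check."""
    return len(stem) == 8 and stem.isalnum() and sum(c in VOWELS for c in stem) <= 2


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a human look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            # Nameless/GUID-named BHOs under Program Files are common; the same
            # thing as a random-named DLL dropped straight into system32 is not.
            if in_system32(m["path"]) and looks_random(stem_of(m["path"])):
                findings.append(("BHO: random-named DLL in system32", line))
        elif m := O4_RE.match(line):
            loc, cmd = m["loc"], m["cmd"]
            if "Policies\\Explorer\\Run" in loc:
                findings.append(("Run key under Policies\\Explorer (rarely used legitimately)", line))
            elif r := RUNDLL_RE.match(cmd):
                # bthprops.cpl,,BluetoothAuthenticationAgent is the normal shape;
                # a one-letter export name is not.
                if len(r["export"]) == 1:
                    findings.append(("rundll32 loads DLL via one-letter export", line))
            elif REGSVR_U_RE.match(cmd):
                findings.append(("Run key unregisters a DLL at every logon", line))
        elif m := O20_RE.match(line):
            if looks_random(stem_of(m["path"])):
                findings.append(("Winlogon Notify: random-named DLL (loaded into winlogon.exe)", line))
    return findings


def extra_auth_packages(value: str, expected: tuple[str, ...] = ("msv1_0",)) -> list[str]:
    """Entries in the LSA 'Authentication Packages' list beyond the expected ones.
    DSS prints the REG_MULTI_SZ joined by spaces; on a live system read
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa with winreg instead. Everything
    listed here is loaded into lsass.exe at boot."""
    known = {e.lower() for e in expected}
    return [p for p in value.split() if p.lower() not in known]


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
    # Value as printed in the DSS registry dump above.
    print("Extra LSA packages:", extra_auth_packages("msv1_0 C:\\WINDOWS\\system32\\mlJCUMGA"))
```

Run against the full main.txt the script lists eight hits for the sample above and leaves the Acrobat, Spybot and Bluetooth entries alone; the LSA check is the one to do first, because a DLL that lsass.exe has already loaded will survive any file deletion attempted from the running session.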

#11 Rorschach112 (Retired Staff)
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Click on Start, then Run, copy and paste the following into the Open box and click OK:
"%userprofile%\desktop\dss.exe" /config
This will open up the DSS configuration.
  • Click Check All.
  • Click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad: main.txt and extra.txt.

#12 memmsy (Topic Starter)
Hello Rorschach. Followed the instructions. After the scan in Safe Mode, I clicked to reboot, and the fixtool ran again. It flashed up that it was doing a Catchme scan and might take 5 minutes. After 20 nothing had changed, so I closed the window. On my desktop was a log file called catchme. I have copied the contents below. After that follow main.txt and extra.txt.

Thank you


catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 12:04:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060ac77a6]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060ac77a6]

scanning hidden registry entries ...

scanning hidden files ...

C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1618433.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r16391033.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r17511025.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r17511026.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r17531371.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1647891.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1650470.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1801419.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1803670.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1804248.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1804451.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1952782.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1954142.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1623738.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1623754.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1623755.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r18101039.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r18511732.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1852748.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1917511.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1918042.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1919167.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r19451540.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1945867.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r19591285.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r21071690.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r21071738.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r21271080.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r21271097.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r2128911.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r22061437.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r22071016.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r22081298.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r23001015.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r23001016.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r23021845.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r2019347.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r2022817.LOG 92 bytes

Deckard's System Scanner v20071014.68
Run by cfgeca on 2008-04-03 12:32:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
42: 2008-04-03 11:32:54 UTC - RP436 - Deckard's System Scanner Restore Point
41: 2008-04-02 12:57:39 UTC - RP435 - System Checkpoint
40: 2008-04-01 12:25:50 UTC - RP434 - Deckard's System Scanner Restore Point
39: 2008-03-31 11:29:03 UTC - RP433 - System Checkpoint
38: 2008-03-27 11:00:50 UTC - RP432 - Installed Ad-Aware 2007


-- First Restore Point --
1: 2008-01-07 13:41:09 UTC - RP395 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 91% (more than 75%).
Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as cfgeca.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:58, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\DJ5FE6.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\cfgeca\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cfgeca.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {7f25213e-83b4-0e8b-47e4-5589e488ab71} - {17ba884e-9855-4e74-b8e0-4b38e31252f7} - C:\WINDOWS\system32\gmrrtxrj.dll
O2 - BHO: (no name) - {220A45A7-10F0-4732-A847-007B23FA957D} - C:\WINDOWS\system32\mlJCUMGA.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\ssqQJCrp.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [a8dc03c1] rundll32.exe "C:\WINDOWS\system32\kmyrgsrt.dll",b
O4 - HKLM\..\Run: [BMabef305d] Rundll32.exe "C:\WINDOWS\system32\tsvyahxb.dll",s
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: ZyWALL VPN Client.lnk = C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://cfgmsbserver...emote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GMCF.local
O17 - HKLM\Software\..\Telephony: DomainName = GMCF.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GMCF.local
O20 - Winlogon Notify: ssqQJCrp - C:\WINDOWS\SYSTEM32\ssqQJCrp.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9832 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080402-143029-837 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080402-143029-920 O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
backup-20080402-143030-182 O4 - HKLM\..\Run: [ryhkncpq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll"
backup-20080402-143030-279 O4 - HKLM\..\Run: [opongjel] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\opongjel.dll"
backup-20080402-143030-381 O4 - HKLM\..\Run: [a8dc03c1] rundll32.exe "C:\WINDOWS\system32\ofsymwnl.dll",b
backup-20080402-143030-883 O4 - HKLM\..\Run: [adgjofcr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\adgjofcr.dll"
backup-20080402-143030-915 O4 - HKLM\..\Run: [zopajkti] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zopajkti.dll"

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
R2 Crypto - c:\windows\system32\drivers\crypto.sys <Not Verified; SafeNet; SafeNet CSP>
R2 IPSECDRV (SafeNet IPSec Plugin) - c:\windows\system32\drivers\ipsecdrv.sys <Not Verified; SafeNet; SafeNet VPN Client>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 TM_CFW (Common Firewall Driver) - c:\program files\trend micro\client server security agent\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Common Firewall Module 1.2>
R3 catchme - c:\docume~1\cfgeca\locals~1\temp\catchme.sys (file missing)

S3 SE27mgmt (Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se27mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Device Management>
S3 se27nd5 (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)) - c:\windows\system32\drivers\se27nd5.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 SE27obex (Sony Ericsson Device 039 USB WMC OBEX Interface) - c:\windows\system32\drivers\se27obex.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC OBEX Interface>
S3 se27unic (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)) - c:\windows\system32\drivers\se27unic.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
R2 IPSECMON (SafeNet Monitor Service) - "c:\program files\zyxel\zywall vpn client\ipsecmon.exe" <Not Verified; SafeNet; SafeNet VPN Client>
R2 IREIKE (SafeNet IKE Service) - "c:\program files\zyxel\zywall vpn client\ireike.exe" <Not Verified; SafeNet; SafeNet VPN Client>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 OfcPfwSvc (Trend Micro Client/Server Security Agent Personal Firewall) - c:\program files\trend micro\client server security agent\ofcpfwsvc.exe <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27228086&REV_05\4&2FA23535&0&18F0
Manufacturer: Intel® Corporation
Name: Intel® PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27228086&REV_05\4&2FA23535&0&18F0
Service: w29n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: ROOT\NET\0000
Manufacturer: WIDCOMM, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: ROOT\NET\0000
Service: BTWDNDIS


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 928)
2004-09-07 16:08:06 110592 --a------ C:\Program Files\Intel\Wireless\Bin\LgNotify.dll <Not Verified; Intel Corporation; LogonNotify Dynamic Link Library>
2008-04-01 09:32:35 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll

C:\WINDOWS\explorer.exe (pid 2100)
2008-04-01 12:37:55 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll
2008-04-01 09:32:35 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll
-- :: 0 --------- C:\DOCUME~1\cfgeca\LOCALS~1\Temp\catchme.dll
2008-04-03 10:01:16 88640 --a------ C:\WINDOWS\system32\tsvyahxb.dll
2008-04-03 10:08:43 86592 --a------ C:\WINDOWS\system32\kmyrgsrt.dll
2004-08-16 19:53:04 53248 --a------ C:\Program Files\Sitecom\Bluetooth Software\BTKeyInd.dll
2004-12-23 15:47:36 69632 --a------ C:\Program Files\Dell\QuickSet\dadkeyb.dll

C:\WINDOWS\system32\rundll32.exe (pid 888)
2008-04-03 10:01:16 88640 --a------ C:\WINDOWS\system32\tsvyahxb.dll

C:\WINDOWS\system32\rundll32.exe (pid 2516)
2008-04-03 10:08:43 86592 --a------ C:\WINDOWS\system32\kmyrgsrt.dll
2008-04-03 10:01:16 88640 --a------ C:\WINDOWS\system32\tsvyahxb.dll


-- Files created between 2008-03-03 and 2008-04-03 -----------------------------

2008-04-03 11:50:08 0 d-------- C:\WINDOWS\ERUNT
2008-04-03 10:08:43 86592 --a------ C:\WINDOWS\system32\kmyrgsrt.dll
2008-04-03 10:05:56 89152 --a------ C:\WINDOWS\system32\gmrrtxrj.dll
2008-04-03 10:01:13 88640 --a------ C:\WINDOWS\system32\tsvyahxb.dll
2008-04-02 14:33:24 3860 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 14:32:23 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-02 14:32:23 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-02 14:32:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-02 14:32:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-02 14:32:23 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-02 14:32:23 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\Templates
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\Start Menu
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\SendTo
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\Recent
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\PrintHood
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\NetHood
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\My Documents
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\Local Settings
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\Favorites
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Desktop
2008-04-02 14:21:55 0 d---s---- C:\Documents and Settings\administrator.GMCF\Cookies
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\Application Data
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Sun
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Sonic
2008-04-02 14:21:55 0 d---s---- C:\Documents and Settings\administrator.GMCF\Application Data\Microsoft
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Intel
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Identities
2008-04-02 14:21:54 786432 --ah----- C:\Documents and Settings\administrator.GMCF\NTUSER.DAT
2008-04-02 09:45:54 90688 --a------ C:\WINDOWS\system32\ovmlqwsh.dll
2008-04-02 09:43:39 85568 --a------ C:\WINDOWS\system32\ofsymwnl.dll
2008-04-02 09:34:08 88128 --a------ C:\WINDOWS\system32\mbqkgfsb.dll
2008-04-01 12:37:58 239976 --ahs---- C:\WINDOWS\system32\AGMUCJlm.ini2
2008-04-01 12:37:52 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll
2008-04-01 09:34:18 118784 --a------ C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll
2008-04-01 09:34:09 118784 --a------ C:\WINDOWS\system32\slwslbpz.dll
2008-04-01 09:32:35 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll
2008-03-28 10:43:22 98304 --a------ C:\Documents and Settings\All Users\Application Data\zopajkti.dll
2008-03-28 10:43:21 98304 --a------ C:\WINDOWS\system32\mvgnbhyx.dll
2008-03-27 17:18:06 0 d-------- C:\Program Files\PC-Cleaner
2008-03-27 14:07:03 131072 --a------ C:\Documents and Settings\All Users\Application Data\opongjel.dll
2008-03-27 14:07:02 131072 --a------ C:\WINDOWS\system32\fomefhfr.dll
2008-03-27 13:26:46 0 d-------- C:\Program Files\AvantGo Connect
2008-03-27 13:25:58 65613 --a------ C:\WINDOWS\system32\ppvexp.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:57 24652 --a------ C:\WINDOWS\system32\uicom.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 65615 --a------ C:\WINDOWS\system32\pmailext.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 57423 --a------ C:\WINDOWS\system32\MsgStRPC.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 114688 --a------ C:\WINDOWS\system32\malslib.dll <Not Verified; AvantGo, Inc.; AvantGo Connect>
2008-03-27 13:25:56 77899 --a------ C:\WINDOWS\system32\rapi.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 36942 --a------ C:\WINDOWS\system32\ppcload.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 24653 --a------ C:\WINDOWS\system32\ceutil.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 12:32:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 11:30:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-26 15:21:26 0 d-------- C:\Documents and Settings\cfgeca\.housecall6.6
2008-03-26 11:52:43 102400 --a------ C:\WINDOWS\system32\xmecaqxv.dll
2008-03-26 11:52:43 102400 --a------ C:\Documents and Settings\All Users\Application Data\adgjofcr.dll
2008-03-26 11:21:05 25600 --a------ C:\WINDOWS\system32\winfiz32.dll
2008-03-19 11:01:32 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Datalayer
2008-03-17 12:57:48 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-17 12:57:17 0 d-------- C:\Program Files\Real
2008-03-17 12:57:12 0 d-------- C:\Program Files\Common Files\Real
2008-03-17 12:57:11 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Real
2008-03-03 10:33:46 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite


-- Find3M Report ---------------------------------------------------------------

2008-04-03 11:47:12 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-03-31 12:43:29 0 d-------- C:\Program Files\Trend Micro
2008-03-27 14:21:05 0 d-------- C:\Program Files\Common Files
2008-03-27 14:21:01 0 d-------- C:\Program Files\Lavasoft
2008-03-27 13:26:48 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-25 12:30:37 0 d-------- C:\Documents and Settings\cfgeca\Application Data\AdobeUM
2008-03-06 11:56:55 0 d-------- C:\Documents and Settings\cfgeca\Application Data\PC Suite
2008-03-06 11:38:13 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Nokia
2008-03-02 13:00:15 0 d-------- C:\Program Files\Common Files\PCSuite
2008-03-02 13:00:13 0 d-------- C:\Program Files\Nokia
2008-03-02 13:00:13 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-02 12:59:48 0 d-------- C:\Program Files\DIFX
2008-03-02 12:59:30 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-02 12:58:16 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17ba884e-9855-4e74-b8e0-4b38e31252f7}]
03/04/2008 10:05 89152 --a------ C:\WINDOWS\system32\gmrrtxrj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{220A45A7-10F0-4732-A847-007B23FA957D}]
01/04/2008 12:37 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}]
01/04/2008 09:32 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [23/08/2007 11:09]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/08/2007 10:51]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/08/2007 11:16]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [23/08/2007 11:09]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [30/10/2004 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [23/08/2007 11:09]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 08:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 01:01]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04/08/2004 05:00]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 05:00 C:\WINDOWS\system32\bthprops.cpl]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 18:17]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [06/08/2005 19:45]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [29/03/2007 08:10]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [28/11/2006 15:12]
"a8dc03c1"="C:\WINDOWS\system32\kmyrgsrt.dll" [03/04/2008 10:08]
"BMabef305d"="C:\WINDOWS\system32\tsvyahxb.dll" [03/04/2008 10:01]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 01:19:50]
BTTray.lnk - C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe [16/08/2004 19:52:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [08/08/2005 10:55:22]
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [03/02/2000 01:11:00]
ZyWALL VPN Client.lnk - C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe [14/12/2006 15:49:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}"= C:\WINDOWS\system32\ssqQJCrp.dll [01/04/2008 09:32 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQJCrp]
ssqQJCrp.dll 01/04/2008 09:32 40448 C:\WINDOWS\system32\ssqQJCrp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJCUMGA

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-04-03 12:41:45 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.60GHz
Percentage of Memory in Use: 84%
Physical Memory (total/avail): 503.36 MiB / 75.56 MiB
Pagefile Memory (total/avail): 1227.32 MiB / 793.81 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1900.34 MiB

C: is Fixed (NTFS) - 37.16 GiB total, 27.37 GiB free.
D: is CDROM (UDF)
H: is Network (NTFS)
P: is Network (NTFS)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - TOSHIBA MK4026GAX - 37.26 GiB - 2 partitions
\PARTITION0 - Unknown - 94.1 MiB
\PARTITION1 (bootable) - Installable File System - 37.16 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Trend Micro Client-Server Security Agent Firewall v7.6.1095 (TrendFirewall) Disabled
AV: Trend Micro Client-Server Security Agent AntiVirus v7.6.1095 (TrendAntiVirus)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Utility\\Installer\\InstallationManager.exe"="D:\\Utility\\Installer\\InstallationManager.exe:*:Enabled:Xerox Windows Common Print Driver Installer"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\IreIKE.exe"="C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\ViewLog.exe"="C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\CmonApp.exe"="C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\vpn.exe"="C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\TEMP\\win19.exe"="C:\\WINDOWS\\TEMP\\win19.exe:*:Enabled:win19"
"C:\\WINDOWS\\TEMP\\win34.exe"="C:\\WINDOWS\\TEMP\\win34.exe:*:Enabled:win34"
"C:\\WINDOWS\\TEMP\\winA5.exe"="C:\\WINDOWS\\TEMP\\winA5.exe:*:Enabled:winA5"
"C:\\WINDOWS\\TEMP\\winBB.exe"="C:\\WINDOWS\\TEMP\\winBB.exe:*:Enabled:winBB"
"C:\\WINDOWS\\TEMP\\win107.exe"="C:\\WINDOWS\\TEMP\\win107.exe:*:Enabled:win107"
"C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\IreIKE.exe"="C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\IreIKE.exe:*:Enabled:IreIke"
"C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\ViewLog.exe"="C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\CmonApp.exe"="C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\vpn.exe"="C:\\Program Files\\ZyXEL\\ZyWALL VPN Client\\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cfgeca\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PC10733
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\cfgeca
LOGONSERVER=\\CFGMSBSERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SBSSERVER=CFGMSBSERVER
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\cfgeca\LOCALS~1\Temp
TMP=C:\DOCUME~1\cfgeca\LOCALS~1\Temp
USERDNSDOMAIN=GMCF.LOCAL
USERDOMAIN=GMCF
USERNAME=cfgeca
USERPROFILE=C:\Documents and Settings\cfgeca
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

marienne.CFGM
administrator.CFGM (admin)
marienne (new local, admin)
locad (admin)
__sbs_netsetup__ (new local, admin)
Administrator (admin)
marienne.CFGMSBS (admin)
emma (admin)
administrator.CFGMSBS (admin)
cfgeca (admin)
administrator.GMCF (new local, admin, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 Beta --> MsiExec.exe /X{25081482-E242-4FE3-B552-FDC8BA88C90E}
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
Broadcom Advanced Control Suite 2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{64A77F14-0E08-4A97-A859-E93CFF428756} /l1033
Broadcom ASF Management Applications --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{25D24E84-64A9-40D2-85CF-540B1C4A6D52} /l1033
Broadcom Gigabit Integrated Controller --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft ActiveSync 3.8 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft MapPoint Europe 2004 --> MsiExec.exe /I{8704D51E-25B7-4F23-81E7-AA4F54790240}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mToolkit --> MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Nokia Connectivity Cable Driver --> MsiExec.exe /X{3BFFC6B8-4EC0-4240-858C-998FD4077983}
Nokia PC Suite --> MsiExec.exe /I{02091327-B124-4216-9D71-58C0E24F5392}
PC Connectivity Solution --> MsiExec.exe /I{04F3BF74-9E34-4D3E-93C3-D3D1F24199C8}
PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Shadow Copy Client --> MsiExec.exe /I{23E5032B-56CA-4C19-A72E-B50161DB82CA}
Sitecom Bluetooth Software --> MsiExec.exe /X{90535871-81B9-4D99-8A13-A7EE97F2D7FE}
SmarterMail Sync for Outlook --> MsiExec.exe /X{6567F265-62EC-4BA9-9629-6B483B608854}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! Plus --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sony Ericsson PC Suite 1.20.224 --> MsiExec.exe /I{7689CA7A-1270-425A-9959-EB4CB25EA29A}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SyncThru --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Samsung Network Printer Utilities\SyncThru\Uninst.isu" -c"C:\Program Files\Samsung Network Printer Utilities\SyncThru\_Uninst.dll"
Trend Micro Client/Server Security Agent --> "C:\Program Files\Trend Micro\Client Server Security Agent\ntrmv.exe"
UltraVNC v1.0.1 --> "C:\Program Files\UltraVNC\unins000.exe"
Windows Driver Package - Nokia (WUDFRd) WPD (11/03/2006 6.82.26.2) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_6B630EE2E66584353C6CD8683D447072872F34D8\pccswpddriver.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Xerox Support Centre --> C:\Program Files\Xerox\Support Centre\supportuninstall.exe
ZyWALL VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\ZyXEL\ZyWALL VPN Client\Setup\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type7158 / Warning
Event Submitted/Written: 04/02/2008 02:34:00 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type7157 / Warning
Event Submitted/Written: 04/02/2008 02:34:00 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{90110409-6000-11D3-8CFE-0150048383C9}', feature 'OfficeUserData', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Event Record #/Type7134 / Error
Event Submitted/Written: 04/01/2008 01:21:47 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126637809.

Event Record #/Type7133 / Error
Event Submitted/Written: 04/01/2008 01:21:22 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type7126 / Error
Event Submitted/Written: 04/01/2008 01:10:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application OTMoveIt2.exe, version 1.0.21.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type42716 / Error
Event Submitted/Written: 04/03/2008 11:49:50 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
APPDRV
Fips
intelppm

Event Record #/Type42715 / Error
Event Submitted/Written: 04/03/2008 11:49:21 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type42679 / Warning
Event Submitted/Written: 04/02/2008 03:52:25 PM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type42678 / Warning
Event Submitted/Written: 04/02/2008 03:52:24 PM / 04/02/2008 03:52:25 PM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type42654 / Error
Event Submitted/Written: 04/02/2008 02:36:24 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-04-03 12:41:45 ------------
  • 0

#13
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you post the SDFix report?


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#14
memmsy

    Member

  • Topic Starter
  • Member
  • 19 posts
Hello Rorschach. Followed the instructions. After the scan in safe mode, I clicked to reboot, and the fixtool ran again. It flashed up that it was doing a Catchme scan and may take 5 minutes. After 20 minutes nothing had changed, so I closed the window. On my desktop was a log file called catchme. I have copied the contents below. After that follow main.txt and extra.txt.

Thank you


catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 12:04:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060ac77a6]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060ac77a6]

scanning hidden registry entries ...

scanning hidden files ...

C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1618433.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r16391033.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r17511025.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r17511026.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r17531371.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1647891.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1650470.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1801419.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1803670.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1804248.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1804451.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1952782.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1954142.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1623738.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1623754.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1623755.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r18101039.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r18511732.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1852748.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1917511.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1918042.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r1919167.LOG 92 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r19451540.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r1945867.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r19591285.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r21071690.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r21071738.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r21271080.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r21271097.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r2128911.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r22061437.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r22071016.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r22081298.LOG 292 bytes
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r23001015.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r23001016.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\_r23021845.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r2019347.LOG
C:\Program Files\Trend Micro\Client Server Security Agent\HLog\r2022817.LOG 92 bytes

Deckard's System Scanner v20071014.68
Run by cfgeca on 2008-04-03 12:32:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
42: 2008-04-03 11:32:54 UTC - RP436 - Deckard's System Scanner Restore Point
41: 2008-04-02 12:57:39 UTC - RP435 - System Checkpoint
40: 2008-04-01 12:25:50 UTC - RP434 - Deckard's System Scanner Restore Point
39: 2008-03-31 11:29:03 UTC - RP433 - System Checkpoint
38: 2008-03-27 11:00:50 UTC - RP432 - Installed Ad-Aware 2007


-- First Restore Point --
1: 2008-01-07 13:41:09 UTC - RP395 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 91% (more than 75%).
Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as cfgeca.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:58, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\DJ5FE6.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\cfgeca\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cfgeca.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {7f25213e-83b4-0e8b-47e4-5589e488ab71} - {17ba884e-9855-4e74-b8e0-4b38e31252f7} - C:\WINDOWS\system32\gmrrtxrj.dll
O2 - BHO: (no name) - {220A45A7-10F0-4732-A847-007B23FA957D} - C:\WINDOWS\system32\mlJCUMGA.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\ssqQJCrp.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [a8dc03c1] rundll32.exe "C:\WINDOWS\system32\kmyrgsrt.dll",b
O4 - HKLM\..\Run: [BMabef305d] Rundll32.exe "C:\WINDOWS\system32\tsvyahxb.dll",s
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: ZyWALL VPN Client.lnk = C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://cfgmsbserver...emote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GMCF.local
O17 - HKLM\Software\..\Telephony: DomainName = GMCF.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GMCF.local
O20 - Winlogon Notify: ssqQJCrp - C:\WINDOWS\SYSTEM32\ssqQJCrp.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9832 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080402-143029-837 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080402-143029-920 O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
backup-20080402-143030-182 O4 - HKLM\..\Run: [ryhkncpq] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll"
backup-20080402-143030-279 O4 - HKLM\..\Run: [opongjel] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\opongjel.dll"
backup-20080402-143030-381 O4 - HKLM\..\Run: [a8dc03c1] rundll32.exe "C:\WINDOWS\system32\ofsymwnl.dll",b
backup-20080402-143030-883 O4 - HKLM\..\Run: [adgjofcr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\adgjofcr.dll"
backup-20080402-143030-915 O4 - HKLM\..\Run: [zopajkti] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zopajkti.dll"

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
R2 Crypto - c:\windows\system32\drivers\crypto.sys <Not Verified; SafeNet; SafeNet CSP>
R2 IPSECDRV (SafeNet IPSec Plugin) - c:\windows\system32\drivers\ipsecdrv.sys <Not Verified; SafeNet; SafeNet VPN Client>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 TM_CFW (Common Firewall Driver) - c:\program files\trend micro\client server security agent\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Micro Common Firewall Module 1.2>
R3 catchme - c:\docume~1\cfgeca\locals~1\temp\catchme.sys (file missing)

S3 SE27mgmt (Sony Ericsson Device 039 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\se27mgmt.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC Device Management>
S3 se27nd5 (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)) - c:\windows\system32\drivers\se27nd5.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 SE27obex (Sony Ericsson Device 039 USB WMC OBEX Interface) - c:\windows\system32\drivers\se27obex.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB WMC OBEX Interface>
S3 se27unic (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)) - c:\windows\system32\drivers\se27unic.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
R2 IPSECMON (SafeNet Monitor Service) - "c:\program files\zyxel\zywall vpn client\ipsecmon.exe" <Not Verified; SafeNet; SafeNet VPN Client>
R2 IREIKE (SafeNet IKE Service) - "c:\program files\zyxel\zywall vpn client\ireike.exe" <Not Verified; SafeNet; SafeNet VPN Client>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 OfcPfwSvc (Trend Micro Client/Server Security Agent Personal Firewall) - c:\program files\trend micro\client server security agent\ofcpfwsvc.exe <Not Verified; Trend Micro Inc.; Trend Micro Client/Server/Messaging Security for SMB>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27228086&REV_05\4&2FA23535&0&18F0
Manufacturer: Intel® Corporation
Name: Intel® PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27228086&REV_05\4&2FA23535&0&18F0
Service: w29n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: ROOT\NET\0000
Manufacturer: WIDCOMM, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: ROOT\NET\0000
Service: BTWDNDIS


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 928)
2004-09-07 16:08:06 110592 --a------ C:\Program Files\Intel\Wireless\Bin\LgNotify.dll <Not Verified; Intel Corporation; LogonNotify Dynamic Link Library>
2008-04-01 09:32:35 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll

C:\WINDOWS\explorer.exe (pid 2100)
2008-04-01 12:37:55 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll
2008-04-01 09:32:35 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll
-- :: 0 --------- C:\DOCUME~1\cfgeca\LOCALS~1\Temp\catchme.dll
2008-04-03 10:01:16 88640 --a------ C:\WINDOWS\system32\tsvyahxb.dll
2008-04-03 10:08:43 86592 --a------ C:\WINDOWS\system32\kmyrgsrt.dll
2004-08-16 19:53:04 53248 --a------ C:\Program Files\Sitecom\Bluetooth Software\BTKeyInd.dll
2004-12-23 15:47:36 69632 --a------ C:\Program Files\Dell\QuickSet\dadkeyb.dll

C:\WINDOWS\system32\rundll32.exe (pid 888)
2008-04-03 10:01:16 88640 --a------ C:\WINDOWS\system32\tsvyahxb.dll

C:\WINDOWS\system32\rundll32.exe (pid 2516)
2008-04-03 10:08:43 86592 --a------ C:\WINDOWS\system32\kmyrgsrt.dll
2008-04-03 10:01:16 88640 --a------ C:\WINDOWS\system32\tsvyahxb.dll


-- Files created between 2008-03-03 and 2008-04-03 -----------------------------

2008-04-03 11:50:08 0 d-------- C:\WINDOWS\ERUNT
2008-04-03 10:08:43 86592 --a------ C:\WINDOWS\system32\kmyrgsrt.dll
2008-04-03 10:05:56 89152 --a------ C:\WINDOWS\system32\gmrrtxrj.dll
2008-04-03 10:01:13 88640 --a------ C:\WINDOWS\system32\tsvyahxb.dll
2008-04-02 14:33:24 3860 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 14:32:23 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-02 14:32:23 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-02 14:32:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-02 14:32:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-02 14:32:23 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-02 14:32:23 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\Templates
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\Start Menu
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\SendTo
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\Recent
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\PrintHood
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\NetHood
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\My Documents
2008-04-02 14:21:55 0 d--h----- C:\Documents and Settings\administrator.GMCF\Local Settings
2008-04-02 14:21:55 0 dr------- C:\Documents and Settings\administrator.GMCF\Favorites
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Desktop
2008-04-02 14:21:55 0 d---s---- C:\Documents and Settings\administrator.GMCF\Cookies
2008-04-02 14:21:55 0 dr-h----- C:\Documents and Settings\administrator.GMCF\Application Data
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Sun
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Sonic
2008-04-02 14:21:55 0 d---s---- C:\Documents and Settings\administrator.GMCF\Application Data\Microsoft
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Intel
2008-04-02 14:21:55 0 d-------- C:\Documents and Settings\administrator.GMCF\Application Data\Identities
2008-04-02 14:21:54 786432 --ah----- C:\Documents and Settings\administrator.GMCF\NTUSER.DAT
2008-04-02 09:45:54 90688 --a------ C:\WINDOWS\system32\ovmlqwsh.dll
2008-04-02 09:43:39 85568 --a------ C:\WINDOWS\system32\ofsymwnl.dll
2008-04-02 09:34:08 88128 --a------ C:\WINDOWS\system32\mbqkgfsb.dll
2008-04-01 12:37:58 239976 --ahs---- C:\WINDOWS\system32\AGMUCJlm.ini2
2008-04-01 12:37:52 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll
2008-04-01 09:34:18 118784 --a------ C:\Documents and Settings\All Users\Application Data\ryhkncpq.dll
2008-04-01 09:34:09 118784 --a------ C:\WINDOWS\system32\slwslbpz.dll
2008-04-01 09:32:35 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll
2008-03-28 10:43:22 98304 --a------ C:\Documents and Settings\All Users\Application Data\zopajkti.dll
2008-03-28 10:43:21 98304 --a------ C:\WINDOWS\system32\mvgnbhyx.dll
2008-03-27 17:18:06 0 d-------- C:\Program Files\PC-Cleaner
2008-03-27 14:07:03 131072 --a------ C:\Documents and Settings\All Users\Application Data\opongjel.dll
2008-03-27 14:07:02 131072 --a------ C:\WINDOWS\system32\fomefhfr.dll
2008-03-27 13:26:46 0 d-------- C:\Program Files\AvantGo Connect
2008-03-27 13:25:58 65613 --a------ C:\WINDOWS\system32\ppvexp.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:57 24652 --a------ C:\WINDOWS\system32\uicom.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 65615 --a------ C:\WINDOWS\system32\pmailext.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 57423 --a------ C:\WINDOWS\system32\MsgStRPC.dll <Not Verified; Microsoft Corporation; Microsoft Pocket Office>
2008-03-27 13:25:57 114688 --a------ C:\WINDOWS\system32\malslib.dll <Not Verified; AvantGo, Inc.; AvantGo Connect>
2008-03-27 13:25:56 77899 --a------ C:\WINDOWS\system32\rapi.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 36942 --a------ C:\WINDOWS\system32\ppcload.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 13:25:56 24653 --a------ C:\WINDOWS\system32\ceutil.dll <Not Verified; Microsoft Corporation; Microsoft ActiveSync>
2008-03-27 12:32:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 11:30:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-26 15:21:26 0 d-------- C:\Documents and Settings\cfgeca\.housecall6.6
2008-03-26 11:52:43 102400 --a------ C:\WINDOWS\system32\xmecaqxv.dll
2008-03-26 11:52:43 102400 --a------ C:\Documents and Settings\All Users\Application Data\adgjofcr.dll
2008-03-26 11:21:05 25600 --a------ C:\WINDOWS\system32\winfiz32.dll
2008-03-19 11:01:32 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Datalayer
2008-03-17 12:57:48 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-17 12:57:17 0 d-------- C:\Program Files\Real
2008-03-17 12:57:12 0 d-------- C:\Program Files\Common Files\Real
2008-03-17 12:57:11 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Real
2008-03-03 10:33:46 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite


-- Find3M Report ---------------------------------------------------------------

2008-04-03 11:47:12 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-03-31 12:43:29 0 d-------- C:\Program Files\Trend Micro
2008-03-27 14:21:05 0 d-------- C:\Program Files\Common Files
2008-03-27 14:21:01 0 d-------- C:\Program Files\Lavasoft
2008-03-27 13:26:48 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-25 12:30:37 0 d-------- C:\Documents and Settings\cfgeca\Application Data\AdobeUM
2008-03-06 11:56:55 0 d-------- C:\Documents and Settings\cfgeca\Application Data\PC Suite
2008-03-06 11:38:13 0 d-------- C:\Documents and Settings\cfgeca\Application Data\Nokia
2008-03-02 13:00:15 0 d-------- C:\Program Files\Common Files\PCSuite
2008-03-02 13:00:13 0 d-------- C:\Program Files\Nokia
2008-03-02 13:00:13 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-02 12:59:48 0 d-------- C:\Program Files\DIFX
2008-03-02 12:59:30 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-02 12:58:16 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17ba884e-9855-4e74-b8e0-4b38e31252f7}]
03/04/2008 10:05 89152 --a------ C:\WINDOWS\system32\gmrrtxrj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{220A45A7-10F0-4732-A847-007B23FA957D}]
01/04/2008 12:37 268288 --a------ C:\WINDOWS\system32\mlJCUMGA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94BC3D1D-22E9-4744-8ED1-3E08A3B74078}]
01/04/2008 09:32 40448 --a------ C:\WINDOWS\system32\ssqQJCrp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [23/08/2007 11:09]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/08/2007 10:51]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/08/2007 11:16]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [23/08/2007 11:09]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [30/10/2004 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [23/08/2007 11:09]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 08:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 01:01]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [04/08/2004 05:00]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 05:00 C:\WINDOWS\system32\bthprops.cpl]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 18:17]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [06/08/2005 19:45]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [29/03/2007 08:10]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [28/11/2006 15:12]
"a8dc03c1"="C:\WINDOWS\system32\kmyrgsrt.dll" [03/04/2008 10:08]
"BMabef305d"="C:\WINDOWS\system32\tsvyahxb.dll" [03/04/2008 10:01]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 01:19:50]
BTTray.lnk - C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe [16/08/2004 19:52:22]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [08/08/2005 10:55:22]
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [03/02/2000 01:11:00]
ZyWALL VPN Client.lnk - C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe [14/12/2006 15:49:16
  • 0

#15
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok, go ahead and run ComboFix there.
  • 0





