Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

AV websites blocked and search engines hijacked [RESOLVED]

Started by SchoolWorker , May 26 2008 11:28 AM

This topic is locked

#1
SchoolWorker

Posted 26 May 2008 - 11:28 AM

Member

Member
18 posts

I became infected with Vundo trojan on 5/3/2008 and a bunch of spyware and adware hopped on, too. I have PC-cillin Internet Security 14 antivirus software and I started running the common anti-malware programs but couldn't get rid of the infections. After 10 days, a bunch of websites stopped loading (but my internet connection still works).

CURRENT PROBLEMS:
--Important websites are blocked (all large antivirus companies, the Microsoft WindowsUpdate website, Java update websites, my bank's website.
--Search engines produce a results list, but clicking on any result takes me to a hijacked website of ads.

I tried these products:
-->Housecall.
-->System Cleaner (by TrendMicro).
-->PC-cillin virus/spyware scans.
-->Disk Cleanup.
-->Hijack This.
-->Unlocker -- It allowed me to delete the vundo file that had been "in use".
-->VundoFix.exe got the rest of the vundo (I think).
-->SpyBot S&D to get rid of Virtumonde & other ad/spyware.

BUT the important websites are STILL blocked, which makes it impossible to download Windows Updates or other antivirus stuff now, and the search engines are STILL hijacked. There are still remants of trojan floating around too.
For example, HijackThis doesn't delete this entry in my log:
024 - Desktop Component (0).
And SystemCleaner always fails on the rootkit scan.

I checked the HOSTS file in C:/Windows/system32/drivers/etc/ thinking it was rerouting some URLs. The HOSTS file looked fine, but I replaced it anyway but still the important websites are blocked and search engines are hijacked.

Does anyone recognize this webpage-loading problem? If I can't update my Java and Windows and virus pattern files soon, I'll be right back where I started with a monster malware infection. Been fighting this for 24 days and losing hope.

Please see my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:58 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O1 - Hosts: Disclaimer: this file is free to use for personal use #
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - (no file)

Edited by SchoolWorker, 26 May 2008 - 02:40 PM.

#2
Rorschach112

Posted 26 May 2008 - 06:19 PM

Ralphie

Retired Staff
47,710 posts

Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#3
SchoolWorker

Posted 27 May 2008 - 04:07 PM

Member

Topic Starter
Member
18 posts

Thank you for your willingness to help! I ran SDFix and here is the report.txt :

SDFix: Version 1.186
Run by Mindy on Tue 05/27/2008 at 01:00 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MsSecurity1.209.4

Path :
C:\WINDOWS\winself.exe service

MsSecurity1.209.4 - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\Words\list.txt - Deleted
C:\Program Files\Words\script.txt - Deleted
C:\WINDOWS\system32\000060.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\apphelp32.dll - Deleted
C:\WINDOWS\asferror32.dll - Deleted
C:\WINDOWS\asycfilt32.dll - Deleted
C:\WINDOWS\athprxy32.dll - Deleted
C:\WINDOWS\ati2dvaa32.dll - Deleted
C:\WINDOWS\ati2dvag32.dll - Deleted
C:\WINDOWS\audiosrv32.dll - Deleted
C:\WINDOWS\autodisc32.dll - Deleted
C:\WINDOWS\avifile32.dll - Deleted
C:\WINDOWS\avisynthex32.dll - Deleted
C:\WINDOWS\aviwrap32.dll - Deleted
C:\WINDOWS\bjam.dll - Deleted
C:\WINDOWS\bokja.exe - Deleted
C:\WINDOWS\browserad.dll - Deleted
C:\WINDOWS\changeurl_30.dll - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\msa64chk.dll - Deleted
C:\WINDOWS\msapasrc.dll - Deleted
C:\WINDOWS\mspphe.dll - Deleted
C:\WINDOWS\mssvr.exe - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\ntnut.exe - Deleted
C:\WINDOWS\saiemod.dll - Deleted
C:\WINDOWS\shdocpe.dll - Deleted
C:\WINDOWS\shdocpl.dll - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\textos.txt - Deleted
C:\WINDOWS\voiceip.dll - Deleted
C:\WINDOWS\winsb.dll - Deleted

Folder C:\Program Files\Insider - Removed
Folder C:\Program Files\QdrDrive - Removed
Folder C:\Program Files\Words - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\fse - Removed
Folder C:\WINDOWS\system32\f02WtR - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 01:09:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="7"
"subid"="run02"
"control"=hex:1a,00,15,13,07,11,18,1f,14,0a,49,09,4b,1a,09,50,11,e5,f5
"prov"="10010"
"googleadserver"="pagead2.googlesyndication.com"
"flagged"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"RefCount"=dword:00000002

scanning hidden files ...

C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbdll.dll 49152 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 10

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 10 Aug 2004 94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Tue 10 Aug 2004 50,688 ..SH. --- "C:\WINDOWS\twain_32.dll"
Tue 31 Jan 2006 145,920 ..SHR --- "C:\Program Files\PhoTagsExpress\Setup.exe"
Wed 9 Mar 2005 39,936 A.SHR --- "C:\Program Files\PhoTagsExpress\_Setupx.dll"
Sun 6 Aug 2006 88 ..SHR --- "C:\WINDOWS\system32\3A7D0117E6.sys"
Sat 5 May 2007 56 ..SHR --- "C:\WINDOWS\system32\E617017D3A.sys"
Sat 5 May 2007 6,580 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 10 Aug 2004 1,028,096 ..SH. --- "C:\WINDOWS\system32\mfc42.dll"
Tue 10 Aug 2004 54,784 ..SH. --- "C:\WINDOWS\system32\msvcirt.dll"
Tue 10 Aug 2004 413,696 ..SH. --- "C:\WINDOWS\system32\msvcp60.dll"
Tue 4 Dec 2007 550,912 ..SH. --- "C:\WINDOWS\system32\oleaut32.dll"
Tue 10 Aug 2004 83,456 ..SH. --- "C:\WINDOWS\system32\olepro32.dll"
Tue 10 Aug 2004 11,776 ..SH. --- "C:\WINDOWS\system32\regsvr32.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe"
Fri 21 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT1E.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT2C.tmp"
Tue 17 Dec 2002 28,160 A..H. --- "C:\Documents and Settings\Mindy\My Documents\fromOtherPC\GIS\UMarcView1\assignments\~WRL0005.tmp"
Tue 17 Dec 2002 28,160 A..H. --- "C:\Documents and Settings\Mindy\My Documents\fromOtherPC\GIS\UMarcView1\assignments\~WRL0173.tmp"
Tue 17 Dec 2002 30,720 A..H. --- "C:\Documents and Settings\Mindy\My Documents\fromOtherPC\GIS\UMarcView1\assignments\~WRL1707.tmp"
Tue 17 Dec 2002 30,720 A..H. --- "C:\Documents and Settings\Mindy\My Documents\fromOtherPC\GIS\UMarcView1\assignments\~WRL2677.tmp"
Tue 17 Dec 2002 26,624 A..H. --- "C:\Documents and Settings\Mindy\My Documents\fromOtherPC\GIS\UMarcView1\assignments\~WRL2695.tmp"
Tue 17 Dec 2002 29,696 A..H. --- "C:\Documents and Settings\Mindy\My Documents\fromOtherPC\GIS\UMarcView1\assignments\~WRL2861.tmp"
Tue 17 Dec 2002 30,208 A..H. --- "C:\Documents and Settings\Mindy\My Documents\fromOtherPC\GIS\UMarcView1\assignments\~WRL3428.tmp"
Tue 17 Dec 2002 27,648 A..H. --- "C:\Documents and Settings\Mindy\My Documents\fromOtherPC\GIS\UMarcView1\assignments\~WRL3437.tmp"

Finished!

#4
SchoolWorker

Posted 27 May 2008 - 04:10 PM

Member

Topic Starter
Member
18 posts

Also, I ran DDS and here are the results of main.txt :

Deckard's System Scanner v20071014.68
Run by Mindy on 2008-05-27 01:23:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
5: 2008-05-27 05:23:38 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-05-25 22:12:45 UTC - RP4 - Installed Adobe Reader 7.1.0
3: 2008-05-25 07:00:40 UTC - RP3 - Software Distribution Service 3.0
2: 2008-05-22 15:38:15 UTC - RP2 - System Checkpoint
1: 2008-05-17 03:29:37 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Mindy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:56 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mindy\Desktop\DeckardsSystemScanner.exe
C:\PROGRA~1\HIJACK~1\Mindy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quote.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5567 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080512-220410-684 O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.2.1.cab
backup-20080514-023742-177 O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 Technologies 3D Room Planner) - http://bestbuy.mvm.c...yerAX_Win32.cab
backup-20080514-023742-392 O4 - HKLM\..\Run: [BM978c092d] Rundll32.exe "C:\WINDOWS\system32\grfsdkwp.dll",s
backup-20080514-023742-612 O4 - HKLM\..\Run: [94bf3ab1] rundll32.exe "C:\WINDOWS\system32\mqcywjyv.dll",b
backup-20080514-023742-695 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9
B1894E754BE54C29159A7DBE80DC744B6CDE3F546CAC59B6
backup-20080514-023743-660 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080514-023852-804 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080514-024025-968 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080516-210719-556 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
backup-20080516-235211-292 O24 - Desktop Component 0: (no name) - (no file)
backup-20080516-235211-512 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080516-235211-595 O4 - HKLM\..\Run: [{75b4086e-464b-7af1-2a25-41ea92e3d567}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll" DllInit
backup-20080516-235245-679 O24 - Desktop Component 0: (no name) - (no file)
backup-20080516-235245-857 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080517-001009-105 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080517-001010-758 O24 - Desktop Component 0: (no name) - (no file)
backup-20080517-192502-205 O24 - Desktop Component 0: (no name) - (no file)
backup-20080517-192502-226 O4 - HKLM\..\Run: [{75b4086e-464b-7af1-2a25-41ea92e3d567}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll" DllInit
backup-20080517-192502-425 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080518-215408-214 O24 - Desktop Component 0: (no name) - (no file)
backup-20080518-215408-434 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080518-215408-454 O4 - HKLM\..\Run: [{75b4086e-464b-7af1-2a25-41ea92e3d567}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll" DllInit
backup-20080522-002112-147 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080522-002112-599 O24 - Desktop Component 0: (no name) - (no file)
backup-20080522-002205-375 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080522-002205-771 O24 - Desktop Component 0: (no name) - (no file)
backup-20080524-235821-105 O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
backup-20080524-235821-135 O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
backup-20080524-235821-223 O4 - HKLM\..\Run: [{75b4086e-464b-7af1-2a25-41ea92e3d567}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll" DllInit
backup-20080524-235821-268 O2 - BHO: (no name) - {9BD91E8B-54A2-49C4-8663-78441FA3D5D7} - (no file)
backup-20080524-235821-289 O2 - BHO: (no name) - {8E765AA0-AD0D-43F9-94C2-4436BCEE9135} - C:\WINDOWS\system32\tuvSMCsR.dll (file missing)
backup-20080524-235821-328 O2 - BHO: (no name) - {7C5E650A-A8BE-4905-9577-678019D84836} - C:\WINDOWS\system32\hgGvssPJ.dll (file missing)
backup-20080524-235821-335 O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
backup-20080524-235821-343 O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
backup-20080524-235821-409 O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
backup-20080524-235821-490 O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20080524-235821-607 O2 - BHO: (no name) - {C100CAFF-F206-4E48-BE7A-3E6759C87B69} - C:\WINDOWS\system32\awtsPJCS.dll (file missing)
backup-20080524-235821-608 O2 - BHO: (no name) - {EA56FF57-D7D2-4381-938E-8CC5688E77AB} - C:\WINDOWS\system32\iifeeEVp.dll (file missing)
backup-20080524-235821-637 O2 - BHO: (no name) - {351714C1-2644-4294-AEC1-C1335759AB18} - (no file)
backup-20080524-235821-644 O20 - Winlogon Notify: xxyvuusR - xxyvuusR.dll (file missing)
backup-20080524-235821-669 O2 - BHO: (no name) - {3B9911E6-004F-44B6-8876-41C55327FBA4} - C:\WINDOWS\system32\khfDsrsS.dll (file missing)
backup-20080524-235821-773 O2 - BHO: (no name) - {8CA25AAA-0C23-405B-8659-EC2CA1E9F6BB} - (no file)
backup-20080524-235821-785 O4 - HKLM\..\Run: [94bf3ab1] rundll32.exe "C:\WINDOWS\system32\gnyqyqla.dll",b
backup-20080524-235821-819 O2 - BHO: (no name) - {8446934C-C4E8-41C7-8A8A-8018598B90FC} - C:\WINDOWS\system32\geBuuuVl.dll (file missing)
backup-20080524-235821-843 O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
backup-20080524-235821-846 O2 - BHO: (no name) - {396F834C-7B1D-41C0-BB9A-23C2871EDCC9} - C:\WINDOWS\system32\nnnoMcbA.dll (file missing)
backup-20080524-235821-857 O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
backup-20080524-235821-877 O2 - BHO: (no name) - {E6581958-B13F-4B3A-AA7F-6000A3411C5F} - C:\WINDOWS\system32\urqNDTLb.dll (file missing)
backup-20080524-235821-894 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080524-235821-932 O24 - Desktop Component 0: (no name) - (no file)
backup-20080524-235821-933 O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
backup-20080524-235821-936 O2 - BHO: (no name) - {3FF5C030-F851-4C96-AB5F-DC12F0F15043} - C:\WINDOWS\system32\hgGywTLc.dll (file missing)
backup-20080524-235821-997 O2 - BHO: (no name) - {B3102264-D09D-4322-B625-503FBF18DD7E} - C:\WINDOWS\system32\xxyvuusR.dll (file missing)
backup-20080525-000002-142 O4 - HKLM\..\Run: [BM978c092d] Rundll32.exe "C:\WINDOWS\system32\sfpsblkg.dll",s
backup-20080525-000002-204 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080525-000002-488 O24 - Desktop Component 0: (no name) - (no file)
backup-20080525-011735-771 O24 - Desktop Component 0: (no name) - (no file)
backup-20080525-011735-992 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080525-024049-229 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
backup-20080525-024049-404 O24 - Desktop Component 0: (no name) - (no file)
backup-20080525-024049-610 O4 - HKLM\..\Run: [{75b4086e-464b-7af1-2a25-41ea92e3d567}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll" DllInit
backup-20080525-024232-411 O24 - Desktop Component 0: (no name) - (no file)
backup-20080525-024232-589 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
backup-20080525-031009-217 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
backup-20080525-031009-381 O24 - Desktop Component 0: (no name) - (no file)
backup-20080525-184239-214 O24 - Desktop Component 0: (no name) - (no file)
backup-20080525-184239-570 O4 - HKLM\..\Run: [{75b4086e-464b-7af1-2a25-41ea92e3d567}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll" DllInit
backup-20080525-184239-748 O2 - BHO: gooochi browser optimizer - {e9e9f2b9-b2bd-6c20-9bc5-482bce81f5e3} - C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll
backup-20080525-184239-819 O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
backup-20080525-191315-950 O24 - Desktop Component 0: (no name) - (no file)
backup-20080525-193223-480 O2 - BHO: {7a901220-111b-2768-7bd4-ad76f1039918} - {8199301f-67da-4db7-8672-b111022109a7} - C:\WINDOWS\system32\itsaqopw.dll (file missing)
backup-20080525-193408-574 O24 - Desktop Component 0: (no name) - (no file)
backup-20080525-195221-382 O24 - Desktop Component 0: (no name) - (no file)
backup-20080527-001728-303 O24 - Desktop Component 0: (no name) - (no file)
backup-20080527-003416-842 O24 - Desktop Component 0: (no name) - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R1 sscdbhk5 - c:\windows\system32\drivers\sscdbhk5.sys <Not Verified; VERITAS Software, Inc.; >
R1 ssrtln - c:\windows\system32\drivers\ssrtln.sys <Not Verified; VERITAS Software, Inc.; >
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 drvnddm - c:\windows\system32\drivers\drvnddm.sys <Not Verified; VERITAS Software, Inc.; >
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R2 tfsnboio - c:\windows\system32\dla\tfsnboio.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsncofs - c:\windows\system32\dla\tfsncofs.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsndrct - c:\windows\system32\dla\tfsndrct.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsndres - c:\windows\system32\dla\tfsndres.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnifs - c:\windows\system32\dla\tfsnifs.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnopio - c:\windows\system32\dla\tfsnopio.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnpool - c:\windows\system32\dla\tfsnpool.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnudf - c:\windows\system32\dla\tfsnudf.sys <Not Verified; VERITAS Software, Inc.; >
R2 tfsnudfa - c:\windows\system32\dla\tfsnudfa.sys <Not Verified; VERITAS Software, Inc.; >
R3 catchme - c:\docume~1\mindy\locals~1\temp\catchme.sys (file missing)

S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-27 00:54:47 0 d-------- C:\WINDOWS\ERUNT
2008-05-25 23:48:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-25 23:07:48 0 d-------- C:\Program Files\Spybot
2008-05-25 18:13:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-05-24 16:18:14 2624 --a------ C:\WINDOWS\system32\dgxrrmpe.exe
2008-05-24 15:59:30 0 d-------- C:\Documents and Settings\Mindy\Application Data\Desktopicon
2008-05-24 00:02:16 2624 --a------ C:\WINDOWS\system32\qktnsxxt.exe
2008-05-23 22:13:54 2624 --a------ C:\WINDOWS\system32\naviussx.exe
2008-05-23 20:24:41 2624 --a------ C:\WINDOWS\system32\ksaphepn.exe
2008-05-23 19:20:06 2624 --a------ C:\WINDOWS\system32\dlmtyuks.exe
2008-05-22 23:16:58 2624 --a------ C:\WINDOWS\system32\pufxxldr.exe
2008-05-21 23:26:32 2624 --a------ C:\WINDOWS\system32\jveqmrff.exe
2008-05-21 22:33:46 2624 --a------ C:\WINDOWS\system32\pshktmtw.exe
2008-05-21 17:18:39 0 d-------- C:\VundoFix
2008-05-20 23:01:47 2624 --a------ C:\WINDOWS\system32\fbvdgawd.exe
2008-05-19 20:53:57 2624 --a------ C:\WINDOWS\system32\vbdmeqro.exe
2008-05-19 16:43:23 0 d-------- C:\SIC_TrendMicroDiagnostic
2008-05-18 20:49:47 2112 --a------ C:\WINDOWS\system32\sqtxgnch.exe
2008-05-18 20:48:58 3648 --a------ C:\WINDOWS\system32\mgfcsjsg.dll
2008-05-17 20:36:51 2112 --a------ C:\WINDOWS\system32\huqvdthg.exe
2008-05-17 20:27:51 3648 --a------ C:\WINDOWS\system32\xxjpranf.dll
2008-05-16 20:31:20 2112 --a------ C:\WINDOWS\system32\hntkvvma.exe
2008-05-16 20:25:20 3648 --a------ C:\WINDOWS\system32\uoshguxy.dll
2008-05-14 22:29:55 2112 --a------ C:\WINDOWS\system32\yywfaqjr.exe
2008-05-14 22:23:59 3648 --a------ C:\WINDOWS\system32\gjfidxuh.dll
2008-05-13 18:39:09 2112 --a------ C:\WINDOWS\system32\jausoatn.exe
2008-05-13 07:38:36 3648 --a------ C:\WINDOWS\system32\flkfpptt.dll
2008-05-12 22:11:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-05-12 07:38:07 2112 --a------ C:\WINDOWS\system32\mkxqfkvd.exe
2008-05-11 01:05:34 0 d-------- C:\Documents and Settings\Mindy\.housecall6.6
2008-05-10 00:13:52 2112 --a------ C:\WINDOWS\system32\pshjrhxb.exe
2008-05-09 00:05:58 2112 --a------ C:\WINDOWS\system32\facrkghr.exe
2008-05-08 00:50:27 2048 --a------ C:\WINDOWS\system32\vilwrdpb.exe
2008-05-08 00:45:16 105984 --a------ C:\WINDOWS\system32\fsmfvnfp.dll
2008-05-08 00:44:22 1040561 --ahs---- C:\WINDOWS\system32\XwabLRqr.ini2
2008-05-07 00:22:48 2112 --a------ C:\WINDOWS\system32\gfbtgjaa.exe
2008-05-07 00:19:33 417933 --ahs---- C:\WINDOWS\system32\tAHOonmp.ini2
2008-05-06 23:16:26 10752 --a------ C:\WINDOWS\DCEBoot.exe
2008-05-05 12:25:18 329728 --a------ C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll
2008-05-04 05:26:41 416115 --ahs---- C:\WINDOWS\system32\bIiSCJjl.ini2
2008-05-03 22:00:06 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-03 21:59:59 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-03 21:59:57 87979 --a------ C:\WINDOWS\lfn.exe <Not Verified; Microsoft; XML Media>
2008-05-02 22:26:02 400023 --a------ C:\Documents and Settings\Mindy\g50.exe
2008-05-01 18:44:50 298306 --a------ C:\Documents and Settings\Mindy\gside.exe
2008-04-28 07:51:15 0 d-------- C:\Documents and Settings\NetworkService\Start Menu

-- Find3M Report ---------------------------------------------------------------

2008-05-26 00:32:14 0 d-------- C:\Program Files\Common Files
2008-05-25 18:13:04 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-25 18:11:41 0 d-------- C:\Documents and Settings\Mindy\Application Data\AdobeUM
2008-05-18 21:50:42 0 d-------- C:\Program Files\Google
2008-05-04 02:06:13 0 d-------- C:\Program Files\WildTangent
2008-05-04 00:02:40 0 d-------- C:\Program Files\Common Files\AOL
2008-05-03 21:51:35 79072 --a------ C:\Documents and Settings\Mindy\Application Data\GDIPFONTCACHEV1.DAT
2008-05-03 20:23:09 17177 --a------ C:\WINDOWS\system32\nvModes.dat
2008-04-05 02:44:09 935 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-03-12 07:58:14 200766 --a------ C:\WINDOWS\system32\kwinnldo.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [12/15/2006 08:51 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/14/2005 01:08 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/13/2006 04:20 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 05:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGvssPJ

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photags AutoDetect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photags AutoDetect.lnk
backup=C:\WINDOWS\pss\Photags AutoDetect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mindy^Start Menu^Programs^Startup^Connection Manager.lnk]
path=C:\Documents and Settings\Mindy\Start Menu\Programs\Startup\Connection Manager.lnk
backup=C:\WINDOWS\pss\Connection Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mindy^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Mindy\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mindy^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Mindy\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\94bf3ab1]
rundll32.exe "C:\WINDOWS\system32\pcuijhrm.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM978c092d]
Rundll32.exe "C:\WINDOWS\system32\jcoxvaxq.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\kwinnldo.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\horykyf]
C:\Program Files\Windows Media Player\horykyf22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll" DllInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
"C:\PROGRA~1\COMMON~1\ASEMBL~1\fast.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{75b4086e-464b-7af1-2a25-41ea92e3d567}]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll" DllInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F3-3A-A1-1E-ZN}]
C:\WINDOWS\system32\kmdsrngj.exe CHD003

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

-- End of Deckard's System Scanner: finished at 2008-05-27 01:25:25 ------------

#5
SchoolWorker

Posted 27 May 2008 - 04:14 PM

Member

Topic Starter
Member
18 posts

Lastly, here are the results of DSS extra.txt :
(Sorry it took me so long to respond but my computer won't load those programs, because the trojan blocks all antivirus websites. So I had to find other computers to download from). I still have the same symptoms: websites blocked and search engine results are hijacked. Do any of these logs give you any ideas of how to proceed?

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 2.00GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 1023.4 MiB / 441.44 MiB
Pagefile Memory (total/avail): 2460.43 MiB / 1950.93 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.01 MiB

C: is Fixed (NTFS) - 55.83 GiB total, 8.46 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Hitachi HTS721060G9AT00 - 55.89 GiB - 2 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 55.83 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: PC-cillin Internet Security - Firewall v14 (Trend Micro, Inc.)
AV: PC-cillin Internet Security - Virus Protection v14.60.1198 (Trend Micro, Inc.) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mindy\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=M170LAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mindy
LOGONSERVER=\\M170LAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mindy\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mindy\LOCALS~1\Temp
USERDOMAIN=M170LAPTOP
USERNAME=Mindy
USERPROFILE=C:\Documents and Settings\Mindy
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI

-- User Profiles ---------------------------------------------------------------

Mindy (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{95D9B4D8-B091-4fab-80EA-313EB4B82FD6}
--> MsiExec.exe /I{EB997E90-5EB0-4eb5-90D0-90B1D2F0CA03}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe PhotoDeluxe Home Edition 4.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\PhotoDeluxe Home Edition 4.0\Uninst.isu"
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Arc Hydro Tools --> C:\PROGRA~1\ESRI\ArcHydro\UNWISE.EXE C:\PROGRA~1\ESRI\ArcHydro\INSTALL.LOG
ArcGIS Desktop --> MsiExec.exe /I{40F8FD5F-4701-48D6-A8FC-1F188007DF38}
ArcGIS Tutorial Data --> MsiExec.exe /I{E0CA85B5-113A-4E76-A018-6D7ECE65767D}
ArcView 3D Analyst --> C:\WINDOWS\uninst.exe -fC:\ESRI\AV_GIS30\arcview\DeIsL4.isu
ArcView GIS 3.2 --> C:\WINDOWS\uninst.exe -fC:\ESRI\AV_GIS30\ARCVIEW\DeIsL2.isu
ArcView GIS Version 3.1 --> C:\WINDOWS\uninst.exe -fC:\ESRI\AV_GIS30\ARCVIEW\DeIsL1.isu
ArcView Image Analysis --> C:\WINDOWS\uninst.exe -fC:\ESRI\AV_GIS30\arcview\DeIsL5.isu
ArcView Spatial Analyst --> C:\WINDOWS\uninst.exe -fC:\ESRI\AV_GIS30\arcview\DeIsL3.isu
Broadcom Advanced Control Suite 2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{64A77F14-0E08-4A97-A859-E93CFF428756} /l1033
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Corel Paint Shop Pro X --> MsiExec.exe /I{1A15507A-8551-4626-915D-3D5FA095CC1B}
Crystal Reports for ESRI --> MsiExec.exe /I{7505DE9C-4E85-4636-82F0-50F38077B900}
Dell CinePlayer --> MsiExec.exe /I{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Game Console --> "C:\Program Files\WildTangent\Apps\Dell Game Console\Uninstall.exe"
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
DNRGarmin --> MsiExec.exe /I{6509815E-F16B-4804-B9B3-86DAC560BA43}
EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
ELIcon --> MsiExec.exe /I{4667B940-BB01-428B-986E-A0CC46497BF7}
Enhancement Browser Tools Gooochi --> C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll-uninst.exe
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
ESRI Software Documentation Library --> MsiExec.exe /I{0169C189-FB39-4756-B9A3-6B816C52357D}
ET GeoWizards 9.6 --> C:\Program Files\ET GeoWizards 9.6\uninstall.exe
EZMapper9 Installation v2.0 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\OrAoLib_EZMapper\ST6UNST.LOG"
FFI --> MsiExec.exe /I{3DB9E514-DCCF-4EB6-B243-B4086FB37CCC}
FireFamily Plus --> C:\fsapps\fsprod\fam\FIREFA~1\UNWISE.EXE C:\fsapps\fsprod\fam\FIREFA~1\INSTALL.LOG
Free MP3 Converter --> "C:\Program Files\FreeMP3converter\Uninstall.exe" "C:\Program Files\FreeMP3converter\install.log"
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Get High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
GPS Pathfinder Office --> C:\Program Files\InstallShield Installation Information\{530BD8A7-349B-45BB-AFA5-B5BCA6321BA1}\setup.exe -runfromtemp -l0x0409
GPS Pathfinder Office --> MsiExec.exe /I{530BD8A7-349B-45BB-AFA5-B5BCA6321BA1}
HijackThis 2.0.2 --> "C:\Documents and Settings\Mindy\Local Settings\Temporary Internet Files\Content.IE5\59K2CZX3\HijackThis.exe" /uninstall
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
MP3 WAV Converter 2.68 --> C:\PROGRA~1\MP3WAV~1\UNWISE.EXE C:\PROGRA~1\MP3WAV~1\INSTALL.LOG
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mToolkit --> MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}
Multimedia Xplorer 2 --> C:\Program Files\Multimedia Xplorer 2\Uninstall.exe C:\PROGRA~1\MULTIM~1\Install.log
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Paint Shop Pro Shareware Version 3.12 - 32 Bit --> C:\WINDOWS\UNWISE.EXE C:\PSP\INSTALL.LOG "Paint Shop Pro Shareware 3.12 - 32 bit Uninstall"
PhoTags Express --> C:\PROGRA~1\PHOTAG~1\Setup.exe /remove /q0
Python 2.1 --> C:\Python21\\Python21\UNWISE.EXE C:\Python21\\Python21\INSTALL.LOG
Python 2.1 combined Win32 extensions --> C:\Python21\UNWISE~1.EXE C:\Python21\w32inst.log
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Roxio RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sampling_Tool --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Random_Sample\ST6UNST.LOG"
Search Assist --> MsiExec.exe /X{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}
SnagIt 8 --> MsiExec.exe /I{0AEA9ECE-2AD0-4DF0-932E-F0AC6B771749}
Sonic Activation Module --> MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot\Spybot - Search & Destroy\unins000.exe"
Trend Micro PC-cillin Internet Security 14 --> C:\PROGRA~1\TRENDM~1\INTERN~1\remove.exe
Trend Micro PC-cillin Internet Security 14 --> MsiExec.exe /X{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}
Unlocker 1.8.7 --> C:\Program Files\Unlocker\uninst.exe
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Windows Live Mail desktop --> MsiExec.exe /I{1C9F7252-3D80-4516-8055-BE19056A7C0F}
Windows XP Media Center Edition 2005 KB908246 --> "C:\WINDOWS\$NtUninstallKB908246$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB908250 -->
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}

-- Application Event Log -------------------------------------------------------

Event Record #/Type1017 / Warning
Event Submitted/Written: 05/27/2008 01:10:26 AM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.

Event Record #/Type980 / Warning
Event Submitted/Written: 05/27/2008 00:38:14 AM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.

Event Record #/Type940 / Warning
Event Submitted/Written: 05/26/2008 11:35:29 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance SQLEXPRESS is not valid.

Event Record #/Type919 / Error
Event Submitted/Written: 05/26/2008 11:24:41 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 628216832.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type918 / Error
Event Submitted/Written: 05/26/2008 11:24:35 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spybotsd.exe, version 1.5.2.20, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.
Processing media-specific event for [spybotsd.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type41100 / Error
Event Submitted/Written: 05/27/2008 01:11:30 AM
Event ID/Source: 30013 / ipnathlp
Event Description:
The DHCP allocator has disabled itself on IP address 76.7.33.127,
since the IP address is outside the 192.168.0.0/255.255.255.0 scope
from which addresses are being allocated to DHCP clients.
To enable the DHCP allocator on this IP address,
please change the scope to include the IP address,
or change the IP address to fall within the scope.

Event Record #/Type41078 / Error
Event Submitted/Written: 05/27/2008 00:54:22 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
APPDRV
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
tmtdi

Event Record #/Type41077 / Error
Event Submitted/Written: 05/27/2008 00:54:22 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error:
%%31

Event Record #/Type41076 / Error
Event Submitted/Written: 05/27/2008 00:54:22 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type41075 / Error
Event Submitted/Written: 05/27/2008 00:54:22 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

-- End of Deckard's System Scanner: finished at 2008-05-27 01:25:25 ------------

#6
Rorschach112

Posted 27 May 2008 - 04:16 PM

Ralphie

Retired Staff
47,710 posts

Hello

You have two firewalls, so you need to disable Windows firewall

1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click Off (not recommended), and then click OK.

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O24 - Desktop Component 0: (no name) - (no file)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clbdll.dll 
C:\WINDOWS\system32\clbinit.dll 
C:\WINDOWS\system32\dgxrrmpe.exe
C:\Documents and Settings\Mindy\Application Data\Desktopicon
C:\WINDOWS\system32\qktnsxxt.exe
C:\WINDOWS\system32\naviussx.exe
C:\WINDOWS\system32\ksaphepn.exe
C:\WINDOWS\system32\dlmtyuks.exe
C:\WINDOWS\system32\pufxxldr.exe
C:\WINDOWS\system32\jveqmrff.exe
C:\WINDOWS\system32\pshktmtw.exe
C:\VundoFix
C:\WINDOWS\system32\fbvdgawd.exe
C:\WINDOWS\system32\vbdmeqro.exe
C:\WINDOWS\system32\sqtxgnch.exe
C:\WINDOWS\system32\mgfcsjsg.dll
C:\WINDOWS\system32\huqvdthg.exe
C:\WINDOWS\system32\xxjpranf.dll
C:\WINDOWS\system32\hntkvvma.exe
C:\WINDOWS\system32\uoshguxy.dll
C:\WINDOWS\system32\yywfaqjr.exe
C:\WINDOWS\system32\gjfidxuh.dll
C:\WINDOWS\system32\jausoatn.exe
C:\WINDOWS\system32\flkfpptt.dll
C:\WINDOWS\system32\mkxqfkvd.exe
C:\WINDOWS\system32\pshjrhxb.exe
C:\WINDOWS\system32\facrkghr.exe
C:\WINDOWS\system32\vilwrdpb.exe
C:\WINDOWS\system32\fsmfvnfp.dll
C:\WINDOWS\system32\XwabLRqr.ini2
C:\WINDOWS\system32\gfbtgjaa.exe
C:\WINDOWS\system32\tAHOonmp.ini2
C:\WINDOWS\DCEBoot.exe
C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll
C:\WINDOWS\system32\bIiSCJjl.ini2
C:\Documents and Settings\Mindy\g50.exe
C:\Documents and Settings\Mindy\gside.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\kwinnldo.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mindy^Start Menu^Programs^Startup^Deewoo.lnk
C:\Documents and Settings\Mindy\Start Menu\Programs\Startup\Deewoo.lnk
C:\WINDOWS\pss\Deewoo.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mindy^Start Menu^Programs^Startup^TA_Start.lnk
C:\Documents and Settings\Mindy\Start Menu\Programs\Startup\TA_Start.lnk
C:\WINDOWS\pss\TA_Start.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\94bf3ab1
C:\WINDOWS\system32\pcuijhrm.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM978c092d
C:\WINDOWS\system32\jcoxvaxq.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched
C:\WINDOWS\system32\kwinnldo.exe 
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\horykyf
C:\Program Files\Windows Media Player\horykyf22011.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spa_start
C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol
C:\PROGRA~1\COMMON~1\ASEMBL~1\fast.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{75b4086e-464b-7af1-2a25-41ea92e3d567}
C:\WINDOWS\system32\{11c05ee8-f8f2-19d5-ae81-0b5173b380e0}.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{F3-3A-A1-1E-ZN}
C:\WINDOWS\system32\kmdsrngj.exe CHD003
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}
E:\setup.exe
purity 
[start explorer]

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Reboot and post a new DSS log

#7
SchoolWorker

Posted 27 May 2008 - 05:10 PM

Member

Topic Starter
Member
18 posts

I have turned off Windows Firewall, but I'm not having good luck with the other instructions.

1) I used "Fix checked" on the 024 - Desktop Component 0, but it keeps showing up.

2) The trojan won't let my PC load the Virustotal website, so I wanted to copy the clbcatq.dll onto a thumb-drive and send it on a computer that CAN connect. But that file doesn't exist on my PC. I found that Uninstall folder, but none of the .dlls inside it are named "clbcatq"
???

3) I put OTMoveIt2.exe on my desktop but it won't run... I double-click it, but nothing happens at all. So I put it in the C:\ProgramFiles, but still nothing happens when I run it.

Also, the Geeks2Go website is being blocked by the trojan, too. I have to get on a different PC to talk to you.

Edited by SchoolWorker, 27 May 2008 - 05:14 PM.

#8
Rorschach112

Posted 27 May 2008 - 05:16 PM

Ralphie

Retired Staff
47,710 posts

Ok lets bring out the big guns

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#9
SchoolWorker

Posted 28 May 2008 - 02:04 PM

Member

Topic Starter
Member
18 posts

I got the file for Windows XP Recovery and I put ComboFix.exe on the desktop but it won't run either. I double-click, but nothing happens. OK, now I am beginning to panic.

Is it possible one of the earlier spyware programs is conflicting with these new tools?
????

#10
Rorschach112

Posted 28 May 2008 - 02:37 PM

Ralphie

Retired Staff
47,710 posts

ComboFix doesn't work when you try it ?

Can you close all security programs, re-download it, and try run it again

If that fails, try it in Safe Mode

#11
SchoolWorker

Posted 28 May 2008 - 03:45 PM

Member

Topic Starter
Member
18 posts

Still no luck. Both firewalls are turned off (Windows and PCcillin). I exited Spybot which seems to run in the system tray at every startup, and turned off PCcillin realtime protection. I deleted the old ComboFix.exe and WindowsRecovery icons and added them again. But when I double-click ComboFix.exe, nothing happens at all. I even let it set 20 minutes. I also rebooted in safe mode, but still nothing happens.

I read that clicking elsewhere after you start ComboFix.exe could cause it to stall, so I was careful not to click anything else after double-clicking it.

I can open other files on the desktop, just not ComboFix.exe (nor OTMoveIt2.exe from yesterday).

#12
Rorschach112

Posted 28 May 2008 - 04:16 PM

Ralphie

Retired Staff
47,710 posts

Hello

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log by using Add/Reply

#13
SchoolWorker

Posted 28 May 2008 - 04:29 PM

Member

Topic Starter
Member
18 posts

I am nervous to try this... the letters keep changing to this:

Files to delete:
C:\WINDOWS\system32\drivers\vmdesched.sys
C:\WINDOWS\system32\cdosys.dll
C:\WINDOWS\system32\clbinit.dll

They change right after the paste. Is that supposed to happen????

#14
Rorschach112

Posted 28 May 2008 - 04:31 PM

Ralphie

Retired Staff
47,710 posts

Leave that for the time being

Do this

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Also post a new DSS log

#15
Rorschach112

Posted 28 May 2008 - 04:34 PM

Ralphie

Retired Staff
47,710 posts

Can you do this as well, delete ComboFix.exe and do the following

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.