Hijackthis Log file - VirusRemover2008 [RESOLVED]
#1
Dang19 (Member, 23 posts)
First time caller, first time listener. I downloaded a file I shouldn't have :) and now I am in big trouble.
The virus has taken over my main administrator profile (Windows XP) and I am using another admin profile, but am locked out of many things. I have no IE and am using portable Firefox. I am unable to reformat, the CD is inaccessible, and the list goes on. I get tons of pop-ups regarding free virus scans (I clicked on one thinking it was one I had installed :), and I am unable to boot off the CD.
Anyway, I'm pretty screwed here and as a last resort I will have to buy a new hard drive and start over. But I thought I'd try one last shot with my HJT log.

Any help would be great:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:56 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\VirusRemover2008\VRM2008.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: rafbsvnx - {2F398AF7-F1A1-4D9E-92E9-36A94898D559} - C:\WINDOWS\rafbsvnx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\Free KGB Key Logger\winlogons.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VirusRemover2008] C:\Program Files\VirusRemover2008\VRM2008.exe
O4 - HKLM\..\Run: [3c388be9] rundll32.exe "C:\WINDOWS\system32\iecgcrhw.dll",b
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAuto/commonActiveX/smsx.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107988820193
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/msxml4.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O20 - AppInit_DLLs: pwtvjh.dll
O21 - SSODL: tsxngabr - {F5090D44-3C1D-4906-9B2A-63206CA02D48} - C:\WINDOWS\tsxngabr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 10320 bytes


#2
fenzodahl512 (Malware Removal, 9,863 posts)
Hello, my name is fenzodahl512 and welcome to Geekstogo.. Don't use code/quote tags in your logs.. Just post them as they are.. Please do the following...


Please visit the webpage below for instructions on downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.

#3
Dang19 (Topic Starter, Member, 23 posts)
Hello Fenzodahl512,

Sorry for the code brackets (nub here). My system is a bit better but I'm still limping along. I can't make an attachment (using portable Firefox), so I hope a straight paste will work for the files....
(I can't begin to thank you for your help!!!)

ComboFix 08-08-24.03 - dan 2008-08-25 18:06:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.189 [GMT -7:00]
Running from: C:\Documents and Settings\dan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\dan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects(2)\N8ACCSNQ\interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects(2)\N8ACCSNQ\interclick.com\ud.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VQ4KBLWB\interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VQ4KBLWB\interclick.com\ud.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@turn[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Desktop\Error Cleaner.url
C:\Documents and Settings\Administrator\Desktop\Privacy Protector.url
C:\Documents and Settings\Administrator\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Administrator\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\All Users\Application Data\Secure Solutions
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
C:\Documents and Settings\dan\Desktop\Error Cleaner.url
C:\Documents and Settings\dan\Desktop\Privacy Protector.url
C:\Documents and Settings\dan\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\dan\Favorites\Error Cleaner.url
C:\Documents and Settings\dan\Favorites\Privacy Protector.url
C:\Documents and Settings\dan\Favorites\Spyware&Malware Protection.url
C:\Program Files\VirusRemover2008
C:\Program Files\VirusRemover2008\Viruses.bdt
C:\Program Files\VirusRemover2008\VRM2008.exe
C:\Program Files\winupdates
C:\WINDOWS\ertl.exe
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rafbsvnx.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\DdKkRXyb.ini
C:\WINDOWS\system32\DdKkRXyb.ini2
C:\WINDOWS\system32\iecgcrhw.dll
C:\WINDOWS\system32\mlJCVoLe.dll
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\pwtvjh.dll
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\skngaxhp.dll
C:\WINDOWS\system32\ssqNHwTl.dll
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\tsxngabr.dll
C:\WINDOWS\twmxbsqrlst.dll
C:\WINDOWS\vtqnxfko.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IPRIP
-------\Service_6to4
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-25 18:01 . 2008-08-25 18:01 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-24 20:33 . 2008-08-24 20:49 <DIR> d-------- C:\Documents and Settings\dan\.housecall6.6
2008-08-24 18:49 . 2008-08-25 17:39 594 --ahs---- C:\WINDOWS\system32\whrcgcei.ini
2008-08-24 14:59 . 2008-08-24 14:59 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Logitech
2008-08-24 14:58 . 2008-08-24 14:58 <DIR> d-------- C:\Documents and Settings\dan\Application Data\TmpRecentIcons
2008-08-24 14:58 . 2008-08-24 14:58 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Sonic
2008-08-24 14:50 . 2008-08-24 14:50 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Ipswitch
2008-08-24 14:40 . 2008-08-25 17:56 <DIR> d-------- C:\Documents and Settings\dan
2008-08-22 22:26 . 2008-08-22 22:26 323,328 --a------ C:\WINDOWS\system32\byXRkKdD.dll
2008-08-22 22:22 . 2008-08-22 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-22 22:20 . 2008-08-22 22:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-08-22 22:20 . 2008-08-22 20:54 86,016 --a------ C:\WINDOWS\tqwolser.exe
2008-08-22 19:51 . 2008-08-22 22:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-21 21:31 . 2008-08-21 21:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\tinySpell
2008-08-18 18:49 . 2008-08-18 18:49 <DIR> d-------- C:\Program Files\FreeMind
2008-08-18 18:49 . 2008-08-18 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\.freemind
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\Program Files\MSBuild
2008-08-17 20:19 . 2008-08-17 20:20 <DIR> d-------- C:\df8a2e723e3378c879d7787aa2c84c7f
2008-08-17 20:19 . 2008-07-06 05:06 1,676,288 --a------ C:\WINDOWS\system32\xpssvcs.dll
2008-08-17 20:19 . 2008-07-06 05:06 1,676,288 -----c--- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2008-08-17 20:19 . 2008-07-06 03:50 597,504 -----c--- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2008-08-17 20:19 . 2008-07-06 05:06 575,488 --a------ C:\WINDOWS\system32\xpsshhdr.dll
2008-08-17 20:19 . 2008-07-06 05:06 575,488 -----c--- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2008-08-17 20:19 . 2008-07-06 05:06 117,760 --a------ C:\WINDOWS\system32\prntvpt.dll
2008-08-17 20:19 . 2008-07-06 05:06 89,088 -----c--- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2008-08-17 20:12 . 2008-08-17 20:12 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-29 21:10 . 2008-07-29 21:10 493,048 --a------ C:\WINDOWS\system32\evr.dll
2008-07-29 21:10 . 2008-07-29 21:10 73,720 --a------ C:\WINDOWS\system32\dxva2.dll
2008-07-29 21:10 . 2008-07-29 21:10 26,112 --a------ C:\WINDOWS\system32\TsWpfWrp.exe
2008-07-29 20:35 . 2008-07-29 20:35 326,160 --a------ C:\WINDOWS\system32\PresentationHost.exe
2008-07-29 19:59 . 2008-07-29 19:59 781,344 --a------ C:\WINDOWS\system32\PresentationNative_v0300.dll
2008-07-29 19:59 . 2008-07-29 19:59 161,296 --a------ C:\WINDOWS\system32\UIAutomationCore.dll
2008-07-29 19:59 . 2008-07-29 19:59 105,016 --a------ C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2008-07-29 19:59 . 2008-07-29 19:59 43,544 --a------ C:\WINDOWS\system32\PresentationHostProxy.dll
2008-07-29 19:24 . 2008-07-29 19:24 622,080 --a------ C:\WINDOWS\system32\icardagt.exe
2008-07-29 19:24 . 2008-07-29 19:24 97,800 --a------ C:\WINDOWS\system32\infocardapi.dll
2008-07-29 19:24 . 2008-07-29 19:24 37,384 --a------ C:\WINDOWS\system32\infocardcpl.cpl
2008-07-29 19:24 . 2008-07-29 19:24 11,264 --a------ C:\WINDOWS\system32\icardres.dll
2008-07-29 05:49 . 2008-07-29 05:49 586,240 --a------ C:\WINDOWS\system32\icardres.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 01:10 8,691,744 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-26 00:56 102,500 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-25 02:20 --------- d-----w C:\Program Files\LimeWire
2008-08-25 00:47 --------- d-----w C:\Program Files\Trend Micro
2008-08-24 20:30 160,256 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-08-24 20:30 1,588,224 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-08-24 20:27 1,588,224 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-08-24 16:43 --------- d-----w C:\Program Files\ewido anti-malware
2008-08-19 01:39 228,864 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-08-11 00:48 --------- d-----w C:\Program Files\NCH Swift Sound
2008-08-09 16:53 1,452,544 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-08-09 16:52 736,768 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-25 18:16 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2008-07-25 18:16 83,968 ----a-w C:\WINDOWS\system32\mscories.dll
2008-07-25 18:16 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2008-07-25 18:16 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2008-07-25 03:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NETg
2008-07-21 03:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-21 03:32 --------- d-----w C:\Program Files\Windows Media Connect
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-17 03:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-17 03:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-11 03:36 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-07-11 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-11 03:33 --------- d-----w C:\Program Files\Zone Labs
2008-07-10 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-07-10 02:15 --------- d-----w C:\Program Files\3ivx
2008-07-09 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 16:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-06 04:40 --------- d-----w C:\Program Files\iTunes
2008-07-06 04:40 --------- d-----w C:\Program Files\iPod
2008-07-06 04:37 --------- d-----w C:\Program Files\QuickTime
2008-07-06 04:37 --------- d-----w C:\Program Files\Bonjour
2008-07-06 04:33 --------- d-----w C:\Program Files\Apple Software Update
2008-07-06 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 05:29 --------- d-----w C:\Program Files\Google
2008-07-04 05:23 --------- d-----w C:\Program Files\Java
2008-07-04 04:49 --------- d-----w C:\Program Files\Hamachi
2008-07-04 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Hamachi
2008-07-04 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-04 04:44 --------- d-----w C:\Program Files\iTunes(2)
2008-07-04 04:42 --------- d-----w C:\Program Files\Apple Software Update(2)
2008-07-04 04:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-04 04:41 --------- d-----w C:\Program Files\Yahoo!
2008-07-04 04:41 --------- d-----w C:\Program Files\ClickClean
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-02-17 18:37 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-02-17 18:37 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E18F4F28-E7C1-4EE8-BA68-8F925BDFF57D}]
2008-08-22 22:26 323328 --a------ C:\WINDOWS\system32\byXRkKdD.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 10:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 10:02 126976]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 19:04 155648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 12:26 606208]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-10 12:04 180269]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 14:01 28160 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 01:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-12-07 12:27:10 25214]
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2006-01-07 16:18:49 299008]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-25 22:40:27 438272]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2006-02-10 22:21:21 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pwtvjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-10 12:04 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2004-08-12 06:36]
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 04:12]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S4 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2004-06-15 11:06]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 15:14]
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys [2003-02-24 11:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{894aaa90-6cfe-11db-b59e-0014a53c0a27}]
\Shell\AutoRun\command - autorun.bat
.
Contents of the 'Scheduled Tasks' folder

2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{2F398AF7-F1A1-4D9E-92E9-36A94898D559} - C:\WINDOWS\rafbsvnx.dll
HKLM-Run-winlogons.exe - C:\Program Files\Free KGB Key Logger\winlogons.exe
HKLM-Run-VirusRemover2008 - C:\Program Files\VirusRemover2008\VRM2008.exe
HKLM-Run-3c388be9 - C:\WINDOWS\system32\iecgcrhw.dll
HKLM-Run-WheelMouse - Amoumain.exe
MSConfigStartUp-Aim6 - C:\Program Files\AIM6\aim6.exe
MSConfigStartUp-AOL Spyware Protection - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-Countdown Pro - C:\Program Files\Countdown Pro 2\Countdown Pro.exe
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1133845239\EE\AOLHostManager.exe
MSConfigStartUp-Pure Networks Port Magic - C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

- C:\WINDOWS\Downloaded Program Files\smsx.inf
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 18:09:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 18:11:39
ComboFix-quarantined-files.txt 2008-08-26 01:11:21

Pre-Run: 16,069,152,768 bytes free
Post-Run: 16,035,504,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

314 --- E O F --- 2008-08-18 20:32:40

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17, on 2008-08-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://softwarerefer...=...6Ojg5&lid=2
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farme...ctiveX/smsx.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107988820193
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://eagent.farme...iveX/msxml4.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - AppInit_DLLs: pwtvjh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9555 bytes

#4
Dang19 (Member, Topic Starter, 23 posts)

Hello Fenzodahl512,

Sorry for the code brackets (nub here). My system is a bit better, but I'm still limping along. I can't make an attachment (using portable FireFox), so I hope a straight paste will work for the files....
(I can't begin to thank you for your help!!!)

ComboFix 08-08-24.03 - dan 2008-08-25 18:06:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.189 [GMT -7:00]
Running from: C:\Documents and Settings\dan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\dan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects(2)\N8ACCSNQ\interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects(2)\N8ACCSNQ\interclick.com\ud.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VQ4KBLWB\interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VQ4KBLWB\interclick.com\ud.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@turn[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Desktop\Error Cleaner.url
C:\Documents and Settings\Administrator\Desktop\Privacy Protector.url
C:\Documents and Settings\Administrator\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Administrator\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\All Users\Application Data\Secure Solutions
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
C:\Documents and Settings\dan\Desktop\Error Cleaner.url
C:\Documents and Settings\dan\Desktop\Privacy Protector.url
C:\Documents and Settings\dan\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\dan\Favorites\Error Cleaner.url
C:\Documents and Settings\dan\Favorites\Privacy Protector.url
C:\Documents and Settings\dan\Favorites\Spyware&Malware Protection.url
C:\Program Files\VirusRemover2008
C:\Program Files\VirusRemover2008\Viruses.bdt
C:\Program Files\VirusRemover2008\VRM2008.exe
C:\Program Files\winupdates
C:\WINDOWS\ertl.exe
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rafbsvnx.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\DdKkRXyb.ini
C:\WINDOWS\system32\DdKkRXyb.ini2
C:\WINDOWS\system32\iecgcrhw.dll
C:\WINDOWS\system32\mlJCVoLe.dll
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\pwtvjh.dll
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\skngaxhp.dll
C:\WINDOWS\system32\ssqNHwTl.dll
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\tsxngabr.dll
C:\WINDOWS\twmxbsqrlst.dll
C:\WINDOWS\vtqnxfko.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IPRIP
-------\Service_6to4
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-25 18:01 . 2008-08-25 18:01 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-24 20:33 . 2008-08-24 20:49 <DIR> d-------- C:\Documents and Settings\dan\.housecall6.6
2008-08-24 18:49 . 2008-08-25 17:39 594 --ahs---- C:\WINDOWS\system32\whrcgcei.ini
2008-08-24 14:59 . 2008-08-24 14:59 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Logitech
2008-08-24 14:58 . 2008-08-24 14:58 <DIR> d-------- C:\Documents and Settings\dan\Application Data\TmpRecentIcons
2008-08-24 14:58 . 2008-08-24 14:58 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Sonic
2008-08-24 14:50 . 2008-08-24 14:50 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Ipswitch
2008-08-24 14:40 . 2008-08-25 17:56 <DIR> d-------- C:\Documents and Settings\dan
2008-08-22 22:26 . 2008-08-22 22:26 323,328 --a------ C:\WINDOWS\system32\byXRkKdD.dll
2008-08-22 22:22 . 2008-08-22 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-22 22:20 . 2008-08-22 22:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-08-22 22:20 . 2008-08-22 20:54 86,016 --a------ C:\WINDOWS\tqwolser.exe
2008-08-22 19:51 . 2008-08-22 22:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-21 21:31 . 2008-08-21 21:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\tinySpell
2008-08-18 18:49 . 2008-08-18 18:49 <DIR> d-------- C:\Program Files\FreeMind
2008-08-18 18:49 . 2008-08-18 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\.freemind
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\Program Files\MSBuild
2008-08-17 20:19 . 2008-08-17 20:20 <DIR> d-------- C:\df8a2e723e3378c879d7787aa2c84c7f
2008-08-17 20:19 . 2008-07-06 05:06 1,676,288 --a------ C:\WINDOWS\system32\xpssvcs.dll
2008-08-17 20:19 . 2008-07-06 05:06 1,676,288 -----c--- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2008-08-17 20:19 . 2008-07-06 03:50 597,504 -----c--- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2008-08-17 20:19 . 2008-07-06 05:06 575,488 --a------ C:\WINDOWS\system32\xpsshhdr.dll
2008-08-17 20:19 . 2008-07-06 05:06 575,488 -----c--- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2008-08-17 20:19 . 2008-07-06 05:06 117,760 --a------ C:\WINDOWS\system32\prntvpt.dll
2008-08-17 20:19 . 2008-07-06 05:06 89,088 -----c--- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2008-08-17 20:12 . 2008-08-17 20:12 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-29 21:10 . 2008-07-29 21:10 493,048 --a------ C:\WINDOWS\system32\evr.dll
2008-07-29 21:10 . 2008-07-29 21:10 73,720 --a------ C:\WINDOWS\system32\dxva2.dll
2008-07-29 21:10 . 2008-07-29 21:10 26,112 --a------ C:\WINDOWS\system32\TsWpfWrp.exe
2008-07-29 20:35 . 2008-07-29 20:35 326,160 --a------ C:\WINDOWS\system32\PresentationHost.exe
2008-07-29 19:59 . 2008-07-29 19:59 781,344 --a------ C:\WINDOWS\system32\PresentationNative_v0300.dll
2008-07-29 19:59 . 2008-07-29 19:59 161,296 --a------ C:\WINDOWS\system32\UIAutomationCore.dll
2008-07-29 19:59 . 2008-07-29 19:59 105,016 --a------ C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2008-07-29 19:59 . 2008-07-29 19:59 43,544 --a------ C:\WINDOWS\system32\PresentationHostProxy.dll
2008-07-29 19:24 . 2008-07-29 19:24 622,080 --a------ C:\WINDOWS\system32\icardagt.exe
2008-07-29 19:24 . 2008-07-29 19:24 97,800 --a------ C:\WINDOWS\system32\infocardapi.dll
2008-07-29 19:24 . 2008-07-29 19:24 37,384 --a------ C:\WINDOWS\system32\infocardcpl.cpl
2008-07-29 19:24 . 2008-07-29 19:24 11,264 --a------ C:\WINDOWS\system32\icardres.dll
2008-07-29 05:49 . 2008-07-29 05:49 586,240 --a------ C:\WINDOWS\system32\icardres.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 01:10 8,691,744 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-26 00:56 102,500 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-25 02:20 --------- d-----w C:\Program Files\LimeWire
2008-08-25 00:47 --------- d-----w C:\Program Files\Trend Micro
2008-08-24 20:30 160,256 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-08-24 20:30 1,588,224 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-08-24 20:27 1,588,224 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-08-24 16:43 --------- d-----w C:\Program Files\ewido anti-malware
2008-08-19 01:39 228,864 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-08-11 00:48 --------- d-----w C:\Program Files\NCH Swift Sound
2008-08-09 16:53 1,452,544 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-08-09 16:52 736,768 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-25 18:16 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2008-07-25 18:16 83,968 ----a-w C:\WINDOWS\system32\mscories.dll
2008-07-25 18:16 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2008-07-25 18:16 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2008-07-25 03:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NETg
2008-07-21 03:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-21 03:32 --------- d-----w C:\Program Files\Windows Media Connect
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-17 03:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-17 03:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-11 03:36 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-07-11 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-11 03:33 --------- d-----w C:\Program Files\Zone Labs
2008-07-10 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-07-10 02:15 --------- d-----w C:\Program Files\3ivx
2008-07-09 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 16:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-06 04:40 --------- d-----w C:\Program Files\iTunes
2008-07-06 04:40 --------- d-----w C:\Program Files\iPod
2008-07-06 04:37 --------- d-----w C:\Program Files\QuickTime
2008-07-06 04:37 --------- d-----w C:\Program Files\Bonjour
2008-07-06 04:33 --------- d-----w C:\Program Files\Apple Software Update
2008-07-06 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 05:29 --------- d-----w C:\Program Files\Google
2008-07-04 05:23 --------- d-----w C:\Program Files\Java
2008-07-04 04:49 --------- d-----w C:\Program Files\Hamachi
2008-07-04 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Hamachi
2008-07-04 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-04 04:44 --------- d-----w C:\Program Files\iTunes(2)
2008-07-04 04:42 --------- d-----w C:\Program Files\Apple Software Update(2)
2008-07-04 04:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-04 04:41 --------- d-----w C:\Program Files\Yahoo!
2008-07-04 04:41 --------- d-----w C:\Program Files\ClickClean
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-02-17 18:37 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-02-17 18:37 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E18F4F28-E7C1-4EE8-BA68-8F925BDFF57D}]
2008-08-22 22:26 323328 --a------ C:\WINDOWS\system32\byXRkKdD.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 10:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 10:02 126976]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 19:04 155648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 12:26 606208]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-10 12:04 180269]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 14:01 28160 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 01:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-12-07 12:27:10 25214]
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2006-01-07 16:18:49 299008]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-25 22:40:27 438272]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2006-02-10 22:21:21 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pwtvjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-10 12:04 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2004-08-12 06:36]
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 04:12]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 14:38]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S4 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2004-06-15 11:06]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 15:14]
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys [2003-02-24 11:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{894aaa90-6cfe-11db-b59e-0014a53c0a27}]
\Shell\AutoRun\command - autorun.bat
.
Contents of the 'Scheduled Tasks' folder

2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{2F398AF7-F1A1-4D9E-92E9-36A94898D559} - C:\WINDOWS\rafbsvnx.dll
HKLM-Run-winlogons.exe - C:\Program Files\Free KGB Key Logger\winlogons.exe
HKLM-Run-VirusRemover2008 - C:\Program Files\VirusRemover2008\VRM2008.exe
HKLM-Run-3c388be9 - C:\WINDOWS\system32\iecgcrhw.dll
HKLM-Run-WheelMouse - Amoumain.exe
MSConfigStartUp-Aim6 - C:\Program Files\AIM6\aim6.exe
MSConfigStartUp-AOL Spyware Protection - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-Countdown Pro - C:\Program Files\Countdown Pro 2\Countdown Pro.exe
MSConfigStartUp-HostManager - C:\Program Files\Common Files\AOL\1133845239\EE\AOLHostManager.exe
MSConfigStartUp-Pure Networks Port Magic - C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

- C:\WINDOWS\Downloaded Program Files\smsx.inf
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 18:09:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 18:11:39
ComboFix-quarantined-files.txt 2008-08-26 01:11:21

Pre-Run: 16,069,152,768 bytes free
Post-Run: 16,035,504,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

314 --- E O F --- 2008-08-18 20:32:40

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17, on 2008-08-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://softwarerefer...=...6Ojg5&lid=2
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farme...ctiveX/smsx.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107988820193
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://eagent.farme...iveX/msxml4.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - AppInit_DLLs: pwtvjh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 9555 bytes

#5
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please uninstall Viewpoint from your computer.

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://softwarerefer...=...6Ojg5&lid=2
O20 - AppInit_DLLs: pwtvjh.dll


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.

NEXT

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Viewpoint Manager Service

File::
C:\WINDOWS\system32\whrcgcei.ini
C:\WINDOWS\system32\byXRkKdD.dll
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp

Folder::
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E18F4F28-E7C1-4EE8-BA68-8F925BDFF57D}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{894aaa90-6cfe-11db-b59e-0014a53c0a27}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

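As an added illustration (not fenzodahl512's instructions or any HijackThis code), this Python snippet applies the same triage the helper did by hand to lines in the format of the logs above: R0/R1 browser settings that point at a host outside an assumed trusted set, an O4 Run entry with a hex-looking name or a .dll target, and any populated O20 AppInit_DLLs value. The sample lines are constructed from this thread's logs (the go.microsoft.com default written out in full) and the trusted host list is an assumption.

```python
import re
from urllib.parse import urlparse

# Hosts an untouched IE start/search/default page is expected to use.
# This allowlist is an assumption for the example, not a HijackThis rule.
TRUSTED_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}

# R0/R1: "R0 - <registry key>,<value name> = <url>"
R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<val>.*)$")
# O4: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O20: "O20 - AppInit_DLLs: <dll list>"
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# Eight hex digits as a Run value name, as in the "3c388be9" entry in this thread
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)

# Constructed sample, assembled from lines in this thread's logs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [3c388be9] C:\WINDOWS\system32\hgyiijug.dll
O20 - AppInit_DLLs: pwtvjh.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def first_path(cmd):
    """Return the executable/DLL path at the start of a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(line):
    """Return a reason the line deserves a look, or None if it is unremarkable."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        host = urlparse(m.group("val").strip()).hostname
        if host and host.lower() not in TRUSTED_HOSTS:
            return f"browser setting points at untrusted host {host}"
        return None
    m = O20_LINE.match(line)
    if m:
        dlls = m.group("dlls").strip()
        if dlls:
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so a stray entry gives that DLL a foothold in essentially every GUI program.
            return f"AppInit_DLLs is populated ({dlls})"
        return None
    m = O4_LINE.match(line)
    if m:
        name, target = m.group("name"), first_path(m.group("cmd"))
        if HEX_NAME.match(name):
            return f"Run entry with machine-generated name {name!r}"
        if target.lower().endswith(".dll"):
            return f"Run entry targets a DLL rather than an executable: {target}"
        return None
    return None


def triage_log(text):
    """Return a list of (section code, reason) for every flagged line in a HijackThis log."""
    findings = []
    for line in text.splitlines():
        reason = triage(line)
        if reason:
            findings.append((line.split(" - ", 1)[0].strip(), reason))
    return findings


if __name__ == "__main__":
    for code, reason in triage_log(SAMPLE_LOG):
        print(f"{code}: {reason}")
```

On the constructed sample this flags the two softwarereferral.com entries, the hex-named Run value and the AppInit_DLLs entry, and leaves the vendor entries alone, which is exactly the set the helper asked to have fixed.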

#6
Dang19

    Member

  • Topic Starter
  • Member
  • 23 posts
I think we're making progress, here is the latest...
All the pop-ups seem to be gone and the general invasion seems to have left. The only thing I have to confirm is if the invasion is still affecting my admin rights as it was (I'll report back on my findings).
Again, thank you very much! I have a million tech questions about what has transpired but I will spare you.

ComboFix 08-08-26.02 - Administrator 2008-08-26 18:23:37.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.199 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\system32\byXRkKdD.dll
C:\WINDOWS\system32\whrcgcei.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VQ4KBLWB\bin.clearspring.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VQ4KBLWB\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint_.dll
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB5.tmp
C:\WINDOWS\Internet Logs\xDB6.tmp
C:\WINDOWS\system32\byXRkKdD.dll
C:\WINDOWS\system32\dajhduaa.dll
C:\WINDOWS\system32\DdKkRXyb.ini
C:\WINDOWS\system32\DdKkRXyb.ini2
C:\WINDOWS\system32\gujiiygh.ini
C:\WINDOWS\system32\hgyiijug.dll
C:\WINDOWS\system32\hsowkb.dll
C:\WINDOWS\system32\whrcgcei.ini
.
---- Previous Run -------
.
C:\WINDOWS\system32\DdKkRXyb.ini
C:\WINDOWS\system32\DdKkRXyb.ini2
C:\WINDOWS\system32\facpmvdg.dll
C:\WINDOWS\system32\frxpreul.dll
C:\WINDOWS\system32\gdvmpcaf.ini
C:\WINDOWS\system32\qdleeq.dll
C:\WINDOWS\system32\qjapqz.dll
C:\WINDOWS\system32\rvlqowvm.dll
C:\WINDOWS\system32\wxyknnxx.ini
C:\WINDOWS\system32\xxnnkyxw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-24 20:33 . 2008-08-24 20:49 <DIR> d-------- C:\Documents and Settings\dan\.housecall6.6
2008-08-24 14:59 . 2008-08-24 14:59 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Logitech
2008-08-24 14:58 . 2008-08-24 14:58 <DIR> d-------- C:\Documents and Settings\dan\Application Data\TmpRecentIcons
2008-08-24 14:58 . 2008-08-24 14:58 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Sonic
2008-08-24 14:50 . 2008-08-24 14:50 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Ipswitch
2008-08-24 14:40 . 2008-08-25 21:33 <DIR> d-------- C:\Documents and Settings\dan
2008-08-22 22:22 . 2008-08-22 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-22 22:20 . 2008-08-22 20:54 86,016 --a------ C:\WINDOWS\tqwolser.exe
2008-08-22 19:51 . 2008-08-22 22:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-21 21:31 . 2008-08-21 21:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\tinySpell
2008-08-18 18:49 . 2008-08-18 18:49 <DIR> d-------- C:\Program Files\FreeMind
2008-08-18 18:49 . 2008-08-18 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\.freemind
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\Program Files\MSBuild
2008-08-17 20:19 . 2008-08-17 20:20 <DIR> d-------- C:\df8a2e723e3378c879d7787aa2c84c7f
2008-08-17 20:19 . 2008-07-06 05:06 1,676,288 --a------ C:\WINDOWS\system32\xpssvcs.dll
2008-08-17 20:19 . 2008-07-06 05:06 1,676,288 -----c--- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2008-08-17 20:19 . 2008-07-06 03:50 597,504 -----c--- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2008-08-17 20:19 . 2008-07-06 05:06 575,488 --a------ C:\WINDOWS\system32\xpsshhdr.dll
2008-08-17 20:19 . 2008-07-06 05:06 575,488 -----c--- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2008-08-17 20:19 . 2008-07-06 05:06 117,760 --a------ C:\WINDOWS\system32\prntvpt.dll
2008-08-17 20:19 . 2008-07-06 05:06 89,088 -----c--- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2008-08-17 20:12 . 2008-08-17 20:12 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-29 21:10 . 2008-07-29 21:10 493,048 --a------ C:\WINDOWS\system32\evr.dll
2008-07-29 21:10 . 2008-07-29 21:10 73,720 --a------ C:\WINDOWS\system32\dxva2.dll
2008-07-29 21:10 . 2008-07-29 21:10 26,112 --a------ C:\WINDOWS\system32\TsWpfWrp.exe
2008-07-29 20:35 . 2008-07-29 20:35 326,160 --a------ C:\WINDOWS\system32\PresentationHost.exe
2008-07-29 19:59 . 2008-07-29 19:59 781,344 --a------ C:\WINDOWS\system32\PresentationNative_v0300.dll
2008-07-29 19:59 . 2008-07-29 19:59 161,296 --a------ C:\WINDOWS\system32\UIAutomationCore.dll
2008-07-29 19:59 . 2008-07-29 19:59 105,016 --a------ C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2008-07-29 19:59 . 2008-07-29 19:59 43,544 --a------ C:\WINDOWS\system32\PresentationHostProxy.dll
2008-07-29 19:24 . 2008-07-29 19:24 622,080 --a------ C:\WINDOWS\system32\icardagt.exe
2008-07-29 19:24 . 2008-07-29 19:24 97,800 --a------ C:\WINDOWS\system32\infocardapi.dll
2008-07-29 19:24 . 2008-07-29 19:24 37,384 --a------ C:\WINDOWS\system32\infocardcpl.cpl
2008-07-29 19:24 . 2008-07-29 19:24 11,264 --a------ C:\WINDOWS\system32\icardres.dll
2008-07-29 05:49 . 2008-07-29 05:49 586,240 --a------ C:\WINDOWS\system32\icardres.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 01:49 8,790,048 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-27 01:46 1,837,962 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-27 01:45 104,012 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-25 02:20 --------- d-----w C:\Program Files\LimeWire
2008-08-25 00:47 --------- d-----w C:\Program Files\Trend Micro
2008-08-24 16:43 --------- d-----w C:\Program Files\ewido anti-malware
2008-08-11 00:48 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-25 03:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NETg
2008-07-21 03:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-21 03:32 --------- d-----w C:\Program Files\Windows Media Connect
2008-07-17 03:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-17 03:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-11 03:36 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-07-11 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-11 03:33 --------- d-----w C:\Program Files\Zone Labs
2008-07-10 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-07-10 02:15 --------- d-----w C:\Program Files\3ivx
2008-07-09 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-06 04:40 --------- d-----w C:\Program Files\iTunes
2008-07-06 04:40 --------- d-----w C:\Program Files\iPod
2008-07-06 04:37 --------- d-----w C:\Program Files\QuickTime
2008-07-06 04:37 --------- d-----w C:\Program Files\Bonjour
2008-07-06 04:33 --------- d-----w C:\Program Files\Apple Software Update
2008-07-06 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 05:29 --------- d-----w C:\Program Files\Google
2008-07-04 05:23 --------- d-----w C:\Program Files\Java
2008-07-04 04:49 --------- d-----w C:\Program Files\Hamachi
2008-07-04 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Hamachi
2008-07-04 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-04 04:44 --------- d-----w C:\Program Files\iTunes(2)
2008-07-04 04:42 --------- d-----w C:\Program Files\Apple Software Update(2)
2008-07-04 04:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-04 04:41 --------- d-----w C:\Program Files\Yahoo!
2008-07-04 04:41 --------- d-----w C:\Program Files\ClickClean
2008-02-17 18:37 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-02-17 18:37 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-25_18.10.55.94 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-31 02:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-19 05:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2002-03-20 00:30:00 177,152 ----a-w C:\WINDOWS\system32\tweakui.exe
- 2007-07-31 02:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
+ 2008-07-19 05:10:20 36,552 ----a-w C:\WINDOWS\system32\wups.dll
- 2007-07-31 02:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2008-07-19 05:10:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2008-08-27 01:46:25 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_570.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-12-20 13:17 15360]
"gStart"="C:\Garmin\gStart.exe" [2005-07-25 09:05 1896448]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 10:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 10:02 126976]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 19:04 155648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 12:26 606208]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-10 12:04 180269]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"3c388be9"="C:\WINDOWS\system32\hgyiijug.dll" [BU]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 14:01 28160 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 01:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-12-07 12:27:10 25214]
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2006-01-07 16:18:49 299008]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-25 22:40:27 438272]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2006-02-10 22:21:21 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pwtvjh.dll qdleeq.dll qjapqz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-10 12:04 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2004-08-12 06:36]
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 04:12]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S4 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2004-06-15 11:06]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 15:14]
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys [2003-02-24 11:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fffc190-b318-11dc-b958-0014a53c0a27}]
\Shell\AutoRun\command - E:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - E:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f6a15d2-fe64-11da-b447-0014a53c0a27}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eb94ad6-7b96-11d9-9357-000f1fa81026}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e98de863-b31d-11dc-b959-0014a53c0a27}]
\Shell\AutoRun\command - E:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - E:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-tinySpell - E:\tinySpell\tinyspell.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 18:47:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-26 18:52:44 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-08-27 01:52:37
ComboFix2.txt 2008-08-26 01:11:40

Pre-Run: 19,455,348,736 bytes free
Post-Run: 19,426,983,936 bytes free

311 --- E O F --- 2008-08-18 20:32:40





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:58, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [3c388be9] rundll32.exe "C:\WINDOWS\system32\hgyiijug.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O15 - Trusted Zone: http://www.dell.com
O15 - Trusted Zone: http://*.figfederal.com
O15 - Trusted Zone: http://www.foremostfarmers.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farme...ctiveX/smsx.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107988820193
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://eagent.farme...iveX/msxml4.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - AppInit_DLLs: pwtvjh.dll qdleeq.dll qjapqz.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10501 bytes
#7
fenzodahl512
  • Malware Removal
  • 9,863 posts
Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [3c388be9] rundll32.exe "C:\WINDOWS\system32\hgyiijug.dll",b
O20 - AppInit_DLLs: pwtvjh.dll qdleeq.dll qjapqz.dll


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



NEXT


Please delete this file manually C:\WINDOWS\tqwolser.exe


Then, Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Then run ComboFix again (just double-click it). Post these logs in your next reply, each log in a separate post.

1. Malwarebytes'
2. ComboFix
3. A fresh HijackThis (after running ComboFix)
4. Tell me about your computer now..

Edited by fenzodahl512, 26 August 2008 - 08:42 PM.
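A small triage script, added here as an example and not part of the thread, HijackThis or any project, that codifies the two things that make the entries fenzodahl512 asked to be fixed stand out in a HijackThis log: a Run value named with eight hex digits that uses rundll32.exe to load a DLL with a random-looking file name, and any DLL at all listed under AppInit_DLLs (which is empty on a clean XP system). The sample lines are copied from the HijackThis log posted above; the regexes and the "random-looking" thresholds are my assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the log posted in this
# thread. The O4 rundll32 entry and the O20 line are the two items the
# helper asked to have fixed; the others are ordinary startup entries and
# should produce no findings.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [3c388be9] rundll32.exe "C:\WINDOWS\system32\hgyiijug.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O20 - AppInit_DLLs: pwtvjh.dll qdleeq.dll qjapqz.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O20 lines: "O20 - AppInit_DLLs: <space-separated DLL names>"
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
# Command line of the form: rundll32.exe "<path to dll>",<export>
RUNDLL_RE = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?', re.I)

# Heuristic thresholds (assumptions, not HijackThis rules): a Run value
# named with exactly eight hex digits, and a DLL file name made only of
# six to eight letters, both look machine-generated rather than like product names.
HEX_VALUE_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)
RANDOM_DLL_NAME_RE = re.compile(r'^[a-z]{6,8}\.dll$', re.I)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4" or "O20"
    line: str      # the log line that produced the finding
    reason: str    # why it was flagged


def dll_basename(path: str) -> str:
    """Return the file name part of a Windows path."""
    return path.rsplit('\\', 1)[-1]


def triage_o4(name: str, cmd: str) -> list[str]:
    """Reasons an O4 Run entry looks suspicious (empty list if none)."""
    reasons = []
    if HEX_VALUE_NAME_RE.match(name):
        reasons.append(f'value name {name!r} is eight hex digits, not a product name')
    m = RUNDLL_RE.match(cmd)
    if m:
        dll = dll_basename(m['dll'])
        if RANDOM_DLL_NAME_RE.match(dll):
            reasons.append(f'rundll32 loads {dll!r}, a random-looking DLL name')
    return reasons


def triage_o20(dlls: str) -> list[str]:
    """AppInit_DLLs is empty on a clean XP install; every listed DLL is
    loaded into each process that loads user32.dll, so each one is reported."""
    return [f'AppInit_DLLs entry {d!r} is injected into every user32-linked process'
            for d in dlls.split()]


def triage_hjt_log(text: str) -> list[Finding]:
    """Scan HijackThis log text and return findings for O4 and O20 lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            for reason in triage_o4(m['name'], m['cmd']):
                findings.append(Finding('O4', line, reason))
            continue
        m = O20_RE.match(line)
        if m:
            for reason in triage_o20(m['dlls']):
                findings.append(Finding('O20', line, reason))
    return findings


if __name__ == '__main__':
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f'[{f.section}] {f.reason}\n    {f.line}')
```

Run against the sample, the script reports only the rundll32 entry (twice, once per heuristic) and the three AppInit_DLLs names, and stays silent on the legitimate Intel, Java, ctfmon and Narrator entries.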

#8
Dang19
  • Topic Starter
  • Member
  • 23 posts
MBam Aug 27

Malwarebytes' Anti-Malware 1.25
Database version: 1090
Windows 5.1.2600 Service Pack 2

8:32:38 PM 8/27/2008
mbam-log-08-27-2008 (20-32-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 133130
Time elapsed: 45 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rafbsvnx.bwlt (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Program Files\VirusRemover2008\VRM2008.exe.vir (Rogue.AntiSpywareExpert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\ertl.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\byXRkKdD.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dajhduaa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\facpmvdg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\frxpreul.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hgyiijug.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hsowkb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iecgcrhw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mlJCVoLe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pwtvjh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qdleeq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qjapqz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rvlqowvm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\skngaxhp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqNHwTl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xxnnkyxw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP388\A0146048.exe (Rogue.AntiSpywareExpert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP388\A0146061.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP388\A0146063.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP388\A0146064.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP388\A0146065.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP388\A0146066.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP388\A0146062.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP391\A0146310.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP391\A0146311.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP391\A0146312.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP393\A0147428.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP393\A0147433.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP393\A0147434.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{629C3670-142C-47DA-A749-60304B5247AA}\RP393\A0147432.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk (Rogue.VirusRemove) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\services\services.dll (Trojan.Agent) -> Quarantined and deleted successfully.
#9
Dang19
  • Topic Starter
  • Member
  • 23 posts
Aug 27 ComboFix

ComboFix 08-08-27.03 - Administrator 2008-08-27 20:38:26.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.122 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-27 18:36 . 2008-08-27 18:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 18:36 . 2008-08-27 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 18:36 . 2008-08-27 18:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-27 18:36 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 18:36 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-24 20:33 . 2008-08-24 20:49 <DIR> d-------- C:\Documents and Settings\dan\.housecall6.6
2008-08-24 14:59 . 2008-08-24 14:59 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Logitech
2008-08-24 14:58 . 2008-08-24 14:58 <DIR> d-------- C:\Documents and Settings\dan\Application Data\TmpRecentIcons
2008-08-24 14:58 . 2008-08-24 14:58 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Sonic
2008-08-24 14:50 . 2008-08-24 14:50 <DIR> d-------- C:\Documents and Settings\dan\Application Data\Ipswitch
2008-08-24 14:40 . 2008-08-25 21:33 <DIR> d-------- C:\Documents and Settings\dan
2008-08-22 22:22 . 2008-08-27 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-22 19:51 . 2008-08-22 22:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-21 21:31 . 2008-08-21 21:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\tinySpell
2008-08-18 18:49 . 2008-08-18 18:49 <DIR> d-------- C:\Program Files\FreeMind
2008-08-18 18:49 . 2008-08-18 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\.freemind
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-08-17 20:21 . 2008-08-17 20:21 <DIR> d-------- C:\Program Files\MSBuild
2008-08-17 20:19 . 2008-08-17 20:20 <DIR> d-------- C:\df8a2e723e3378c879d7787aa2c84c7f
2008-08-17 20:19 . 2008-07-06 05:06 1,676,288 --a------ C:\WINDOWS\system32\xpssvcs.dll
2008-08-17 20:19 . 2008-07-06 05:06 1,676,288 -----c--- C:\WINDOWS\system32\dllcache\xpssvcs.dll
2008-08-17 20:19 . 2008-07-06 03:50 597,504 -----c--- C:\WINDOWS\system32\dllcache\printfilterpipelinesvc.exe
2008-08-17 20:19 . 2008-07-06 05:06 575,488 --a------ C:\WINDOWS\system32\xpsshhdr.dll
2008-08-17 20:19 . 2008-07-06 05:06 575,488 -----c--- C:\WINDOWS\system32\dllcache\xpsshhdr.dll
2008-08-17 20:19 . 2008-07-06 05:06 117,760 --a------ C:\WINDOWS\system32\prntvpt.dll
2008-08-17 20:19 . 2008-07-06 05:06 89,088 -----c--- C:\WINDOWS\system32\dllcache\filterpipelineprintproc.dll
2008-08-17 20:12 . 2008-08-17 20:12 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-07-29 21:10 . 2008-07-29 21:10 493,048 --a------ C:\WINDOWS\system32\evr.dll
2008-07-29 21:10 . 2008-07-29 21:10 73,720 --a------ C:\WINDOWS\system32\dxva2.dll
2008-07-29 21:10 . 2008-07-29 21:10 26,112 --a------ C:\WINDOWS\system32\TsWpfWrp.exe
2008-07-29 20:35 . 2008-07-29 20:35 326,160 --a------ C:\WINDOWS\system32\PresentationHost.exe
2008-07-29 19:59 . 2008-07-29 19:59 781,344 --a------ C:\WINDOWS\system32\PresentationNative_v0300.dll
2008-07-29 19:59 . 2008-07-29 19:59 161,296 --a------ C:\WINDOWS\system32\UIAutomationCore.dll
2008-07-29 19:59 . 2008-07-29 19:59 105,016 --a------ C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2008-07-29 19:59 . 2008-07-29 19:59 43,544 --a------ C:\WINDOWS\system32\PresentationHostProxy.dll
2008-07-29 19:24 . 2008-07-29 19:24 622,080 --a------ C:\WINDOWS\system32\icardagt.exe
2008-07-29 19:24 . 2008-07-29 19:24 97,800 --a------ C:\WINDOWS\system32\infocardapi.dll
2008-07-29 19:24 . 2008-07-29 19:24 37,384 --a------ C:\WINDOWS\system32\infocardcpl.cpl
2008-07-29 19:24 . 2008-07-29 19:24 11,264 --a------ C:\WINDOWS\system32\icardres.dll
2008-07-29 05:49 . 2008-07-29 05:49 586,240 --a------ C:\WINDOWS\system32\icardres.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 05:04 8,970,272 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-27 05:04 105,524 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-27 01:46 1,837,962 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-25 02:20 --------- d-----w C:\Program Files\LimeWire
2008-08-25 00:47 --------- d-----w C:\Program Files\Trend Micro
2008-08-24 16:43 --------- d-----w C:\Program Files\ewido anti-malware
2008-08-11 00:48 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-25 18:16 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2008-07-25 18:16 83,968 ----a-w C:\WINDOWS\system32\mscories.dll
2008-07-25 18:16 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2008-07-25 18:16 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2008-07-25 03:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NETg
2008-07-21 03:37 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-21 03:32 --------- d-----w C:\Program Files\Windows Media Connect
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-17 03:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-07-17 03:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-11 03:36 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-07-11 03:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-11 03:33 --------- d-----w C:\Program Files\Zone Labs
2008-07-10 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-07-10 02:15 --------- d-----w C:\Program Files\3ivx
2008-07-09 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 16:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-06 04:40 --------- d-----w C:\Program Files\iTunes
2008-07-06 04:40 --------- d-----w C:\Program Files\iPod
2008-07-06 04:37 --------- d-----w C:\Program Files\QuickTime
2008-07-06 04:37 --------- d-----w C:\Program Files\Bonjour
2008-07-06 04:33 --------- d-----w C:\Program Files\Apple Software Update
2008-07-06 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 05:29 --------- d-----w C:\Program Files\Google
2008-07-04 05:23 --------- d-----w C:\Program Files\Java
2008-07-04 04:49 --------- d-----w C:\Program Files\Hamachi
2008-07-04 04:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Hamachi
2008-07-04 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-04 04:44 --------- d-----w C:\Program Files\iTunes(2)
2008-07-04 04:42 --------- d-----w C:\Program Files\Apple Software Update(2)
2008-07-04 04:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-04 04:41 --------- d-----w C:\Program Files\Yahoo!
2008-07-04 04:41 --------- d-----w C:\Program Files\ClickClean
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:12 667,136 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-02-17 18:37 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2008-02-17 18:37 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-25_18.10.55.94 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-06 03:26:20 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
+ 2008-05-02 21:22:56 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
- 2007-07-31 02:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2008-07-19 05:10:20 36,552 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2002-03-20 00:30:00 177,152 ----a-w C:\WINDOWS\system32\tweakui.exe
+ 2008-08-28 01:14:28 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_3cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-12-20 13:17 15360]
"gStart"="C:\Garmin\gStart.exe" [2005-07-25 09:05 1896448]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 10:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 10:02 126976]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 19:04 155648]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 12:26 606208]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-10 12:04 180269]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 14:01 28160 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 01:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-12-07 12:27:10 25214]
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2006-01-07 16:18:49 299008]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-25 22:40:27 438272]
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2006-02-10 22:21:21 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-02-10 12:04 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys [2004-08-12 06:36]
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 04:12]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-12-20 13:29]
S4 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2004-06-15 11:06]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys [2004-04-07 15:14]
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys [2003-02-24 11:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fffc190-b318-11dc-b958-0014a53c0a27}]
\Shell\AutoRun\command - E:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - E:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f6a15d2-fe64-11da-b447-0014a53c0a27}]
\Shell\AutoRun\command - rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eb94ad6-7b96-11d9-9357-000f1fa81026}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e98de863-b31d-11dc-b959-0014a53c0a27}]
\Shell\AutoRun\command - E:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - E:\system\viewer\FlipVideoforPC.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-07-31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\js0dtm57.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1249.1854\npCIDetect11.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint_.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 20:43:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-27 20:47:04
ComboFix-quarantined-files.txt 2008-08-28 03:46:55
ComboFix2.txt 2008-08-27 01:52:46
ComboFix3.txt 2008-08-26 01:11:40

Pre-Run: 19,621,646,336 bytes free
Post-Run: 19,652,182,016 bytes free

230 --- E O F --- 2008-08-18 20:32:40

#10 Dang19 (Topic Starter, Member, 23 posts)
Aug 27 Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48: PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Garmin\gStart.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O15 - Trusted Zone: http://www.dell.com
O15 - Trusted Zone: http://*.figfederal.com
O15 - Trusted Zone: http://www.foremostfarmers.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farme...ctiveX/smsx.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107988820193
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://eagent.farme...iveX/msxml4.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10370 bytes
#11 fenzodahl512 (Malware Removal, 9,863 posts)
Logs look very good to me.. One thing, however.. I haven't seen any antivirus in your logs.. Antivirus is extremely crucial, as without it you will get re-infected again! Do you have any? If you don't, please install ONLY ONE of these free and excellent antivirus programs below:




After you install an antivirus, please do the following..

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed





Lastly, to keep your operating system up to date please visit the link below monthly

Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512
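As an added example (not part of this thread, and not code from HijackThis, ComboFix or the helper above), the script below does mechanically what a log reviewer does by eye: it reads lines of the shape posted in this thread, flags the Security Center and firewall registry values that lower protection, lists the O23 services and reports whether any of them looks like an antivirus product, and lists the MountPoints2 AutoRun handlers. The sample log text is constructed from lines in this thread, and the antivirus keyword list is an illustrative assumption, not a complete product list.

```python
import re

# Constructed sample, assembled from the shape of the ComboFix and HijackThis
# lines posted in this thread; it is not a complete log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9eb94ad6-7b96-11d9-9357-000f1fa81026}]
\Shell\AutoRun\command - D:\Setup.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                      # [registry key]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')                # "Name"=value
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")

# Illustrative keyword list (assumption): substrings that suggest an AV product.
AV_KEYWORDS = ("antivirus", "anti-virus", "avast", "avg", "avira", "mcafee",
               "norton", "symantec", "kaspersky", "eset", "nod32")


def parse_registry_values(text):
    """Return (key, name, int_value) for every numeric value under a [key] header.

    Handles both ComboFix spellings: 'dword:00000001' and '0 (0x0)'."""
    values, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, raw = m.group(1), m.group(2)
        if raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            num = re.match(r"^(\d+)", raw)
            if not num:          # string values such as codec DLL names are skipped
                continue
            value = int(num.group(1))
        values.append((key, name, value))
    return values


def defence_weakening_findings(text):
    """Flag settings that reduce host protection. Each one is a point to confirm,
    not proof of infection: a third-party firewall legitimately disables the
    Windows Firewall and tells Security Center it is doing the monitoring."""
    findings = []
    for key, name, value in parse_registry_values(text):
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "security center" in k and name == "AntiVirusDisableNotify" and value == 1:
            findings.append("Security Center antivirus alerts are suppressed")
        elif "security center\\monitoring" in k and name == "DisableMonitoring" and value == 1:
            findings.append("Security Center monitoring disabled for " + leaf)
        elif "firewallpolicy" in k and name == "EnableFirewall" and value == 0:
            findings.append("Windows Firewall disabled in " + leaf)
    return findings


def services(text):
    """Return (display name, publisher, image path) for every O23 line."""
    found = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append(m.groups())
    return found


def has_antivirus_service(text, keywords=AV_KEYWORDS):
    """True if any O23 service name, publisher or path matches an AV keyword."""
    for name, publisher, path in services(text):
        blob = f"{name} {publisher} {path}".lower()
        if any(k in blob for k in keywords):
            return True
    return False


def autorun_commands(text):
    """Return AutoRun commands recorded under MountPoints2 (removable-media handlers)."""
    cmds, in_mountpoints = [], False
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            in_mountpoints = "mountpoints2" in m.group(1).lower()
            continue
        m = AUTORUN_RE.match(line)
        if in_mountpoints and m:
            cmds.append(m.group(1))
    return cmds


def triage(text):
    """Summarise the checks a log reviewer performs by eye."""
    return {
        "weakened_defences": defence_weakening_findings(text),
        "services": services(text),
        "antivirus_present": has_antivirus_service(text),
        "autorun_handlers": autorun_commands(text),
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_LOG).items():
        print(section, "->", result)
```

On the constructed sample the script reports three weakened-defence items, no antivirus service (ewido is an anti-malware guard and ZoneAlarm is a firewall, which is exactly the gap the reviewer points out), and one AutoRun handler. The firewall and monitoring findings are expected on a machine running ZoneAlarm, which is why the output is a checklist for a human rather than a verdict.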

#12 Dang19 (Topic Starter, Member, 23 posts)
I will take your advice to be sure.

I have not worked on your last set of instructions as I am at work, but will do so and advise.
I think the computer is working great except for a couple of things.
  • Computer will not boot or read data on d:\
  • I am unable to delete a user (admin) I set up during this mess. While in the default admin account and viewing the admin user I created, delete does not seem to be an option.

Could the virus have affected my d:\ as far as the ability to read/boot, as the virus did affect my admin rights area? Maybe a service/right I have to adjust?
When I insert a Windows disc, all I get is a msgbox that says "insert cd", and when I do, the msgbox just stays there. I have not tried a data-only CD yet but will.

Again, thank you very much for all your help.

#13 fenzodahl512 (Malware Removal, 9,863 posts)

Computer will not boot or read data on d:\


What is your D:\ drive?.. Is it a hard-disk partition or a CD/DVD-drive?


I am unable to delete a user (admin) I set up during this mess. While in the default admin account and viewing the admin user I created, delete does not seem to be an option.


Try the webpage below..

http://uis.georgetow...g.accounts.html

#14 Dang19 (Topic Starter, Member, 23 posts)
I'm sorry, d:\ is CD.

#15 fenzodahl512 (Malware Removal, 9,863 posts)

I'm sorry, d:\ is CD.



So, the computer can't read data from a CD? erm... can you explain more?.. I think I don't really understand you..

Do you mean you can't access your CD, or that your CD doesn't have the autoplay function?.. :)