Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: I'm infected with ? virtumonde maybe, wxudqfep.exe

  1. #1
    Junior Member
    Join Date
    Apr 2008
    Location
    US, Oregon, Portland
    Posts
    6

    Default I'm infected with ? virtumonde maybe, wxudqfep.exe

    Hello,
    I have to say this problem is kickin my behind. I'm an IT person working on a remote pc, but do get help with safe mode starts, etc. from the user. I use VNC to connect remotely.
    I've cleaned with Spybot several times. Tried SDFix, which found nothing. Windows Defender (of course) finds nothing, no surprise there. Popups are less frequent, & some problems SpyBot did fix, as I now have access to TaskManager again. the latest popup is calling out TrojanDownloader.XS.
    Scanned w/ Kaspersky web, it found 5? viruses infecting 15 items.

    Thank you very much for any assistance you are able to render
    blinks

    here is my HJTLog:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:18, on 2008-05-01
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wxudqfep.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.141.231:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
    O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209677410996
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O17 - HKLM\Software\..\Telephony: DomainName = BEALLCORP.NET
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
    O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
    O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

    --
    End of file - 9135 bytes


    and KASPERSKY Virus SCAN:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2008-05-01 08:28
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 30/04/2008
    Kaspersky Anti-Virus database records: 733438
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    G:\
    S:\
    U:\

    Scan Statistics:
    Total number of scanned objects: 37264
    Number of viruses found: 5
    Number of infected objects: 15
    Number of suspicious objects: 0
    Duration of the scan process: 02:35:12

    Infected Object Name / Virus Name / Last Action
    C:\DMI\WIN32\MifDB\errors.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\d4ab084915cda0549b1a54085095fa40_05360b70-c85e-4979-a995-4d918337c65c Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01092007-160109.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080430_Time-101615208_EnterceptExceptions.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080430_Time-101615208_EnterceptRules.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_DEN1D02.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_DEN1D02.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\uvglszqz\wdsnarwx.exe Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\ryusem\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\ryusem\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\ryusem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\ryusem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\ryusem\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\ryusem\Local Settings\History\History.IE5\MSHist012008043020080501\index.dat Object is locked skipped
    C:\Documents and Settings\ryusem\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\ryusem\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\House\Flooring.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\House\Upstairs Floor.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\11 Names of messiah.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\a-free-magic-ebook.zip Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\a.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Angelic name and orders.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\AstoundingDemo.exe Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Asturias.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Background.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Basic Leg on Shoulder Guard Pass.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Book2.xls Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\cardtricks.exe Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\cell%20plan.pdf Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\ConocoPhillips.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\D14.pdf Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Danny Magen.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Desktop.ini Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Enochian script.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\GMS_memory.pdf Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\High Altitude Martial Arts.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Irin.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Just a Touch of magic.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\kl.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\LKJ.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\MEMORY.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Mossad.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\My words.xls Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Mystery of Shambhala.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\OIL STOCK TO BUY.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\PHYS THER.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\PRELIMINARY PLANS.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\PRRFENTRY_form_200801.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\PRRF_Catalog_200801.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\RMHS_Membership_Application.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Rosh Hashanna.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\ryusem83Ways[1].pdf Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\Cheap screen printing tutorial.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\Desktop.ini Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\Gaelic Judo.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\LKJ.pdf Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\LKJ2.pdf Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\sHIRT.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\TER.pdf Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\TER2.pdf Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Slowly digesting his stomach he reached over.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Story Climax.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Street tongue.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Sunday.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\tabs.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Taken from a friend.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Together they would tackle everything.doc Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\Vocab list.pdf Object is locked skipped
    C:\Documents and Settings\ryusem\My Documents\Misc\~$gelic name and orders.doc Object is locked skipped
    C:\Documents and Settings\ryusem\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\ryusem\NTUSER.DAT.LOG Object is locked skipped
    C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
    C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
    C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
    C:\quarantine\Av-test.txt.Vir Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005645.exe Infected: Trojan.Win32.Vapsup.elk skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005646.dll Infected: Trojan.Win32.Vapsup.elk skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005648.dll Infected: Trojan.Win32.Vapsup.elk skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005649.dll Infected: Trojan.Win32.Vapsup.elk skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005668.exe Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005687.exe Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP2\A0006754.exe Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP2\A0006755.exe Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP4\A0007837.exe Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP4\A0007838.exe Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP4\change.log Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi blinky114

    Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    IMPORTANT: Do NOT run any other options until you are asked to do so!

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Apr 2008
    Location
    US, Oregon, Portland
    Posts
    6

    Default

    Here is the rapport.txt
    Thank you,
    blinky114

    SmitFraudFix v2.319

    Scan done at 11:33:01.38, 2008-05-02
    Run from C:\Documents and Settings\ryusem\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\UltraVNC\winvnc.exe
    C:\WINDOWS\system32\cmd.exe

    hosts


    U:\


    C:\WINDOWS


    C:\WINDOWS\system


    C:\WINDOWS\Web


    C:\WINDOWS\system32


    C:\WINDOWS\system32\LogFiles


    C:\Documents and Settings\ryusem


    C:\Documents and Settings\ryusem\Application Data


    Start Menu


    C:\DOCUME~1\ryusem\FAVORI~1


    Desktop


    C:\Program Files


    Corrupted keys


    Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    404Fix
    !!!Attention, following keys are not inevitably infected!!!

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    Rustock



    DNS

    Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.141.228
    DNS Server Search Order: 192.168.141.221

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{A8161A1F-F2F7-40BC-83A9-60AEEED99A75}: DhcpNameServer=192.168.141.228 192.168.141.221
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{A8161A1F-F2F7-40BC-83A9-60AEEED99A75}: DhcpNameServer=192.168.141.228 192.168.141.221
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{A8161A1F-F2F7-40BC-83A9-60AEEED99A75}: DhcpNameServer=192.168.141.228 192.168.141.221
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.141.228 192.168.141.221
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.141.228 192.168.141.221
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.141.228 192.168.141.221


    Scanning for wininet.dll infection


    End

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    OK, nothing there.

    Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Junior Member
    Join Date
    Apr 2008
    Location
    US, Oregon, Portland
    Posts
    6

    Default

    Deckard's System Scanner v20071014.68
    Run by ryusem on 2008-05-02 12:09:48
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    7: 2008-05-02 18:10:08 UTC - RP7 - Deckard's System Scanner Restore Point
    6: 2008-05-01 21:57:03 UTC - RP6 - Software Distribution Service 3.0
    5: 2008-05-01 21:50:11 UTC - RP5 - Software Distribution Service 3.0
    4: 2008-04-30 12:38:26 UTC - RP4 - Software Distribution Service 3.0
    3: 2008-04-29 19:38:33 UTC - RP3 - Installed Windows Media Format Runtime


    -- First Restore Point --
    1: 2008-04-26 15:59:57 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 383 MiB (512 MiB recommended).


    -- HijackThis (run as ryusem.exe) ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:12, on 2008-05-02
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\UltraVNC\winvnc.exe
    C:\Documents and Settings\ryusem\Desktop\dss.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ryusem.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.141.231:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
    O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209677410996
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O17 - HKLM\Software\..\Telephony: DomainName = BEALLCORP.NET
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
    O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
    O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

    --
    End of file - 9353 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
    R1 omci - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
    R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan>

    S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 ActionAgent - c:\program files\dell\openmanage\client\actionagent.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 DellDmi - c:\dmi\win32\bin\delldmi.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
    R2 DEventAgent - c:\program files\dell\openmanage\client\eventagt.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
    R2 DLT - c:\program files\dell\openmanage\client\dlt.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
    R2 Iap - c:\program files\dell\openmanage\client\iap.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
    R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
    R2 Win32Sl - c:\dmi\win32\bin\win32sl.exe <Not Verified; Intel; DMI 2.0s SDK>

    S2 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>
    S3 Cwbrxd (iSeries Access for Windows Remote Command) - c:\windows\cwbrxd.exe <Not Verified; IBM Corporation; IBM(R) iSeries (TM) Access for Windows>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\4&4F9938A&0
    Manufacturer: Microsoft
    Name: PS/2 Compatible Mouse
    PNP Device ID: ACPI\PNP0F13\4&4F9938A&0
    Service: i8042prt


    -- Scheduled Tasks -------------------------------------------------------------

    2008-05-02 06:18:01 260 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    2008-05-01 16:12:02 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    2008-05-01 10:57:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-04-02 and 2008-05-02 -----------------------------

    2008-05-02 12:09:01 0 d-------- U:\Deckard
    2008-05-02 11:33:20 2212 --a------ C:\WINDOWS\system32\tmp.reg
    2008-05-01 15:59:18 0 d-------- C:\WINDOWS\network diagnostic
    2008-05-01 15:14:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
    2008-05-01 14:39:14 0 d-------- C:\WINDOWS\ERUNT
    2008-05-01 10:07:58 110592 --a------ C:\WINDOWS\system32\wxudqfep.exe
    2008-04-30 13:12:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-30 13:12:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-30 10:08:49 0 dr-h----- C:\Documents and Settings\ryusem\Recent
    2008-04-29 09:19:15 68096 --a------ C:\WINDOWS\zip.exe
    2008-04-29 09:19:15 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-04-29 09:19:15 98816 --a------ C:\WINDOWS\sed.exe
    2008-04-29 09:19:15 80412 --a------ C:\WINDOWS\grep.exe
    2008-04-29 09:19:15 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-04-29 09:19:14 49152 --a------ C:\WINDOWS\VFind.exe
    2008-04-29 09:19:14 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-04-29 09:19:14 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-04-29 08:25:49 0 d-------- C:\Program Files\Trend Micro
    2008-04-28 10:37:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-28 10:03:19 0 d--h----- C:\WINDOWS\PIF
    2008-04-28 06:28:48 0 d-------- C:\Documents and Settings\ryusem\Application Data\TmpRecentIcons
    2008-04-26 10:22:20 0 dr-h----- C:\Documents and Settings\KROBERTS\Recent
    2008-04-26 08:43:00 0 d-------- C:\Documents and Settings\KROBERTS\Application Data\TmpRecentIcons
    2008-04-26 07:00:25 0 d-------- C:\Documents and Settings\All Users\Application Data\uvglszqz
    2008-04-18 07:30:53 1380 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache


    -- Find3M Report ---------------------------------------------------------------

    2008-04-30 07:42:55 27888 --a----c- C:\Documents and Settings\ryusem\Application Data\GDIPFONTCACHEV1.DAT
    2008-04-28 14:08:34 0 d-------- C:\Program Files\UltraVNC
    2008-04-25 12:00:30 0 d-------- C:\Documents and Settings\ryusem\Application Data\Adobe
    2008-04-18 06:30:43 0 d-------- C:\Program Files\Microsoft Silverlight


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2005-08-06 20:45]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 04:06]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 21:00]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
    "gtjcrnvp"="C:\WINDOWS\system32\gxolwpyj.exe" []
    "vvygnutp"="C:\WINDOWS\system32\wxudqfep.exe" [2008-05-01 10:07]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    *Newly Created Service* - ENTDRV51



    -- End of Deckard's System Scanner: finished at 2008-05-02 12:14:47 ------------



    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel Pentium III processor
    Percentage of Memory in Use: 77%
    Physical Memory (total/avail): 382.23 MiB / 86.16 MiB
    Pagefile Memory (total/avail): 963.38 MiB / 322.92 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1936.3 MiB

    A: is Removable (FAT)
    C: is Fixed (NTFS) - 9.56 GiB total, 3.26 GiB free.
    D: is CDROM (CDFS)
    G: is Network (NTFS)
    S: is Network (NTFS)
    U: is Network (NTFS)

    \\.\PHYSICALDRIVE0 - QUANTUM FIREBALLP AS10.2 - 9.57 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 9.56 GiB - C:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is disabled.

    FirstRunDisabled is set.


    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:UltraVNC Server"
    "C:\\WINDOWS\\system32\\ping.exe"="C:\\WINDOWS\\system32\\ping.exe:*:Enabled:ping.exe"
    "C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
    "C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"="C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe:*:Enabled:Track-It! Workstation Manager"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32"
    "C:\\WINDOWS\\system32\\ping.exe"="C:\\WINDOWS\\system32\\ping.exe:*:Enabled:ping.exe"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\ryusem\Application Data
    CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=DEN1D02
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=U:
    HOMEPATH=\
    HOMESHARE=\\den1dc\users\ryusem
    LOGONSERVER=\\DEN1DC
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\DMI\WIN32\BIN;C:\PROGRA~1\IBM\CLIENT~1;C:\PROGRA~1\IBM\CLIENT~1\Shared;C:\PROGRA~1\IBM\CLIENT~1\Emulator;C:\Program Files\QuickTime\QTSystem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0806
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
    RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\ryusem\LOCALS~1\Temp
    TMP=C:\DOCUME~1\ryusem\LOCALS~1\Temp
    USERDNSDOMAIN=BEALLCORP.NET
    USERDOMAIN=BEALLCORP
    USERNAME=ryusem
    USERPROFILE=C:\Documents and Settings\ryusem
    WIN32DMIPATH=C:\DMI\WIN32
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    KROBERTS (admin)
    ryusem (admin)
    deleteme (admin)
    Administrator (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\AFPViewr\DeIsL1.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL10.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL11.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL12.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL13.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL14.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL15.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL16.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL17.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL2.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL3.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL4.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL45.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL5.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL6.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL7.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL8.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL9.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL1.isu"
    --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL2.isu"
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
    Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
    Amazing Windows XP Screen Saver 1.2 --> C:\WINDOWS\unins001.exe
    Apple Mobile Device Support --> MsiExec.exe /I{967D588C-9B96-40C9-A222-DCD6922563CA}
    Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    Dell OpenManage Client Instrumentation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0773A806-0853-4B4D-8771-55BEF03E242B}\Setup.exe" -l0x9 -f1C:\PROGRA~1\Dell\OPENMA~1\Client\uninst.iss
    Free PS Convert driver 8.15 --> "C:\Program Files\psconvert\unins000.exe"
    Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    IBM iSeries Access for Windows --> "C:\Program Files\IBM\Client Access\cwbinarp.exe"
    Israel Radio Toolbar --> C:\PROGRA~1\ISRAEL~1\UNWISE.EXE C:\PROGRA~1\ISRAEL~1\INSTALL.LOG
    Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
    Mdu --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Mdu\ST6UNST.LOG"
    Microsoft Office Sounds --> MsiExec.exe /I{10CE1EA2-12E9-11D3-825E-00C04F6843FE}
    Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
    Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
    Move Networks Player for Internet Explorer --> "C:\Documents and Settings\kroberts\Application Data\Move Networks\ie_bin\unins000.exe"
    Mozilla Firefox (1.5) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (en-US)"
    MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
    NILE THEME --> MsiExec.exe /X{B19C841C-D60A-462F-AB86-4FDD51A77FA3}
    oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
    QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
    Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    Ulead GIF Animator 5 TBYB --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8AF3E926-ED59-11D4-A44B-0000E86D2305}\Setup.exe" -l0x9
    UltraVNC v1.0.1 --> "C:\Program Files\UltraVNC\unins000.exe"
    URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
    Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
    Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
    Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
    Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
    Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
    WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
    XML Paper Specification Shared Components Pack 1.0 -->
    Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type2095 / Warning
    Event Submitted/Written: 05/02/2008 00:13:42 PM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DEN1D02 IP 192.168.131.34 user SYSTEM running VirusScan Enter 8.0 OAS)

    Event Record #/Type2094 / Warning
    Event Submitted/Written: 05/02/2008 00:13:42 PM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DEN1D02 IP 192.168.131.34 user SYSTEM running VirusScan Enter 8.0 OAS)

    Event Record #/Type2091 / Error
    Event Submitted/Written: 05/02/2008 09:07:46 AM
    Event ID/Source: 2001 / Microsoft Office 10
    Event Description:
    Rejected Safe Mode action : Microsoft Outlook.

    Event Record #/Type2079 / Warning
    Event Submitted/Written: 05/01/2008 04:06:02 PM
    Event ID/Source: 1524 / Userenv
    Event Description:
    Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

    Event Record #/Type2068 / Warning
    Event Submitted/Written: 05/01/2008 03:21:39 PM
    Event ID/Source: 1524 / Userenv
    Event Description:
    Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type60982 / Warning
    Event Submitted/Written: 05/02/2008 11:35:57 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.

    For more information please see the following:
    %BEALLCORP275

    Scan ID: {52455084-9B07-440C-8427-84F6E3CA9B16}

    User: BEALLCORP\ryusem

    Name: %BEALLCORP271

    ID: %BEALLCORP272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %BEALLCORP276

    Alert Type: %BEALLCORP278

    Detection Type: 1.1.1593.02

    Event Record #/Type60981 / Warning
    Event Submitted/Written: 05/02/2008 11:35:57 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.

    For more information please see the following:
    %BEALLCORP275

    Scan ID: {72010C38-44E5-4F4F-BF7F-61B54B776A6A}

    User: BEALLCORP\ryusem

    Name: %BEALLCORP271

    ID: %BEALLCORP272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %BEALLCORP276

    Alert Type: %BEALLCORP278

    Detection Type: 1.1.1593.02

    Event Record #/Type60980 / Warning
    Event Submitted/Written: 05/02/2008 11:35:57 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.

    For more information please see the following:
    %BEALLCORP275

    Scan ID: {355BAD1B-B840-4AD5-B1F7-57856421BB23}

    User: BEALLCORP\ryusem

    Name: %BEALLCORP271

    ID: %BEALLCORP272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %BEALLCORP276

    Alert Type: %BEALLCORP278

    Detection Type: 1.1.1593.02

    Event Record #/Type60979 / Warning
    Event Submitted/Written: 05/02/2008 11:35:56 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.

    For more information please see the following:
    %BEALLCORP275

    Scan ID: {AFEA53E3-03F0-4864-8DD7-94449A53A755}

    User: BEALLCORP\ryusem

    Name: %BEALLCORP271

    ID: %BEALLCORP272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %BEALLCORP276

    Alert Type: %BEALLCORP278

    Detection Type: 1.1.1593.02

    Event Record #/Type60978 / Warning
    Event Submitted/Written: 05/02/2008 11:35:56 AM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.

    For more information please see the following:
    %BEALLCORP275

    Scan ID: {84B6C791-52D0-49CF-84CA-BCB57547D805}

    User: BEALLCORP\ryusem

    Name: %BEALLCORP271

    ID: %BEALLCORP272

    Severity: 1.1.1593.05

    Category: 1.1.1593.06

    Path Found: %BEALLCORP276

    Alert Type: %BEALLCORP278

    Detection Type: 1.1.1593.02



    -- End of Deckard's System Scanner: finished at 2008-05-02 12:14:47 ------------

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Open HijackThis, click do a system scan only and checkmark these:

    O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
    O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
    O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe


    Close all windows including browser and press fix checked.

    Reboot.

    Delete these:

    C:\WINDOWS\system32\gxolwpyj.exe
    C:\WINDOWS\system32\wxudqfep.exe
    C:\Documents and Settings\All Users\Application Data\uvglszqz

    Empty Recycle Bin.

    Post back a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Apr 2008
    Location
    US, Oregon, Portland
    Posts
    6

    Default

    Hi Shaba - Here is the new HJT Logfile. I see that the same items are still here.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:18, on 2008-05-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.141.231:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
    O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209677410996
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O17 - HKLM\Software\..\Telephony: DomainName = BEALLCORP.NET
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
    O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
    O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

    --
    End of file - 9189 bytes

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Yes, they are.

    Windows Defender

    1. Click on "Tools"
    2. Click on "General Settings"
    3. Scroll down to "Real-time protection options"
    4. Uncheck "Turn on Real-time protection (recommended)"
    5. Click "Save"

    Open HijackThis, click do a system scan only and checkmark these:

    O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
    O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
    O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe


    Close all windows including browser and press fix checked.

    Reboot.

    Re-run dss.

    Post a fresh dss log (main.txt)
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Apr 2008
    Location
    US, Oregon, Portland
    Posts
    6

    Default

    Shaba,
    removed WinDfndr 'real-time protection'
    deleted other keys (checked fix in HJT)
    rebooted
    dss log below - thank you, blinkks

    Deckard's System Scanner v20071014.68
    Run by ryusem on 2008-05-05 10:07:41
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Percentage of Memory in Use: 91% (more than 75%).
    Total Physical Memory: 383 MiB (512 MiB recommended).


    -- HijackThis (run as ryusem.exe) ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:08, on 2008-05-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Documents and Settings\ryusem\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ryusem.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.141.231:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1209677410996
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O17 - HKLM\Software\..\Telephony: DomainName = BEALLCORP.NET
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
    O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
    O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
    O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

    --
    End of file - 8933 bytes

    -- Files created between 2008-04-05 and 2008-05-05 -----------------------------

    2008-05-02 12:09:01 0 d-------- U:\Deckard
    2008-05-02 11:33:20 2212 --a------ C:\WINDOWS\system32\tmp.reg
    2008-05-01 15:59:18 0 d-------- C:\WINDOWS\network diagnostic
    2008-05-01 15:14:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
    2008-05-01 14:39:14 0 d-------- C:\WINDOWS\ERUNT
    2008-04-30 13:12:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-30 13:12:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-04-30 10:08:49 0 dr-h----- C:\Documents and Settings\ryusem\Recent
    2008-04-29 09:19:15 68096 --a------ C:\WINDOWS\zip.exe
    2008-04-29 09:19:15 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-04-29 09:19:15 98816 --a------ C:\WINDOWS\sed.exe
    2008-04-29 09:19:15 80412 --a------ C:\WINDOWS\grep.exe
    2008-04-29 09:19:15 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-04-29 09:19:14 49152 --a------ C:\WINDOWS\VFind.exe
    2008-04-29 09:19:14 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-04-29 09:19:14 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-04-29 08:25:49 0 d-------- C:\Program Files\Trend Micro
    2008-04-28 10:37:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-28 10:03:19 0 d--h----- C:\WINDOWS\PIF
    2008-04-28 06:28:48 0 d-------- C:\Documents and Settings\ryusem\Application Data\TmpRecentIcons
    2008-04-26 10:22:20 0 dr-h----- C:\Documents and Settings\KROBERTS\Recent
    2008-04-26 08:43:00 0 d-------- C:\Documents and Settings\KROBERTS\Application Data\TmpRecentIcons
    2008-04-18 07:30:53 1380 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache


    -- Find3M Report ---------------------------------------------------------------

    2008-04-30 07:42:55 27888 --a----c- C:\Documents and Settings\ryusem\Application Data\GDIPFONTCACHEV1.DAT
    2008-04-28 14:08:34 0 d-------- C:\Program Files\UltraVNC
    2008-04-25 12:00:30 0 d-------- C:\Documents and Settings\ryusem\Application Data\Adobe
    2008-04-18 06:30:43 0 d-------- C:\Program Files\Microsoft Silverlight


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2005-08-06 20:45]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 04:06]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 21:00]
    "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=1 (0x1)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"




    -- End of Deckard's System Scanner: finished at 2008-05-05 10:09:01 ------------

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,644

    Default

    Hi

    Great, now there are gone

    Re-scan with kaspersky.

    Post:

    - a fresh HijackThis log
    - kaspersky report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •