
View Full Version : Virtumonde has taken over!



caddy
2008-02-15, 04:23
I cannot download Kaspersky or successfully run HijackThis. I have renamed HJT, yet each time it completes a scan it closes due to an error from gebba.dll. HELP PLEASE!

__RiP_ChAiN_
2008-02-15, 08:43
Hello caddy :)

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

caddy
2008-02-15, 09:03
Thank you, Rip_chain. I appreciate the reply. I ran DSS as directed and posted both text files. I should also mention that in desperation I previously ran ComboFix. This removed a handful of files and allowed me to then run HJT. I will post those logs as well.
caddy
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-02-14 22:53:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:14 PM, on 2/14/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\explorer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 3288 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080214-204305-235 O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
backup-20080214-204305-240 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
backup-20080214-204305-267 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080214-204305-445 O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
backup-20080214-204305-534 O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
backup-20080214-204305-631 O4 - HKLM\..\Run: [DadApp] C:\WINNT\SYSTEM32\Drivers\dadapp.exe
backup-20080214-204305-733 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080214-204305-924 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
backup-20080214-204305-927 O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
backup-20080214-204305-933 O4 - HKLM\..\RunOnce: [SpybotDeletingA1399] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
backup-20080214-204925-104 O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
backup-20080214-204925-106 O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
backup-20080214-204925-118 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
backup-20080214-204925-131 O4 - HKLM\..\RunOnce: [SpybotDeletingA1399] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
backup-20080214-204925-297 O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
backup-20080214-204925-536 O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
backup-20080214-204925-582 O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
backup-20080214-204925-629 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
backup-20080214-204925-665 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
backup-20080214-204925-696 O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
backup-20080214-204925-777 O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
backup-20080214-204925-842 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20080214-204925-845 O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
backup-20080214-204925-873 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
backup-20080214-204925-898 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
backup-20080214-204925-932 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080214-221805-264 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080214-221827-168 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
backup-20080214-221919-129 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
backup-20080214-223720-218 O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.09.13&unknown&unknown&http://www.toyota.com/vehicles/2007/fjcruiser/features.html
backup-20080214-223721-117 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
backup-20080214-223721-408 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_07) -
backup-20080214-223721-430 O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
backup-20080214-223721-521 O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c18.cab
backup-20080214-223721-546 O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
backup-20080214-223721-879 O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
backup-20080214-223812-591 O20 - Winlogon Notify: ydtlxwbz - ydtlxwbz.dll (file missing)
backup-20080214-223849-253 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
backup-20080214-223850-395 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20080214-223850-503 O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
backup-20080214-223850-720 O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
backup-20080214-223850-932 O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
backup-20080214-223955-685 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
backup-20080214-223955-750 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
backup-20080214-223955-767 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
backup-20080214-223955-828 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.js - JSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,3
.js - JSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
.vbs - VBSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,2
.vbs - VBSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
.vbs - VBSFile - shell\edit\command - C:\WINNT\System32\Notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 ApfiltrService (Alps Touch Pad Filter Driver for Windows 2000/XP) - c:\winnt\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP>
3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
3 cs429x (Crystal WDM Audio Codec Driver) - c:\winnt\system32\drivers\cwawdm.sys <Not Verified; Cirrus Logic, Inc.; Crystal AC9x WDM Driver>
1 Dlc (DLC Protocol) - c:\winnt\system32\drivers\dlc.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
3 EL90BC (3Com EtherLink XL B/C Adapter Driver) - c:\winnt\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
3 EL90Xbc (3Com 3C90X-BC Family PCI EtherLink Adapter) - c:\winnt\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
0 fasttrak - c:\winnt\system32\drivers\fasttrak.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Family Driver>
3 ichaud (Service for AC'97 Driver (WDM)) - c:\winnt\system32\drivers\ichaud.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
3 MPE (BDA MPE Filter) - c:\winnt\system32\drivers\mpe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
0 mraid2k - c:\winnt\system32\drivers\mraid2k.sys <Not Verified; American Megatrends, Inc.; MegaRAID Miniport Driver for Windows 2000>
3 Ptserial (W2K Pctel Serial Device Driver) - c:\winnt\system32\drivers\ptserial.sys <Not Verified; PCTEL, INC.; HSP Modem Serial Device>
3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\winnt\system32\drivers\rootmdm.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
0 Vmodem (W2k Vmodem) - c:\winnt\system32\drivers\vmodem.sys <Not Verified; PCTEL, INC.; HSP Modem Modem Device>
0 Vpctcom (W2k Vpctcom) - c:\winnt\system32\drivers\vpctcom.sys <Not Verified; PCtel, Inc.; HSP Modem Virtual Control Device>
0 Vvoice (W2k Vvoice) - c:\winnt\system32\drivers\vvoice.sys <Not Verified; PCtel, Inc.; PCTEL HSP Modem Voice Device>
3 wldel48 (TrueMobile 1150 Series Driver) - c:\winnt\system32\drivers\wldel48.sys <Not Verified; Dell; TrueMobile 1150 Series Card>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 SiSWLSvc (SiS WirelessLan Service) - c:\program files\802.11 wireless lan\802.11g pen size wireless usb 2.0 adapter hw.32 v1.10\siswlsvc.exe
2 WinMgmt (Windows Management Instrumentation) - c:\winnt\system32\wbem\winmgmt.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Files created between 2008-01-14 and 2008-02-14 -----------------------------

2008-02-14 22:21:36 68096 --a------ C:\WINNT\System32\zip.exe
2008-02-14 22:21:36 98816 --a------ C:\WINNT\System32\sed.exe
2008-02-14 22:21:36 80412 --a------ C:\WINNT\System32\grep.exe
2008-02-14 22:21:36 73728 --a------ C:\WINNT\System32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-14 17:40:19 0 d-------- C:\Program Files\Trend Micro
2008-02-13 12:45:26 29072 --a------ C:\WINNT\System32\drivers\disk.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-02-11 08:40:15 0 d-------- C:\Program Files\Yahoo!
2008-02-10 20:05:16 11520 --a------ C:\WINNT\System32\osvkcyi.exe
2008-02-10 20:05:13 1635 --a------ C:\WINNT\System32\mlhozdm.exe
2008-02-10 16:28:26 691545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28:26 3453 --a------ C:\WINNT\unins000.dat
2008-02-09 13:50:11 0 -ra------ C:\WINNT\System32\TFTP312
2008-02-02 13:28:41 0 d-------- C:\Program Files\OLYMPUS
2008-01-22 19:13:32 0 -ra------ C:\WINNT\System32\TFTP1236
2008-01-21 17:54:19 19728 -ra------ C:\WINNT\System32\TFTP916 <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-01-17 19:00:32 0 -ra------ C:\WINNT\System32\TFTP1104
2008-01-14 18:18:48 0 -ra------ C:\WINNT\System32\TFTP1352
2008-01-14 18:16:25 0 -ra------ C:\WINNT\System32\TFTP1312
2008-01-14 18:09:17 0 -ra------ C:\WINNT\System32\TFTP572
2008-01-14 18:05:18 0 -ra------ C:\WINNT\System32\TFTP500
2008-01-14 17:57:57 0 -ra------ C:\WINNT\System32\TFTP556


-- Find3M Report ---------------------------------------------------------------

2008-02-14 22:39:03 0 d-------- C:\Program Files\SpywareGuard
2008-02-14 20:34:07 0 d-------- C:\Program Files\WinZip Self-Extractor
2008-02-14 20:34:06 0 d-a------ C:\Program Files\ewido anti-malware
2008-02-14 20:28:36 0 d-------- C:\Program Files\Common Files\Real
2008-02-14 20:27:47 0 d-a------ C:\Program Files\Common Files
2008-02-14 20:25:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-02-14 20:23:32 0 d-------- C:\Program Files\Network Associates
2008-02-14 20:20:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-01-07 16:12:51 0 d-a------ C:\Program Files\Modem Helper


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [05/08/01 04:00a C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 4:05:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [10/11/2006 8:42:40 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS



-- End of Deckard's System Scanner: finished at 2008-02-14 22:53:38 ------------
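The main.txt log above carries the usual Virtumonde-era tells in one place: a RunOnce entry where Spybot is still trying to delete the locked gebba.dll, a Winlogon Notify package (ydtlxwbz) with a random name and no file behind it, a BHO loaded out of All Users\Application Data instead of Program Files, a WinMgmt service whose binary is missing (which is why DSS prints "Unable to create WMI object"), and zero-byte TFTP### files plus fresh unsigned executables in System32. The script below is an added example, not code from this thread or from HijackThis, DSS or Spybot: it reads HJT- and DSS-style lines and tags the ones a helper would look at first. The sample input is copied from the log above; the Winlogon Notify allowlist, the trusted-BHO directories and every other threshold are the author's assumptions, and a tag means "inspect this", not "this is malware".

```python
import re
from dataclasses import dataclass

# Added example for this thread, not code from HijackThis, DSS or Spybot.
# The allowlists and thresholds are the author's assumptions; treat every
# finding as "look at this", not as proof of infection.

# Default Winlogon Notify packages on Windows 2000/XP (assumed allowlist).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Where a legitimately installed BHO normally lives (assumption).
TRUSTED_BHO_DIRS = ("c:\\program files\\", "c:\\progra~1\\")

HJT_RE = re.compile(r"^(?P<type>[OR]\d+) - (?P<body>.*)$")
# DSS "Files created" line: date time size attrs path [<version info>]
DSS_FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<size>\d+)\s+\S+\s+"
    r"(?P<path>[A-Za-z]:\\[^<]+?)\s*(?P<info><.*>)?$")

# Constructed sample: lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunOnce: [SpybotDeletingA1399] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O20 - Winlogon Notify: ydtlxwbz - ydtlxwbz.dll (file missing)
O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
2008-02-10 20:05:16 11520 --a------ C:\WINNT\System32\osvkcyi.exe
2008-02-09 13:50:11 0 -ra------ C:\WINNT\System32\TFTP312
2008-02-13 12:45:26 29072 --a------ C:\WINNT\System32\drivers\disk.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-02-14 17:40:19 0 d-------- C:\Program Files\Trend Micro
"""

@dataclass(frozen=True)
class Finding:
    reason: str   # short tag, e.g. "unknown-winlogon-notify"
    line: str

def triage_hjt(kind: str, body: str, line: str) -> list:
    """Heuristics for one HijackThis line (kind = O2, O4, O20, O23 ...)."""
    low = body.lower()
    found = []
    if "(file missing)" in low:
        # Loader still registered, target gone: residue of a removed component
        # (the ydtlxwbz Notify entry) or a broken service (WinMgmt, which also
        # explains the "Unable to create WMI object" lines in the DSS report).
        found.append(Finding("file-missing", line))
    if kind == "O20" and low.startswith("winlogon notify:"):
        name = low.split(":", 1)[1].split("-")[0].strip()
        if name not in KNOWN_NOTIFY:
            found.append(Finding("unknown-winlogon-notify", line))
    if kind == "O2":
        path = low.rsplit(" - ", 1)[-1]
        if not path.startswith(TRUSTED_BHO_DIRS):
            found.append(Finding("bho-outside-program-files", line))
    if kind == "O4" and "runonce" in low and re.search(r"\b(cmd|command) /c del\b", low):
        # A cleaner queued a delete for next boot because the DLL was locked;
        # verify the file is really gone before closing the case.
        found.append(Finding("pending-delete", line))
    if kind == "O23" and "unknown owner" in low:
        found.append(Finding("service-without-vendor", line))
    return found

def triage_dss_file(size: int, path: str, info: str, line: str) -> list:
    """Heuristics for one DSS 'Files created' line."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    in_system32 = "\\system32\\" in low
    if in_system32 and re.fullmatch(r"tftp\d+", name):
        # TFTP<digits> files in System32 are left behind by tftp.exe transfers,
        # which nothing on a normal workstation should be doing (assumption).
        return [Finding("tftp-residue", line)]
    if in_system32 and name.endswith((".exe", ".dll", ".sys")) \
            and "microsoft corporation" not in info.lower():
        return [Finding("new-system32-executable", line)]
    return []

def triage(log_text: str) -> list:
    """Run both line parsers over a pasted log and collect findings in order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HJT_RE.match(line):
            findings += triage_hjt(m["type"], m["body"], line)
        elif m := DSS_FILE_RE.match(line):
            findings += triage_dss_file(int(m["size"]), m["path"].strip(),
                                        m["info"] or "", line)
    return findings

def reasons(findings) -> list:
    """Distinct reason tags, sorted, for a quick summary."""
    return sorted({f.reason for f in findings})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:28} {f.line}")
```

Every tag here is a prompt for a human, which is how helpers read these logs: the SiSWLSvc service is also "Unknown owner" and is plainly the wireless adapter's, and zip.exe/sed.exe/grep.exe in System32 were dropped by ComboFix minutes before the scan. What the script buys you is that the five lines worth chasing (gebba.dll, ydtlxwbz, x1ff.dll, the missing WinMgmt binary, the TFTP residue) come out of a 400-line paste in one pass.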

caddy
2008-02-15, 09:05
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 49%
Physical Memory (total/avail): 255.43 MiB / 130.08 MiB
Pagefile Memory (total/avail): 615.39 MiB / 500.74 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1980.7 MiB

C: is Fixed (NTFS) - 27.95 GiB total, 14.09 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)
F: is CDROM (No Media)


-- Security Center -------------------------------------------------------------



-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D9M5WQ11
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
LOGONSERVER=\\D9M5WQ11
MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=D9M5WQ11
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BDC88E5A-F47B-4314-AB38-994592E32C95}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Creative Jukebox Driver --> C:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Micro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D944236D-7992-41D6-8257-930B5832F1CC}\SETUP.EXE" -l0x9 /remove
Dell AccessDirect --> C:\WINNT\IsUninst.exe -f"C:\Program Files\DELL\AccessDirect\Uninst.isu" -c"C:\WINNT\SYSTEM32\Drivers\Uninst.dll
DiMAGE Master Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D312E40B-1C59-4823-AB48-6798D85ABBE4}\Setup.exe" -l0x9 anything
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel SpeedStep technology Applet --> C:\WINNT\IsUninst.exe -f"C:\WINNT\System32\Intel(R) SpeedStep(TM) technology Applet.isu"
InterVideo WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Microsoft FrontPage 2000 --> MsiExec.exe /I{00120409-78E1-11D2-B60F-006097C998E7}
Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINNT\System32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual Studio 6.0 Professional Edition --> "C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINNT\INF\wpie3x86.inf,WebPostUninstall
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" ControlPanel
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINNT\System32\nvinstnt.dll,NvUninstallNT4 nvdm.inf
PCTEL 2304WT V.92 MDC Modem Drivers --> ptuninst.exe
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\System32\QuickTime\Uninstall.log
Serif PhotoPlus 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINNT\unins000.exe"
SpywareBlaster v3.2 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
TrueMobile 1150 Client Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0F8B60-6C6A-11D4-9630-0060B0FBF2F6}\setup.exe"
User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
Windows 2000 Application Compatibility Update --> C:\WINNT\AppPatch\wuinst.exe -u
Windows 2000 Security Rollup Package [See Q311401 for more information] --> C:\WINNT\$NtUninstallSP2SRP1$\spuninst\spuninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2201 / Warning
Event Submitted/Written: 02/14/2008 07:49:05 PM
Event ID/Source: 4104 / COM+
Event Description:
The CRM log file was originally created on a computer with a different name. It has been updated with the name of the current computer. If this warning appears when the computer name has been changed then no further action is required.
DJ66FD11
Server Application ID: {02D4B3F1-FD88-11D1-960D-00805FC79235}
Server Application Name: System Application

Event Record #/Type2180 / Error
Event Submitted/Written: 02/13/2008 09:59:24 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.

Event Record #/Type2179 / Error
Event Submitted/Written: 02/13/2008 09:37:53 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.

Event Record #/Type2178 / Error
Event Submitted/Written: 02/13/2008 09:15:56 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.

Event Record #/Type2177 / Error
Event Submitted/Written: 02/13/2008 08:54:30 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27203 / Error
Event Submitted/Written: 02/14/2008 10:53:38 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type27202 / Error
Event Submitted/Written: 02/14/2008 10:53:23 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type27201 / Error
Event Submitted/Written: 02/14/2008 10:53:23 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type27200 / Error
Event Submitted/Written: 02/14/2008 10:53:20 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type27199 / Error
Event Submitted/Written: 02/14/2008 10:53:10 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}



-- End of Deckard's System Scanner: finished at 2008-02-14 22:53:38 ------------

caddy
2008-02-15, 09:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:39 PM, on 2/14/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\explorer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 3284 bytes

caddy
2008-02-15, 09:08
ComboFix 08-02-15.1 - Administrator 02/14/2008 22:22:21.1 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\gebba.dll
C:\WINNT\system32\wvusqpn.dll
C:\Program Files\delfin
C:\WINNT\fsg_4203.exe
C:\WINNT\SYSTEM32\abbeg.ini
C:\WINNT\SYSTEM32\abbeg.ini2
C:\WINNT\system32\bpkwb.dll
C:\WINNT\system32\bwpfabuq.dll
C:\WINNT\system32\ddmp.dll
C:\WINNT\system32\drivers\Browse.exe
C:\WINNT\system32\drivers\dadtray.exe
C:\WINNT\system32\drivers\OnScDisp.exe
C:\WINNT\system32\gebba.dll
C:\WINNT\system32\iedriver.exexplore.exe
C:\WINNT\system32\johnwb.dll
C:\WINNT\system32\jslvwdta.dll
C:\WINNT\system32\redirect.dll
C:\WINNT\system32\rhysepyw.dll
C:\WINNT\SYSTEM32\stetgkjv.ini
C:\WINNT\system32\systemwb.dll
C:\WINNT\system32\sysu.exe
C:\WINNT\system32\tcpservice2.exe
C:\WINNT\system32\vjkgtets.dll
C:\WINNT\system32\wvusqpn.dll
C:\WINNT\system32\xdeffrkp.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 17:40 . 08-02-14 17:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:45 . 01-05-04 12:05 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
2008-02-11 08:40 . 08-02-12 08:38 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 20:05 . 08-02-10 20:05 11,520 --a------ C:\WINNT\SYSTEM32\osvkcyi.exe
2008-02-10 20:05 . 08-02-10 20:05 1,635 --a------ C:\WINNT\SYSTEM32\mlhozdm.exe
2008-02-10 16:28 . 08-02-10 15:59 691,545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28 . 08-02-10 16:28 3,453 --a------ C:\WINNT\unins000.dat
2008-02-09 13:50 . 08-02-09 13:50 0 -ra------ C:\WINNT\SYSTEM32\TFTP312
2008-02-02 13:28 . 08-02-02 13:28 <DIR> d-------- C:\Program Files\OLYMPUS
2008-01-22 19:13 . 08-01-22 19:13 0 -ra------ C:\WINNT\SYSTEM32\TFTP1236
2008-01-21 17:54 . 08-01-21 17:54 19,728 -ra------ C:\WINNT\SYSTEM32\TFTP916
2008-01-17 19:00 . 08-01-17 19:00 0 -ra------ C:\WINNT\SYSTEM32\TFTP1104

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-11 05:29 --------- d-----w C:\Program Files\SpywareGuard
2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83DC91DB-7896-43E3-B34D-A7D043F16BB1}]
04-08-16 11:44 59904 --a------ C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7EF827-47CC-48EB-B570-C367F1E1277E}]
04-08-12 11:13 38400 --a------ C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [01-05-08 04:00 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ydtlxwbz]
ydtlxwbz.dll


*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 22:28:39
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-02-14 22:30:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 06:30:22

__RiP_ChAiN_
2008-02-15, 22:21
Hello caddy :)


Open HiJackThis
Click on "View the list of Backups"
Place a check mark next to everything in that window
Click Restore
Click Yes
Reboot your computer


1. Please open Notepad
Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINNT\SYSTEM32\osvkcyi.exe
C:\WINNT\SYSTEM32\mlhozdm.exe
Folder::
C:\Documents and Settings\All Users\Application Data\x1ff
C:\Documents and Settings\All Users\Application Data\RDSA
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83DC91DB-7896-43E3-B34D-A7D043F16BB1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ydtlxwbz]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7EF827-47CC-48EB-B570-C367F1E1277E}]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

caddy
2008-02-16, 03:11
ComboFix 08-02-15.1 - Administrator 02/15/2008 17:00:37.2 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINNT\SYSTEM32\mlhozdm.exe
C:\WINNT\SYSTEM32\osvkcyi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\RDSA
C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.cfg
C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
C:\Documents and Settings\All Users\Application Data\RDSA\RDSA.x2f
C:\Documents and Settings\All Users\Application Data\x1ff
C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.cfg
C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
C:\Documents and Settings\All Users\Application Data\x1ff\X1FF0.dll
C:\Documents and Settings\All Users\Application Data\x1ff\xcf01467.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf11875.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf13534.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf25561.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf70936.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf85250.new
C:\Documents and Settings\All Users\Application Data\x1ff\xde79220.exe
C:\Documents and Settings\All Users\Application Data\x1ff\xde85250.exe
C:\Documents and Settings\All Users\Application Data\x1ff\xdl85250.new
C:\WINNT\SYSTEM32\mlhozdm.exe
C:\WINNT\SYSTEM32\osvkcyi.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-14 23:21 . 02/15/08 04:35p 701,602 ---h----- C:\WINNT\ShellIconCache
2008-02-14 22:52 . 02/14/08 10:52p <DIR> d-------- C:\Deckard
2008-02-14 17:40 . 02/14/08 05:40p <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:45 . 05/04/01 12:05p 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
2008-02-11 08:40 . 02/12/08 08:38a <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 16:28 . 02/10/08 03:59p 691,545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28 . 02/10/08 04:28p 3,453 --a------ C:\WINNT\unins000.dat
2008-02-09 13:50 . 02/09/08 01:50p 0 -ra------ C:\WINNT\SYSTEM32\TFTP312
2008-02-02 13:28 . 02/02/08 01:28p <DIR> d-------- C:\Program Files\OLYMPUS
2008-01-22 19:13 . 01/22/08 07:13p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1236
2008-01-21 17:54 . 01/21/08 05:54p 19,728 -ra------ C:\WINNT\SYSTEM32\TFTP916
2008-01-17 19:00 . 01/17/08 07:00p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1104

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 00:49 --------- d-----w C:\Program Files\SpywareGuard
2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [05/08/01 04:00a 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 17:02:13
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 02/15/2008 17:02:59
ComboFix-quarantined-files.txt 2008-02-16 01:02:39
ComboFix2.txt 2008-02-15 06:30:38

caddy
2008-02-16, 03:12
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:01 PM, on 2/15/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\pctspk.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\EXPLORER.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 4652 bytes

__RiP_ChAiN_
2008-02-16, 21:00
Hello caddy :)

Using Add Or Remove Programs, remove the following entries (if present). (To get into Add Or Remove Programs press the START button > Control Panel > Add Or Remove Programs.)

SpyKiller

A. Please RUN HijackThis
Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')



Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad
Click Start, then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\WINNT\SYSTEM32\gebba.dll
Folder::
C:\Program Files\SpyKiller

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


6. After reboot (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix, then post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
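The check the helper performs between rounds in this thread (compare the fresh HijackThis log against the entries that were meant to be fixed, and see what persisted) written out as an added example. This is not code from the thread, from HijackThis or from ComboFix; the sample logs and the flagged list are constructed from excerpts posted above, and the parsing assumes the standard "Oxx - ..." line layout of a HijackThis v2 log.

```python
"""Diff two HijackThis logs to verify a fix round.

Added example (not part of the thread or of HijackThis/ComboFix).
After a fix round the helper asks for a new HijackThis log; this parses
the diagnostic entries of an old and a new log, reports what was removed,
what appeared and what persisted, and lists which of the entries that were
ticked for "Fix checked" are still present. A Run/RunOnce entry that
survives a fix usually means another component re-creates it or the fix
was applied to a different user hive.
"""
import re
from dataclasses import dataclass

# Section code at line start: R0, R1, O2, O4, O23, ... followed by " - "
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")


@dataclass(frozen=True)
class Entry:
    code: str  # section code, e.g. "O4"
    body: str  # rest of the line with whitespace normalised


def parse_hjt(log: str) -> list[Entry]:
    """Return the diagnostic entries of a HijackThis log, in order."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), " ".join(m.group(2).split())))
    return entries


def diff_logs(before: str, after: str) -> dict[str, list[Entry]]:
    """Classify entries as removed (only in before), added (only in after) or kept."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    key = lambda e: (e.code, e.body)
    return {
        "removed": sorted(b - a, key=key),
        "added": sorted(a - b, key=key),
        "kept": sorted(a & b, key=key),
    }


def unresolved(flagged: list[str], after: str) -> list[str]:
    """Entries the helper asked to fix that are still present in the new log."""
    present = {e.body for e in parse_hjt(after)}
    out = []
    for line in flagged:
        m = ENTRY_RE.match(line.strip())
        if m and " ".join(m.group(2).split()) in present:
            out.append(line.strip())
    return out


# Constructed sample: excerpts of the log posted before the fix round.
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)
"""

# Constructed sample: excerpts of the log posted after the fix round.
AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)
"""

# The lines the helper asked to tick and "Fix checked" (subset, constructed).
FLAGGED = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank",
    r"O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup",
    r'O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"',
]

if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for label in ("removed", "added", "kept"):
        print(f"== {label} ({len(result[label])}) ==")
        for e in result[label]:
            print(f"  {e.code} - {e.body}")
    print("== still present after fix ==")
    for line in unresolved(FLAGGED, AFTER):
        print("  " + line)
```

Run against the real full logs, the "still present after fix" list is what decides whether the next round needs a CFScript (as it did here for the SpyKiller and SpybotDeleting entries) or whether the machine is clean.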

caddy
2008-02-16, 23:50
ComboFix 08-02-15.1 - Administrator 02/16/2008 13:27:40.3 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINNT\SYSTEM32\gebba.dll
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 18:14 . 02/15/08 06:14p 29,456 -ra------ C:\WINNT\SYSTEM32\TFTP444
2008-02-14 23:21 . 02/15/08 11:28p 701,574 ---h----- C:\WINNT\ShellIconCache
2008-02-14 22:52 . 02/14/08 10:52p <DIR> d-------- C:\Deckard
2008-02-14 17:40 . 02/14/08 05:40p <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:45 . 05/04/01 12:05p 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
2008-02-11 08:40 . 02/12/08 08:38a <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 16:28 . 02/10/08 03:59p 691,545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28 . 02/10/08 04:28p 3,453 --a------ C:\WINNT\unins000.dat
2008-02-09 13:50 . 02/09/08 01:50p 0 -ra------ C:\WINNT\SYSTEM32\TFTP312
2008-02-02 13:28 . 02/02/08 01:28p <DIR> d-------- C:\Program Files\OLYMPUS
2008-01-22 19:13 . 01/22/08 07:13p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1236
2008-01-21 17:54 . 01/21/08 05:54p 19,728 -ra------ C:\WINNT\SYSTEM32\TFTP916
2008-01-17 19:00 . 01/17/08 07:00p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1104

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 00:49 --------- d-----w C:\Program Files\SpywareGuard
2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [05/08/01 04:00a 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 13:28:59
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 02/16/2008 13:29:49
ComboFix-quarantined-files.txt 2008-02-16 21:29:28
ComboFix2.txt 2008-02-16 01:03:00
ComboFix3.txt 2008-02-15 06:30:38

caddy
2008-02-16, 23:51
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:50 PM, on 2/16/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 4387 bytes
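The log above is the kind a helper reads by eye; the added example below (not code from HijackThis, Spybot or anyone in this thread) parses the O4, O17 and O23 lines of an HJT v2 log and lists what gets checked first: leftover RunOnce deletion commands like the Spybot "cmd /c del ... gebba.dll" entries, services whose binary is missing, and the DNS suffix and resolvers. The sample lines are constructed from the log posted above.

```python
"""Triage helper for HijackThis v2 logs (added example, not a tool from this thread)."""
import re

# Constructed sample: a subset of the log lines posted in this thread, plus one
# ordinary Run entry so the output also shows what is *not* flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)
"""

# O4: "<hive\..\key>: [<entry name>] <command>" with an optional "(User '...')" tail.
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# Deletion commands Spybot schedules through RunOnce when it could not delete a file immediately.
DEL_RE = re.compile(r'^(?:cmd|command)(?:\.exe)?\s+/c\s+del\s+"?(?P<target>[^"]+?)"?\s*$', re.I)
# O17: TCP/IP parameters such as "Domain = ..." or "NameServer = ...".
O17_RE = re.compile(r"^O17 - (?P<key>\S+): (?P<setting>\w+) = (?P<value>.*)$")
# O23: "Service: <name> - <owner> - <path>" with an optional "(file missing)" tail.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage(log_text):
    """Return a dict summarising the O4/O17/O23 entries of an HJT log."""
    report = {
        "autostarts": [],        # (where, name, command) for every O4 line
        "pending_deletes": [],   # files a RunOnce entry still tries to delete
        "domains": [],           # O17 Domain values
        "dns_servers": [],       # O17 NameServer values, one per resolver
        "missing_services": [],  # O23 services whose binary is gone
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            report["autostarts"].append((m["where"], m["name"], m["cmd"]))
            d = DEL_RE.match(m["cmd"])
            # The same file is often scheduled from HKCU and the matching HKUS\<SID> hive;
            # list it once so the reader knows which file to check for after a reboot.
            if d and d["target"] not in report["pending_deletes"]:
                report["pending_deletes"].append(d["target"])
            continue
        m = O17_RE.match(line)
        if m:
            if m["setting"] == "Domain" and m["value"] not in report["domains"]:
                report["domains"].append(m["value"])
            elif m["setting"] == "NameServer":
                # HJT prints several resolvers separated by spaces (sometimes commas).
                for ip in re.split(r"[ ,]+", m["value"].strip()):
                    if ip and ip not in report["dns_servers"]:
                        report["dns_servers"].append(ip)
            continue
        m = O23_RE.match(line)
        if m and m["missing"]:
            report["missing_services"].append(m["name"])
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['autostarts'])} autostart entries parsed")
    print("files still scheduled for deletion:", result["pending_deletes"])
    print("services with missing binary:", result["missing_services"])
    print("DNS suffix(es):", result["domains"])
    print("DNS resolvers to verify against the expected ones:", result["dns_servers"])
```

A file that keeps appearing in `pending_deletes` across successive logs, as gebba.dll does in this thread, is worth confirming by hand: either the deletion never succeeds or the file is being recreated.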

__RiP_ChAiN_
2008-02-18, 06:59
Hello caddy :)

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows: Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan tab" and UNcheck "Heuristic analysis"
Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found.
Click "Yes to all" if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan. Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

caddy
2008-02-19, 06:55
gr_Administrator.current;C:\Documents and Settings\Administrator\Application Data\Kazaa Lite\db;Modification of Trojan.BombScript.2;Moved.;
gr_Administrator.previous;C:\Documents and Settings\Administrator\Application Data\Kazaa Lite\db;Modification of Trojan.BombScript.2;Moved.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\smitRem;Tool.Prockill;Moved.;
pv.exe;C:\Documents and Settings\Administrator\Desktop\smitRem;Program.PrcView.3741;Moved.;
Process.exe;C:\Program Files\Mozilla Firefox\smitRem;Tool.Prockill;Moved.;
pv.exe;C:\Program Files\Mozilla Firefox\smitRem;Program.PrcView.3741;Moved.;
rdsa.dll.vir;C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\RDSA;Adware.Rivad;Moved.;
x1ff.dll.vir;C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\x1ff;Adware.RiverSoft;Moved.;
bwpfabuq.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.269;Deleted.;
jslvwdta.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.269;Deleted.;
rhysepyw.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.260;Deleted.;
xdeffrkp.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.260;Deleted.;
Buddy.exe;C:\WINNT;Trojan.Bispy;Incurable.Moved.;
dsktrf.dll;C:\WINNT\SYSTEM32;Adware.ILookup.origin;Moved.;
TFTP444;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;


Thanks again for the help, Rip_Chain. Here is the Dr.Web log file. However, I was unable to perform the Panda scan b/c my browser is incompatible. Should I download IE 5.0 and run the scan?
Take care
Caddy

__RiP_ChAiN_
2008-02-19, 10:50
Hello caddy :)


Should i download IE 5.0 and run the scan?
No, we'll do something else instead :)

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix (http://download.bleepingcomputer.com/andymanchesta/SDFix.exe) by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights". Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot your computer in "Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

caddy
2008-02-20, 23:33
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:32 PM, on 2/20/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 4329 bytes

caddy
2008-02-20, 23:35
SDFix: Version 1.144

Run by Administrator on Wed 02/20/2008 at 1:20p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

Trojan Files Found:

C:\OK.TMP - Deleted
C:\OK.TMP - Deleted
C:\WINNT\system32\TFTP1104 - Deleted
C:\WINNT\system32\TFTP1236 - Deleted
C:\WINNT\system32\TFTP1312 - Deleted
C:\WINNT\system32\TFTP1352 - Deleted
C:\WINNT\system32\TFTP312 - Deleted
C:\WINNT\system32\TFTP444 - Deleted
C:\WINNT\system32\TFTP500 - Deleted
C:\WINNT\system32\TFTP556 - Deleted
C:\WINNT\system32\TFTP572 - Deleted
C:\WINNT\system32\TFTP892 - Deleted
C:\WINNT\system32\TFTP916 - Deleted
C:\WINNT\system32\o - Deleted





Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 13:23:40
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Remaining Files:


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 26 Jun 2007 5,375,800 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 5 Mar 2006 0 A.SH. --- "C:\WINNT\SYSTEM32\wupdmgr.tmp"
Wed 4 Sep 2002 20,992 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0001.tmp"
Fri 23 Jun 2006 56,832 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0002.tmp"
Thu 20 Oct 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0136.tmp"
Mon 3 Oct 2005 22,016 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1280.tmp"
Wed 26 Jan 2005 22,528 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1407.tmp"
Thu 6 Oct 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1428.tmp"
Wed 19 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1839.tmp"
Fri 21 Oct 2005 52,224 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1925.tmp"
Thu 20 Oct 2005 49,152 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2316.tmp"
Tue 4 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2326.tmp"
Wed 26 Jan 2005 22,528 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2579.tmp"
Fri 21 Oct 2005 50,176 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2856.tmp"
Wed 23 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2960.tmp"
Fri 21 Oct 2005 50,176 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2976.tmp"
Fri 21 Oct 2005 53,248 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3006.tmp"
Fri 21 Oct 2005 50,176 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3069.tmp"
Mon 26 Jun 2006 22,016 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3097.tmp"
Mon 23 Apr 2007 25,088 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3149.tmp"
Mon 26 Jun 2006 22,016 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3249.tmp"
Fri 21 Oct 2005 53,760 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3367.tmp"
Mon 3 May 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 14 Feb 2003 43,520 ...H. --- "C:\Program Files\Qualcomm\Eudora\attach\~WRL3439.tmp"
Sat 24 Jun 2006 22,528 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0002.tmp"
Tue 4 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 23 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0004.tmp"
Wed 26 Mar 2003 44,032 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0005.tmp"
Tue 26 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0006.tmp"
Tue 4 Oct 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0007.tmp"
Thu 20 Oct 2005 25,088 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0008.tmp"
Fri 21 Oct 2005 52,736 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0009.tmp"
Thu 5 Jan 2006 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0010.tmp"
Sat 24 Jun 2006 22,528 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0011.tmp"
Fri 21 Oct 2005 50,176 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0020.tmp"
Sun 8 Jan 2006 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0024.tmp"
Fri 21 Oct 2005 52,224 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0071.tmp"
Wed 13 Feb 2008 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0140.tmp"
Fri 21 Oct 2005 54,272 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0198.tmp"
Fri 21 Oct 2005 56,320 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0237.tmp"
Thu 6 Oct 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0244.tmp"
Thu 24 Mar 2005 22,528 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0294.tmp"
Wed 23 Mar 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0295.tmp"
Tue 25 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0320.tmp"
Fri 21 Oct 2005 54,272 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0343.tmp"
Wed 26 Jan 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0379.tmp"
Tue 26 Apr 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0410.tmp"
Tue 4 Oct 2005 24,576 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0422.tmp"
Fri 21 Oct 2005 49,664 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0474.tmp"
Fri 21 Oct 2005 55,296 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0624.tmp"
Wed 26 Jan 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0647.tmp"
Thu 24 Mar 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0671.tmp"
Tue 26 Apr 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0675.tmp"
Tue 26 Apr 2005 28,160 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0689.tmp"
Tue 25 Jan 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0698.tmp"
Mon 27 Aug 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0812.tmp"
Fri 21 Oct 2005 57,344 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0861.tmp"
Wed 26 Jan 2005 20,480 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0869.tmp"
Wed 23 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0882.tmp"
Wed 23 Mar 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0921.tmp"
Thu 20 Oct 2005 24,576 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0935.tmp"
Tue 26 Apr 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0969.tmp"
Tue 4 Oct 2005 25,088 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0974.tmp"
Fri 6 Apr 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0998.tmp"
Wed 23 Mar 2005 22,016 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1095.tmp"
Fri 6 Apr 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1103.tmp"
Wed 26 Jan 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1106.tmp"
Thu 6 Oct 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1178.tmp"
Wed 26 Mar 2003 45,056 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1194.tmp"
Thu 20 Oct 2005 25,088 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1215.tmp"
Tue 25 Jan 2005 20,480 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1290.tmp"
Tue 25 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1326.tmp"
Fri 21 Oct 2005 56,320 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1328.tmp"
Wed 26 Mar 2003 45,056 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1354.tmp"
Fri 21 Oct 2005 53,248 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1403.tmp"
Wed 23 Mar 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1429.tmp"
Sun 8 Jan 2006 20,480 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1438.tmp"
Sun 8 Jan 2006 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1466.tmp"
Tue 26 Apr 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1478.tmp"
Wed 26 Mar 2003 45,056 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1586.tmp"
Fri 21 Oct 2005 52,224 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1667.tmp"
Fri 21 Oct 2005 52,224 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1675.tmp"
Mon 27 Aug 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1733.tmp"
Fri 21 Oct 2005 53,248 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1765.tmp"
Fri 21 Oct 2005 55,296 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1810.tmp"
Mon 27 Aug 2007 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1833.tmp"
Tue 4 Oct 2005 24,064 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1889.tmp"
Thu 24 Mar 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1936.tmp"
Mon 24 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1939.tmp"
Sun 8 Jan 2006 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2022.tmp"
Tue 4 Oct 2005 25,088 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2046.tmp"
Wed 26 Mar 2003 44,544 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2054.tmp"
Mon 24 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2087.tmp"
Fri 21 Oct 2005 55,808 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2110.tmp"
Tue 26 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2162.tmp"
Tue 26 Apr 2005 22,016 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2194.tmp"
Wed 26 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2212.tmp"
Tue 26 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2228.tmp"
Thu 20 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2240.tmp"
Fri 21 Oct 2005 56,832 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2251.tmp"
Thu 20 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2261.tmp"
Tue 26 Apr 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2309.tmp"
Tue 26 Apr 2005 27,136 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2387.tmp"
Wed 23 Mar 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2443.tmp"
Thu 20 Oct 2005 24,064 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2530.tmp"
Tue 4 Oct 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2613.tmp"
Sun 8 Jan 2006 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2728.tmp"
Fri 21 Oct 2005 52,736 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2800.tmp"
Sun 8 Jan 2006 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2862.tmp"
Mon 24 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2912.tmp"
Thu 6 Oct 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2985.tmp"
Thu 20 Oct 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3062.tmp"
Fri 21 Oct 2005 56,320 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3063.tmp"
Tue 26 Apr 2005 27,648 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3069.tmp"
Tue 26 Apr 2005 26,112 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3165.tmp"
Wed 26 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3224.tmp"
Tue 4 Oct 2005 24,576 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3225.tmp"
Thu 24 Mar 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3241.tmp"
Thu 24 Mar 2005 22,528 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3269.tmp"
Wed 23 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3336.tmp"
Sun 8 Jan 2006 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3340.tmp"
Tue 26 Apr 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3346.tmp"
Tue 26 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3364.tmp"
Mon 27 Aug 2007 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3434.tmp"
Tue 25 Jan 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3438.tmp"
Mon 24 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3439.tmp"
Wed 26 Jan 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3440.tmp"
Mon 24 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3443.tmp"
Sun 8 Jan 2006 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3446.tmp"
Wed 26 Jan 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3499.tmp"
Thu 6 Oct 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3552.tmp"
Fri 21 Oct 2005 50,688 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3558.tmp"
Tue 4 Oct 2005 25,088 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3578.tmp"
Tue 26 Apr 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3632.tmp"
Fri 6 Apr 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3672.tmp"
Thu 20 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3677.tmp"
Wed 23 Mar 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3748.tmp"
Mon 24 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3903.tmp"
Thu 20 Oct 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3940.tmp"
Fri 21 Oct 2005 52,224 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3953.tmp"
Thu 20 Oct 2005 24,064 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3959.tmp"
Wed 26 Mar 2003 45,568 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL4096.tmp"

Finished!

__RiP_ChAiN_
2008-02-21, 05:20
Hello caddy :)

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.


Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
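The fix list above is a set of HijackThis O4 (autostart) entries, and the two Spybot RunOnce values are deferred deletes of gebba.dll, the DLL from the first post that Spybot could not remove while it was loaded. As an added example that is not part of this thread or of HijackThis itself, the Python below parses O4 lines of both forms HijackThis emits (registry Run/RunOnce values and Startup-folder shortcuts), keeps the per-user suffix, and reports which files any RunOnce delete is scheduled to remove. The sample lines are copied from the logs in this thread; the regular expressions and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: O4 lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
"""

# Registry autostart value:  O4 - <key>: [<value name>] <command> [(User '<name>')]
REG_RE = re.compile(
    r"^O4 - (?P<loc>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder shortcut:   O4 - [<who> ]Startup: <shortcut>.lnk = <target> [(User '<name>')]
STARTUP_RE = re.compile(
    r"^O4 - (?P<loc>(?:\S+ )?Startup): (?P<name>.+?) = (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# A RunOnce value whose whole job is deleting one file (the Spybot pattern above).
DEL_RE = re.compile(
    r'^(?:cmd|command)(?:\.exe)?\s+/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE
)


@dataclass
class O4Entry:
    location: str             # registry key (HKCU\..\Run) or startup folder kind
    name: str                 # value name or shortcut name
    command: str              # command line or shortcut target
    user: Optional[str]       # the (User '...') suffix, if HijackThis printed one
    deferred_delete: Optional[str]  # file path a "cmd /c del" entry will remove


def parse_o4_line(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis line; return None for non-O4 or unrecognised lines."""
    line = line.strip()
    m = REG_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    d = DEL_RE.match(cmd)
    return O4Entry(m.group("loc"), m.group("name"), cmd, m.group("user"),
                   d.group("path") if d else None)


def parse_o4(text: str) -> List[O4Entry]:
    """All O4 entries in a HijackThis log, in log order."""
    return [e for e in (parse_o4_line(l) for l in text.splitlines()) if e]


def deferred_deletes(entries: List[O4Entry]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each file scheduled for deletion to the (location, value name) pairs that reference it."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for e in entries:
        if e.deferred_delete:
            out.setdefault(e.deferred_delete, []).append((e.location, e.name))
    return out


if __name__ == "__main__":
    entries = parse_o4(SAMPLE_LOG)
    for e in entries:
        who = f" (user {e.user})" if e.user else ""
        print(f"{e.location:<60} {e.name:<40}{who}")
    for path, refs in deferred_deletes(entries).items():
        print(f"\nscheduled delete of {path} referenced by {len(refs)} RunOnce value(s)")
```

Reading the output the way the helper did: an entry whose only purpose is `del` of a system32 DLL is a cleanup leftover rather than a persistence mechanism, so once the DLL is gone the value is harmless but should still be removed; the three references to the same path are the same Spybot action seen from HKCU and from the matching HKUS SID.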

caddy
2008-02-21, 05:44
Thanks for the help, Rip_chain. I have posted both logs. Thanks again.

ComboFix 08-02-15.1 - Administrator 02/20/2008 19:35:49.4 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-20 13:18 . 02/20/08 01:18p <DIR> d-------- C:\WINNT\ERUNT
2008-02-20 13:18 . 10/30/01 04:57a 402,192 --a------ C:\WINNT\SYSTEM32\dllcache\user32.dll
2008-02-20 12:59 . 02/20/08 07:35p <DIR> d-------- C:\SDFix
2008-02-18 21:11 . 02/20/08 01:00p 701,856 ---h----- C:\WINNT\ShellIconCache
2008-02-18 21:04 . 02/18/08 09:09p 7,935 --a------ C:\WINNT\Active Setup Log.BAK
2008-02-18 19:38 . 02/18/08 07:42p <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-02-14 22:52 . 02/14/08 10:52p <DIR> d-------- C:\Deckard
2008-02-14 17:40 . 02/14/08 05:40p <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:45 . 05/04/01 12:05p 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
2008-02-11 08:40 . 02/12/08 08:38a <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 16:28 . 02/10/08 03:59p 691,545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28 . 02/10/08 04:28p 3,453 --a------ C:\WINNT\unins000.dat
2008-02-02 13:28 . 02/02/08 01:28p <DIR> d-------- C:\Program Files\OLYMPUS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 00:49 --------- d-----w C:\Program Files\SpywareGuard
2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [05/08/01 04:00a 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 19:37:05
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 02/20/2008 19:37:56
ComboFix-quarantined-files.txt 2008-02-21 03:37:35
ComboFix2.txt 2008-02-16 21:29:50
ComboFix3.txt 2008-02-16 01:03:00
ComboFix4.txt 2008-02-15 06:30:38

caddy
2008-02-21, 05:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:53 PM, on 2/20/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 3517 bytes

__RiP_ChAiN_
2008-02-22, 21:02
Hello caddy :)

Your logs are looking much better, how is your computer currently running?

caddy
2008-02-23, 04:52
Rip_chain,
Things seem to be running much better and to my knowledge Virtumonde is gone. Thank you so much for your time and effort. It is much appreciated. What would you recommend I update or download to help with future problems?
Thanks Again
Caddy

caddy
2008-02-23, 21:34
Rip_chain,
I just noticed that I do still have an Adware Reviews icon in my startup list. Could this be a remnant of infection?
Many thanks!
caddy

__RiP_ChAiN_
2008-02-24, 06:38
Hello caddy :)


I just noticed that I do still have an Adware Reviews icon in my startup list. Could this be a remnant of infection?
More than likely just stray pieces; go ahead and just delete them.


What would you recommend I update or download to help with future problems?
I actually have some good suggestions for you on that count.

Please delete the following folder:

C:\Qoobox

Congratulations, your computer is now clean of malware!

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
IE/Spyad (http://www.bleepingcomputer.com/tutorials/tutorial53.html) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google Toolbar to help stop pop-up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
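The MVPS Hosts file recommendation above works because the resolver consults the local hosts file before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never reaches the ad or malware server. As an added example that is neither part of this thread nor the MVPS project's own tooling, the Python below parses a hosts file in that layout, answers whether a given name is sinkholed, and lists any mapping that points somewhere other than loopback so the user can review it (the MVPS file only ever uses loopback, so anything else in the file was put there by someone or something else). The sample file and its .test hostnames are constructed; the function names are this example's own, and first-match-wins lookup is an assumption about the resolver.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the MVPS layout: comment header, the mandatory localhost
# line, ad/tracker names pointed at loopback, and one ordinary mapping.
# All hostnames are placeholders under the reserved .test TLD.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS file
127.0.0.1 localhost
0.0.0.0   ads.example-tracker.test          # blocked
0.0.0.0   www.example-badware.test counter.example-badware.test
127.0.0.1 banner.example-ads.test
10.0.0.5  intranet.test                     # a normal, non-blocking mapping
"""

# Addresses the MVPS file uses to sinkhole a name.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map lower-cased hostname -> address. Comments and malformed lines are skipped;
    when a name appears twice the first mapping is kept (assumed first-match semantics)."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # address with no names, or vice versa
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # not an IP address; ignore the line
        for host in parts[1:]:
            mapping.setdefault(host.lower().rstrip("."), addr)
    return mapping


def is_sinkholed(mapping: Dict[str, str], host: str) -> bool:
    """True if the hosts file would send this name to loopback/unspecified."""
    return mapping.get(host.lower().rstrip(".")) in SINKHOLES


def non_sinkhole_entries(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Mappings that do not block: these deserve a look, since the MVPS file adds none."""
    return [(h, a) for h, a in mapping.items() if a not in SINKHOLES and h != "localhost"]


def summary(mapping: Dict[str, str]) -> Dict[str, int]:
    """Counts a user can compare against the MVPS changelog after an update."""
    blocked = sum(1 for h, a in mapping.items() if a in SINKHOLES and h != "localhost")
    has_localhost = 1 if "localhost" in mapping else 0
    return {"entries": len(mapping), "blocked": blocked,
            "other": len(mapping) - blocked - has_localhost}


if __name__ == "__main__":
    # On Windows NT-family systems the live file is %SystemRoot%\system32\drivers\etc\hosts;
    # here the constructed sample is used so the script runs offline.
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(summary(hosts))
    for name in ("ads.example-tracker.test", "intranet.test", "unknown.test"):
        print(f"{name:<28} sinkholed={is_sinkholed(hosts, name)}")
    for host, addr in non_sinkhole_entries(hosts):
        print(f"review: {host} -> {addr}")
```

The review list is the practitioner's check that the paragraph above does not spell out: a hosts file is a two-way tool, and an entry that sends a legitimate name to an address that is not loopback is exactly what should not silently survive a cleanup.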

caddy
2008-02-24, 09:13
Thanks for all the advice. However, I am unable to find the location where I can change the system restore function. Could it be that I have win 2000?

__RiP_ChAiN_
2008-02-25, 06:33
Yes, it's because you have Windows 2000. I always forget to custom-tailor these last remarks of mine for people running operating systems different from Windows XP. Please go ahead and skip the system restore steps.

__RiP_ChAiN_
2008-03-01, 00:04
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.