View Full Version : I'm infected with ? virtumonde maybe, wxudqfep.exe
blinky114
2008-05-02, 00:38
Hello,
I have to say this problem is kickin my behind. I'm an IT person working on a remote pc, but do get help with safe mode starts, etc. from the user. I use VNC to connect remotely.
I've cleaned with Spybot several times. Tried SDFix, which found nothing. Windows Defender (of course) finds nothing, no surprise there. Popups are less frequent, & some problems SpyBot did fix, as I now have access to TaskManager again. the latest popup is calling out TrojanDownloader.XS.
Scanned w/ Kaspersky web, it found 5? viruses infecting 15 items.
Thank you very much for any assistance you are able to render
blinks
here is my HJTLog:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:18, on 2008-05-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wxudqfep.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.141.231:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209677410996
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\Software\..\Telephony: DomainName = BEALLCORP.NET
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 9135 bytes
and KASPERSKY Virus SCAN:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-01 08:28
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/04/2008
Kaspersky Anti-Virus database records: 733438
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
G:\
S:\
U:\
Scan Statistics:
Total number of scanned objects: 37264
Number of viruses found: 5
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 02:35:12
Infected Object Name / Virus Name / Last Action
C:\DMI\WIN32\MifDB\errors.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\d4ab084915cda0549b1a54085095fa40_05360b70-c85e-4979-a995-4d918337c65c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01092007-160109.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080430_Time-101615208_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080430_Time-101615208_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_DEN1D02.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_DEN1D02.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\uvglszqz\wdsnarwx.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ryusem\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\History\History.IE5\MSHist012008043020080501\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\House\Flooring.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\House\Upstairs Floor.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\11 Names of messiah.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\a-free-magic-ebook.zip Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\a.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Angelic name and orders.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\AstoundingDemo.exe Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Asturias.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Background.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Basic Leg on Shoulder Guard Pass.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Book2.xls Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\cardtricks.exe Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\cell%20plan.pdf Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\ConocoPhillips.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\D14.pdf Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Danny Magen.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Desktop.ini Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Enochian script.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\GMS_memory.pdf Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\High Altitude Martial Arts.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Irin.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Just a Touch of magic.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\kl.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\LKJ.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\MEMORY.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Mossad.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\My words.xls Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Mystery of Shambhala.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\OIL STOCK TO BUY.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\PHYS THER.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\PRELIMINARY PLANS.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\PRRFENTRY_form_200801.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\PRRF_Catalog_200801.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\RMHS_Membership_Application.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Rosh Hashanna.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\ryusem83Ways[1].pdf Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\Cheap screen printing tutorial.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\Desktop.ini Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\Gaelic Judo.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\LKJ.pdf Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\LKJ2.pdf Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\sHIRT.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\TER.pdf Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Shirt\TER2.pdf Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Slowly digesting his stomach he reached over.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Story Climax.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Street tongue.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Sunday.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\tabs.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Taken from a friend.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Together they would tackle everything.doc Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\Vocab list.pdf Object is locked skipped
C:\Documents and Settings\ryusem\My Documents\Misc\~$gelic name and orders.doc Object is locked skipped
C:\Documents and Settings\ryusem\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ryusem\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\quarantine\Av-test.txt.Vir Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005645.exe Infected: Trojan.Win32.Vapsup.elk skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005646.dll Infected: Trojan.Win32.Vapsup.elk skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005648.dll Infected: Trojan.Win32.Vapsup.elk skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005649.dll Infected: Trojan.Win32.Vapsup.elk skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005668.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005687.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP2\A0006754.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP2\A0006755.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP4\A0007837.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP4\A0007838.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP4\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi blinky114
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
blinky114
2008-05-02, 19:42
Here is the rapport.txt
Thank you,
blinky114
SmitFraudFix v2.319
Scan done at 11:33:01.38, 2008-05-02
Run from C:\Documents and Settings\ryusem\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» U:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ryusem
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ryusem\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ryusem\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.141.228
DNS Server Search Order: 192.168.141.221
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A8161A1F-F2F7-40BC-83A9-60AEEED99A75}: DhcpNameServer=192.168.141.228 192.168.141.221
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A8161A1F-F2F7-40BC-83A9-60AEEED99A75}: DhcpNameServer=192.168.141.228 192.168.141.221
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A8161A1F-F2F7-40BC-83A9-60AEEED99A75}: DhcpNameServer=192.168.141.228 192.168.141.221
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.141.228 192.168.141.221
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.141.228 192.168.141.221
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.141.228 192.168.141.221
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Hi
OK, nothing there.
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
blinky114
2008-05-02, 20:22
Deckard's System Scanner v20071014.68
Run by ryusem on 2008-05-02 12:09:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
7: 2008-05-02 18:10:08 UTC - RP7 - Deckard's System Scanner Restore Point
6: 2008-05-01 21:57:03 UTC - RP6 - Software Distribution Service 3.0
5: 2008-05-01 21:50:11 UTC - RP5 - Software Distribution Service 3.0
4: 2008-04-30 12:38:26 UTC - RP4 - Software Distribution Service 3.0
3: 2008-04-29 19:38:33 UTC - RP3 - Installed Windows Media Format Runtime
-- First Restore Point --
1: 2008-04-26 15:59:57 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 383 MiB (512 MiB recommended).
-- HijackThis (run as ryusem.exe) ----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12, on 2008-05-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\UltraVNC\winvnc.exe
C:\Documents and Settings\ryusem\Desktop\dss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\ryusem.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.141.231:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209677410996
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\Software\..\Telephony: DomainName = BEALLCORP.NET
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 9353 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R1 omci - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 ActionAgent - c:\program files\dell\openmanage\client\actionagent.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 DellDmi - c:\dmi\win32\bin\delldmi.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 DEventAgent - c:\program files\dell\openmanage\client\eventagt.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 DLT - c:\program files\dell\openmanage\client\dlt.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 Iap - c:\program files\dell\openmanage\client\iap.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 Win32Sl - c:\dmi\win32\bin\win32sl.exe <Not Verified; Intel; DMI 2.0s SDK>
S2 winvnc (VNC Server) - "c:\program files\ultravnc\winvnc.exe" -service <Not Verified; UltraVNC; UltraVNC>
S3 Cwbrxd (iSeries Access for Windows Remote Command) - c:\windows\cwbrxd.exe <Not Verified; IBM Corporation; IBM(R) iSeries (TM) Access for Windows>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&4F9938A&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&4F9938A&0
Service: i8042prt
-- Scheduled Tasks -------------------------------------------------------------
2008-05-02 06:18:01 260 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-05-01 16:12:02 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-01 10:57:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2008-04-02 and 2008-05-02 -----------------------------
2008-05-02 12:09:01 0 d-------- U:\Deckard
2008-05-02 11:33:20 2212 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-01 15:59:18 0 d-------- C:\WINDOWS\network diagnostic
2008-05-01 15:14:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-01 14:39:14 0 d-------- C:\WINDOWS\ERUNT
2008-05-01 10:07:58 110592 --a------ C:\WINDOWS\system32\wxudqfep.exe
2008-04-30 13:12:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 13:12:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-30 10:08:49 0 dr-h----- C:\Documents and Settings\ryusem\Recent
2008-04-29 09:19:15 68096 --a------ C:\WINDOWS\zip.exe
2008-04-29 09:19:15 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-29 09:19:15 98816 --a------ C:\WINDOWS\sed.exe
2008-04-29 09:19:15 80412 --a------ C:\WINDOWS\grep.exe
2008-04-29 09:19:15 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-29 09:19:14 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-29 09:19:14 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-29 09:19:14 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-29 08:25:49 0 d-------- C:\Program Files\Trend Micro
2008-04-28 10:37:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 10:03:19 0 d--h----- C:\WINDOWS\PIF
2008-04-28 06:28:48 0 d-------- C:\Documents and Settings\ryusem\Application Data\TmpRecentIcons
2008-04-26 10:22:20 0 dr-h----- C:\Documents and Settings\KROBERTS\Recent
2008-04-26 08:43:00 0 d-------- C:\Documents and Settings\KROBERTS\Application Data\TmpRecentIcons
2008-04-26 07:00:25 0 d-------- C:\Documents and Settings\All Users\Application Data\uvglszqz
2008-04-18 07:30:53 1380 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
-- Find3M Report ---------------------------------------------------------------
2008-04-30 07:42:55 27888 --a----c- C:\Documents and Settings\ryusem\Application Data\GDIPFONTCACHEV1.DAT
2008-04-28 14:08:34 0 d-------- C:\Program Files\UltraVNC
2008-04-25 12:00:30 0 d-------- C:\Documents and Settings\ryusem\Application Data\Adobe
2008-04-18 06:30:43 0 d-------- C:\Program Files\Microsoft Silverlight
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2005-08-06 20:45]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 04:06]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 21:00]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"gtjcrnvp"="C:\WINDOWS\system32\gxolwpyj.exe" []
"vvygnutp"="C:\WINDOWS\system32\wxudqfep.exe" [2008-05-01 10:07]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
*Newly Created Service* - ENTDRV51
-- End of Deckard's System Scanner: finished at 2008-05-02 12:14:47 ------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 77%
Physical Memory (total/avail): 382.23 MiB / 86.16 MiB
Pagefile Memory (total/avail): 963.38 MiB / 322.92 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.3 MiB
A: is Removable (FAT)
C: is Fixed (NTFS) - 9.56 GiB total, 3.26 GiB free.
D: is CDROM (CDFS)
G: is Network (NTFS)
S: is Network (NTFS)
U: is Network (NTFS)
\\.\PHYSICALDRIVE0 - QUANTUM FIREBALLP AS10.2 - 9.57 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 9.56 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
FirstRunDisabled is set.
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:UltraVNC Server"
"C:\\WINDOWS\\system32\\ping.exe"="C:\\WINDOWS\\system32\\ping.exe:*:Enabled:ping.exe"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe"="C:\\WINDOWS\\TIREMOTE\\TIRemoteService.exe:*:Enabled:Track-It! Workstation Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\UltraVNC\\winvnc.exe"="C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32"
"C:\\WINDOWS\\system32\\ping.exe"="C:\\WINDOWS\\system32\\ping.exe:*:Enabled:ping.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ryusem\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DEN1D02
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\den1dc\users\ryusem
LOGONSERVER=\\DEN1DC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\DMI\WIN32\BIN;C:\PROGRA~1\IBM\CLIENT~1;C:\PROGRA~1\IBM\CLIENT~1\Shared;C:\PROGRA~1\IBM\CLIENT~1\Emulator;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ryusem\LOCALS~1\Temp
TMP=C:\DOCUME~1\ryusem\LOCALS~1\Temp
USERDNSDOMAIN=BEALLCORP.NET
USERDOMAIN=BEALLCORP
USERNAME=ryusem
USERPROFILE=C:\Documents and Settings\ryusem
WIN32DMIPATH=C:\DMI\WIN32
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
KROBERTS (admin)
ryusem (admin)
deleteme (admin)
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\AFPViewr\DeIsL1.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL10.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL11.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL12.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL13.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL14.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL15.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL16.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL17.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL2.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL3.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL4.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL45.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL5.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL6.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL7.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL8.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\DeIsL9.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL1.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\Client Access\Emulator\DeIsL2.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Amazing Windows XP Screen Saver 1.2 --> C:\WINDOWS\unins001.exe
Apple Mobile Device Support --> MsiExec.exe /I{967D588C-9B96-40C9-A222-DCD6922563CA}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Dell OpenManage Client Instrumentation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0773A806-0853-4B4D-8771-55BEF03E242B}\Setup.exe" -l0x9 -f1C:\PROGRA~1\Dell\OPENMA~1\Client\uninst.iss
Free PS Convert driver 8.15 --> "C:\Program Files\psconvert\unins000.exe"
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IBM iSeries Access for Windows --> "C:\Program Files\IBM\Client Access\cwbinarp.exe"
Israel Radio Toolbar --> C:\PROGRA~1\ISRAEL~1\UNWISE.EXE C:\PROGRA~1\ISRAEL~1\INSTALL.LOG
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Mdu --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Mdu\ST6UNST.LOG"
Microsoft Office Sounds --> MsiExec.exe /I{10CE1EA2-12E9-11D3-825E-00C04F6843FE}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Move Networks Player for Internet Explorer --> "C:\Documents and Settings\kroberts\Application Data\Move Networks\ie_bin\unins000.exe"
Mozilla Firefox (1.5) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (en-US)"
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NILE THEME --> MsiExec.exe /X{B19C841C-D60A-462F-AB86-4FDD51A77FA3}
oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Ulead GIF Animator 5 TBYB --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8AF3E926-ED59-11D4-A44B-0000E86D2305}\Setup.exe" -l0x9
UltraVNC v1.0.1 --> "C:\Program Files\UltraVNC\unins000.exe"
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XML Paper Specification Shared Components Pack 1.0 -->
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
-- Application Event Log -------------------------------------------------------
Event Record #/Type2095 / Warning
Event Submitted/Written: 05/02/2008 00:13:42 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DEN1D02 IP 192.168.131.34 user SYSTEM running VirusScan Enter 8.0 OAS)
Event Record #/Type2094 / Warning
Event Submitted/Written: 05/02/2008 00:13:42 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from DEN1D02 IP 192.168.131.34 user SYSTEM running VirusScan Enter 8.0 OAS)
Event Record #/Type2091 / Error
Event Submitted/Written: 05/02/2008 09:07:46 AM
Event ID/Source: 2001 / Microsoft Office 10
Event Description:
Rejected Safe Mode action : Microsoft Outlook.
Event Record #/Type2079 / Warning
Event Submitted/Written: 05/01/2008 04:06:02 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event Record #/Type2068 / Warning
Event Submitted/Written: 05/01/2008 03:21:39 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type60982 / Warning
Event Submitted/Written: 05/02/2008 11:35:57 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.
For more information please see the following:
%BEALLCORP275
Scan ID: {52455084-9B07-440C-8427-84F6E3CA9B16}
User: BEALLCORP\ryusem
Name: %BEALLCORP271
ID: %BEALLCORP272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %BEALLCORP276
Alert Type: %BEALLCORP278
Detection Type: 1.1.1593.02
Event Record #/Type60981 / Warning
Event Submitted/Written: 05/02/2008 11:35:57 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.
For more information please see the following:
%BEALLCORP275
Scan ID: {72010C38-44E5-4F4F-BF7F-61B54B776A6A}
User: BEALLCORP\ryusem
Name: %BEALLCORP271
ID: %BEALLCORP272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %BEALLCORP276
Alert Type: %BEALLCORP278
Detection Type: 1.1.1593.02
Event Record #/Type60980 / Warning
Event Submitted/Written: 05/02/2008 11:35:57 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.
For more information please see the following:
%BEALLCORP275
Scan ID: {355BAD1B-B840-4AD5-B1F7-57856421BB23}
User: BEALLCORP\ryusem
Name: %BEALLCORP271
ID: %BEALLCORP272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %BEALLCORP276
Alert Type: %BEALLCORP278
Detection Type: 1.1.1593.02
Event Record #/Type60979 / Warning
Event Submitted/Written: 05/02/2008 11:35:56 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.
For more information please see the following:
%BEALLCORP275
Scan ID: {AFEA53E3-03F0-4864-8DD7-94449A53A755}
User: BEALLCORP\ryusem
Name: %BEALLCORP271
ID: %BEALLCORP272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %BEALLCORP276
Alert Type: %BEALLCORP278
Detection Type: 1.1.1593.02
Event Record #/Type60978 / Warning
Event Submitted/Written: 05/02/2008 11:35:56 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%BEALLCORP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %BEALLCORP27 can't undo changes that you allow.
For more information please see the following:
%BEALLCORP275
Scan ID: {84B6C791-52D0-49CF-84CA-BCB57547D805}
User: BEALLCORP\ryusem
Name: %BEALLCORP271
ID: %BEALLCORP272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %BEALLCORP276
Alert Type: %BEALLCORP278
Detection Type: 1.1.1593.02
-- End of Deckard's System Scanner: finished at 2008-05-02 12:14:47 ------------
Hi
Open HijackThis, click do a system scan only and checkmark these:
O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe
Close all windows including browser and press fix checked.
Reboot.
Delete these:
C:\WINDOWS\system32\gxolwpyj.exe
C:\WINDOWS\system32\wxudqfep.exe
C:\Documents and Settings\All Users\Application Data\uvglszqz
Empty Recycle Bin.
Post back a fresh HijackThis log.
blinky114
2008-05-05, 17:22
Hi Shaba - Here is the new HJT Logfile. I see that the same items are still here.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:18, on 2008-05-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.141.231:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209677410996
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\Software\..\Telephony: DomainName = BEALLCORP.NET
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 9189 bytes
Hi
Yes, they are.
Windows Defender
1. Click on "Tools"
2. Click on "General Settings"
3. Scroll down to "Real-time protection options"
4. Uncheck "Turn on Real-time protection (recommended)"
5. Click "Save"
Open HijackThis, click do a system scan only and checkmark these:
O3 - Toolbar: (no name) - {C71F6A92-8438-46A4-9237-15A1F1AF179D} - (no file)
O4 - HKCU\..\Run: [gtjcrnvp] C:\WINDOWS\system32\gxolwpyj.exe
O4 - HKCU\..\Run: [vvygnutp] C:\WINDOWS\system32\wxudqfep.exe
Close all windows including browser and press fix checked.
Reboot.
Re-run dss.
Post a fresh dss log (main.txt)
blinky114
2008-05-05, 18:12
Shaba,
removed WinDfndr 'real-time protection'
deleted other keys (checked fix in HJT)
rebooted
dss log below - thank you, blinkks
Deckard's System Scanner v20071014.68
Run by ryusem on 2008-05-05 10:07:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Percentage of Memory in Use: 91% (more than 75%).
Total Physical Memory: 383 MiB (512 MiB recommended).
-- HijackThis (run as ryusem.exe) ----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08, on 2008-05-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Documents and Settings\ryusem\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ryusem.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.141.231:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209677410996
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\Software\..\Telephony: DomainName = BEALLCORP.NET
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 8933 bytes
-- Files created between 2008-04-05 and 2008-05-05 -----------------------------
2008-05-02 12:09:01 0 d-------- U:\Deckard
2008-05-02 11:33:20 2212 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-01 15:59:18 0 d-------- C:\WINDOWS\network diagnostic
2008-05-01 15:14:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-01 14:39:14 0 d-------- C:\WINDOWS\ERUNT
2008-04-30 13:12:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 13:12:31 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-30 10:08:49 0 dr-h----- C:\Documents and Settings\ryusem\Recent
2008-04-29 09:19:15 68096 --a------ C:\WINDOWS\zip.exe
2008-04-29 09:19:15 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-29 09:19:15 98816 --a------ C:\WINDOWS\sed.exe
2008-04-29 09:19:15 80412 --a------ C:\WINDOWS\grep.exe
2008-04-29 09:19:15 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-29 09:19:14 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-29 09:19:14 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-29 09:19:14 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-29 08:25:49 0 d-------- C:\Program Files\Trend Micro
2008-04-28 10:37:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 10:03:19 0 d--h----- C:\WINDOWS\PIF
2008-04-28 06:28:48 0 d-------- C:\Documents and Settings\ryusem\Application Data\TmpRecentIcons
2008-04-26 10:22:20 0 dr-h----- C:\Documents and Settings\KROBERTS\Recent
2008-04-26 08:43:00 0 d-------- C:\Documents and Settings\KROBERTS\Application Data\TmpRecentIcons
2008-04-18 07:30:53 1380 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
-- Find3M Report ---------------------------------------------------------------
2008-04-30 07:42:55 27888 --a----c- C:\Documents and Settings\ryusem\Application Data\GDIPFONTCACHEV1.DAT
2008-04-28 14:08:34 0 d-------- C:\Program Files\UltraVNC
2008-04-25 12:00:30 0 d-------- C:\Documents and Settings\ryusem\Application Data\Adobe
2008-04-18 06:30:43 0 d-------- C:\Program Files\Microsoft Silverlight
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinVNC"="C:\Program Files\UltraVNC\WinVNC.exe" [2005-08-06 20:45]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 04:06]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 21:00]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
-- End of Deckard's System Scanner: finished at 2008-05-05 10:09:01 ------------
Hi
Great, now there are gone :)
Re-scan with kaspersky.
Post:
- a fresh HijackThis log
- kaspersky report
blinky114
2008-05-06, 17:23
Shaba - thanks for your help, as requested :)
blinky
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:21, on 2008-05-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\dmi\win32\bin\Win32sl.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\IBM\Client Access\Emulator\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotsheet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.141.231:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Israel Radio Toolbar - {5dc2c36d-747c-4fee-8bc3-e86c21981440} - C:\Program Files\Israel_Radio\tbIsr1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209677410996
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\Software\..\Telephony: DomainName = BEALLCORP.NET
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BEALLCORP.NET
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 9399 bytes
Kaspersky Scan Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-06 09:18
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/05/2008
Kaspersky Anti-Virus database records: 742239
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
U:\
Scan Statistics:
Total number of scanned objects: 38633
Number of viruses found: 6
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 02:35:35
Infected Object Name / Virus Name / Last Action
C:\DMI\WIN32\MifDB\errors.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\d4ab084915cda0549b1a54085095fa40_05360b70-c85e-4979-a995-4d918337c65c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01092007-160109.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080506_Time-062949895_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080506_Time-062949895_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_DEN1D02.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_DEN1D02.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\EmailOnDeliveryLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ryusem\Application Data\Microsoft\Outlook\outitems.log Object is locked skipped
C:\Documents and Settings\ryusem\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\ryusem\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\ryusem\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ryusem\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temp\~DF11D7.tmp Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temp\~DF120D.tmp Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temp\~DF16B9.tmp Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temp\~DF9B7B.tmp Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temp\~DF9B88.tmp Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temp\~WRD0001.doc Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temp\~WRS0000.tmp Object is locked skipped
C:\Documents and Settings\ryusem\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ryusem\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ryusem\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\quarantine\Av-test.txt.Vir Object is locked skipped
C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RAR: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005645.exe Infected: Trojan.Win32.Vapsup.elk skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005648.dll Infected: Trojan.Win32.Vapsup.elk skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005649.dll Infected: Trojan.Win32.Vapsup.elk skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005668.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP1\A0005687.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP2\A0006754.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP2\A0006755.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP4\A0007837.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP4\A0007838.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP7\A0010426.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP7\A0010427.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{525A8A03-7DB2-47CF-BDFF-07AEA779E4EC}\RP8\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{847FBD1D-BDB6-4728-995A-0158DC7A53F4}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
U:\Deckard\System Scanner\20080505100720\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
Scan process completed.
Hi
Empty this folder:
C:\QooBox\Quarantine\
Empty Recycle Bin.
Still problems?
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.