PDA

View Full Version : Need help to remove malware!



spiderroll
2008-05-20, 05:14
Hi,

I have gotten some malware/spyware(s). I am assuming not virus because Norton Antivirus didn't catch it at all. The infection has mostly damaged the registry setting so bad that it seemed even trying to disabled many of the basic tools I use for detecting them.

The malware/spyware:
1. Made google, msn search result false links to many other sites.
2. Prevents me to visit many of the antispyware provider's websites, including this forum, S&D website, Kaspersky ( I can't do the scan because of it), and many others.
3. I can't visit Microsoft MSDN site. It always redirect back to my localhost. It also prevented me from downloading Defender from Microsoft.
4. My notepad can no longer save file to the right encoding. It seemt to save files to Unicode but then does not display correctly.
5. Disabled Taskmanager.

I have downloaded Spybot scanner from a different computer and did a full scan. It cleaned up some registries and cookies, but the problem didn't go away. I also tried PC Tools Spyware doctor, Ad-Aware, and the Defender. Nothing can remove this worm or whatever it is!

Since I can't even visit Kaspersky site, can only provide the log from HijackThis. Please help. Thank you.


=======================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:21 PM, on 5/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\PROGRA~1\MI4F93~1\webtool.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\download\security\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [Apoint] ;;C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] ;;"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] ;;"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\\BacsTray.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] ;;C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {02A08EC5-C341-4BE5-AD4F-62215D2407EF} (ApplicationSharing Class) - https://wip3.webdialogs.com/components/WDATL70.CAB
O16 - DPF: {03A89EFD-E023-8000-A22D-45F77558EB4C} (ILINCInstall80 Class) - https://lm-learnlinc-8.ilinc.com/download/ilinci80.dll
O16 - DPF: {03A89EFD-E023-8500-A22D-45F77558EB4C} (ILINCInstall85 Class) - https://content.ilinc.com/clientdownload/download/ilinci85.dll
O16 - DPF: {03A89EFD-E023-8600-A22D-45F77558EB4C} (ILINCInstall86 Class) - https://content.ilinc.com/clientdownload/download/ilinci86.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {098A3F72-3110-4004-B954-2F9DC44934B4} (AddSHCARoot Control) - http://211.160.79.7:8080/corp/cab/AddSHCARootCert.cab
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {58D5690D-55A6-4B0B-B735-D0C82E14700C} (ApplicationSharing Class) - https://wip3.webdialogs.com/components/WDATL72.CAB
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=f54081b9c321c366d532e8c448d51ca5&url=http%3A%2F%2Fd.69.25.47.35.downloads.estara.com.%2Fas%2FOneCCDM.php&template=29983&sessionid=2104010629_69.25.47.95_39928&=&req=1185332597254OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133723882194
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://b2c.icbc.com.cn/icbc/perbank/AXSafeControls.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games ?Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F876800A-608B-4696-9AD6-1E7F558418DD} (WebEduCtl Class) - http://211.160.79.7:8080/corp/cab/WebEduControl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceENDIVADB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)
O23 - Service: WLANKEEPER - IntelR Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 16152 bytes

shelf life
2008-05-26, 16:32
hi,

sounds like you have more than malware problems. see if you can get a copy of sdfix on there to run. its 1.4MB, will fit on a usb flash drive. need to run it in safe mode. you are running a web server?

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

spiderroll
2008-05-28, 01:19
Hi,

I am so glad that I finally got some help. I really appreciate your reply and instructions. I have downloaded, executed nd finished the SDFix in Safe Mode which generated the Report.txt as shown below. I also generated a new HijackThis log following the SDFix log.

Thanks again. (I totally regret the decision I made before I put my finger on that mouse click...)


======================================================
Start of SDFix Report.txt
======================================================

SDFix: Version 1.186
Run by wwu on 05/27/2008 Tue at 04:07 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 16:47:31
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Bluetooth ph_赩
"Driver"="bthcrp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Bluetooth ph_赩
"Driver"="bthcrp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbdll.dll 31560 bytes executable
C:\WINDOWS\system32\clbinit.dll 1695 bytes
C:\WINDOWS\system32\clbcatex.dll 110592 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll 110592 bytes executable
C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll 498688 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll 498688 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\clbcatex.dll 110592 bytes executable
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\clbcatq.dll 498688 bytes executable
C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 41023 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 15


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"="C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE:*:Enabled:Microsoft (R) Visual Studio VSA RPC Event Creator"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\D-Link\\D-Link Wireless LAN AP Manager\\APC.exe"="C:\\Program Files\\D-Link\\D-Link Wireless LAN AP Manager\\APC.exe:*:Enabled:APCenter Wireless LAN Management System"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\RAIDar\\RAIDar.exe"="C:\\Program Files\\RAIDar\\RAIDar.exe:*:Enabled:RAIDar"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Documents and Settings\\Wayne Wu\\Local Settings\\Temp\\occ.exe"="C:\\Documents and Settings\\Wayne Wu\\Local Settings\\Temp\\occ.exe:*:Enabled:OneCC Module"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\MSSOAP\\Binaries\\MsSoapT3.exe"="C:\\Program Files\\MSSOAP\\Binaries\\MsSoapT3.exe:*:Enabled:Microsoft Soap Toolkit 3.0 Trace Tool"
"C:\\Program Files\\WebAVD\\BIZ\\EduApp.exe"="C:\\Program Files\\WebAVD\\BIZ\\EduApp.exe:*:Enabled:EduApp"
"C:\\Program Files\\Oracle\\jre\\1.3.1\\bin\\java.exe"="C:\\Program Files\\Oracle\\jre\\1.3.1\\bin\\java.exe:*:Enabled:java"
"C:\\Documents and Settings\\Wayne Wu\\Local Settings\\Temp\\OraInstall2007-10-23_12-13-18PM\\jre\\bin\\javaw.exe"="C:\\Documents and Settings\\Wayne Wu\\Local Settings\\Temp\\OraInstall2007-10-23_12-13-18PM\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:WindowsR NetMeetingR"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"C:\\Program Files\\WebAVD\\CallCenter\\888\\CCApp.exe"="C:\\Program Files\\WebAVD\\CallCenter\\888\\CCApp.exe:*:Enabled:CCApp Module"
"C:\\Program Files\\WebAVD\\ReceptionRoom\\888\\ReceptionRoom.exe"="C:\\Program Files\\WebAVD\\ReceptionRoom\\888\\ReceptionRoom.exe:*:Enabled:ReceptionRoom Module"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Documents and Settings\\Wayne Wu\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Wayne Wu\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 15 Nov 2005 56 ..SHR --- "C:\WINDOWS\system32\2A334528B0.sys"
Tue 15 Nov 2005 3,766 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 28 Jan 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 12 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 21 Dec 2007 873,704 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\ar00000\install.exe"
Fri 21 Dec 2007 6,157,296 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\in00000\setup.exe"
Fri 21 Dec 2007 873,704 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\Upgrade\install1.exe"
Fri 21 Dec 2007 6,157,296 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\Upgrade\setup1.exe"
Sat 28 Jan 2006 4,348 ...H. --- "C:\Documents and Settings\Wayne Wu\My Documents\My Music\License Backup\drmv1key.bak"
Sat 28 Jan 2006 20 A..H. --- "C:\Documents and Settings\Wayne Wu\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 28 Jan 2006 400 A.SH. --- "C:\Documents and Settings\Wayne Wu\My Documents\My Music\License Backup\drmv2key.bak"
Tue 30 Sep 2003 46,080 A..H. --- "C:\Operations\ENDIVA USA\Clients\tccgw\TCCGW Letters\~WRL3363.tmp"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Wed 20 Feb 2008 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Finished!


======================================================
End of SDFix Report.txt
======================================================


#################################################
Start of New HijackThis Log
#################################################

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:04 PM, on 5/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\BIN\TNSLSNR.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\PROGRA~1\MI4F93~1\webtool.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\download\security\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [Apoint] ;;C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] ;;"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] ;;"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\\BacsTray.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] ;;C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {02A08EC5-C341-4BE5-AD4F-62215D2407EF} (ApplicationSharing Class) - https://wip3.webdialogs.com/components/WDATL70.CAB
O16 - DPF: {03A89EFD-E023-8000-A22D-45F77558EB4C} (ILINCInstall80 Class) - https://lm-learnlinc-8.ilinc.com/download/ilinci80.dll
O16 - DPF: {03A89EFD-E023-8500-A22D-45F77558EB4C} (ILINCInstall85 Class) - https://content.ilinc.com/clientdownload/download/ilinci85.dll
O16 - DPF: {03A89EFD-E023-8600-A22D-45F77558EB4C} (ILINCInstall86 Class) - https://content.ilinc.com/clientdownload/download/ilinci86.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {098A3F72-3110-4004-B954-2F9DC44934B4} (AddSHCARoot Control) - http://211.160.79.7:8080/corp/cab/AddSHCARootCert.cab
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {58D5690D-55A6-4B0B-B735-D0C82E14700C} - https://wip3.webdialogs.com/components/WDATL72.CAB
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=f54081b9c321c366d532e8c448d51ca5&url=http%3A%2F%2Fd.69.25.47.35.downloads.estara.com.%2Fas%2FOneCCDM.php&template=29983&sessionid=2104010629_69.25.47.95_39928&=&req=1185332597254OneCC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133723882194
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://b2c.icbc.com.cn/icbc/perbank/AXSafeControls.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games ?Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F876800A-608B-4696-9AD6-1E7F558418DD} (WebEduCtl Class) - http://211.160.79.7:8080/corp/cab/WebEduControl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceENDIVADB - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)
O23 - Service: WLANKEEPER - IntelR Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 15471 bytes

shelf life
2008-05-28, 03:40
hi,

looks like a possible rootkit. i would use the computer as little as possible and pull the plug on the modem/router when not in use. dont do anything financial or involving personal data

thanks for the info, lets get a copy of malwarebytes on there:
i would run it twice just for the heck of it.

Please download Malwarebytes' Anti-Malware to your desktop:

http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

post the malwarebytes log please.

spiderroll
2008-05-28, 03:54
Hi,

Thanks for the fast reply. I have downloaded the mbam-setup program, but it wouldn't run. After double-clicking the program from desktop, is shows the hourglass for a couple of seconds and then nothing happpens. I wonder why... Please advise.

By the way, just to keep you noted, malwarebytes website is also not accessible from my infected computer. I had to use a different computer to download the program.

Thanks.

shelf life
2008-05-28, 04:09
hi,



malwarebytes website is also not accessible from my infected computer.
you can get this to try and reset the host file:

Download the Hoster from here:>>http://www.members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
reboot computer and see if you can get to sites that were blocked before:
--------------
see if you can get copy of SAS:
Please download SUPERAntiSpyware Home Edition:

http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.

On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click
Yes.

To retrieve the removal information - please do the following:

* After reboot, double-click the SUPERAntispyware icon on your desktop.
* Click Preferences . Click the Statistics/Logs tab .
* Under Scanner Logs , double-click SUPERAntiSpyware Scan Log .
* It will open in your default text editor (Notepad).
* Please highlight everything , then right-click and choose copy.
* Click close and close again to exit the program.

post the SAS log please.

spiderroll
2008-05-28, 05:03
For some reason, the other computer also can't not download hoster.zip. But instead of giving me HTTP 403 error, the IE popped up a message: "Internet Explorer cannot download hoster.zip from www.members.aol.com. Internet Explorer was not able to open this Internet site. The request site is either unavailable or cannot be found. Please try again."

I tried http://www.members.aol.com/toadbee/ which will display a page. It seems may be the hoster.zip file no longer exists.

So I download the super anti-spyware using the other computer instead. When I accepted to update definitions during the installation of super anti-spyware, it returned an error "There was an error trying to retrieve definition.." So I went ahead to do a scan anyway. Then it gave the blue screen. Any ideas?... thanks.

shelf life
2008-05-28, 05:29
i checked the link, worked ok.
http://www.members.aol.com/toadbee/hoster.zip

forget all that see if you can get a copy of gmer on there:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit/Malware tab and click the Scan button.

Please, do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

you should know that the general advice for rootkit activity is a reformat/reinstall of windows. once its been compromised by a rootkit it can no longer be trusted.

spiderroll
2008-05-28, 05:39
Sorry, I needed to ask this: What is a rootkit anyway? Is my computer infected by it?

shelf life
2008-05-28, 05:43
its possible you might have one cant say for sure-- gmer app will hopefully confirm that. a rookit is a set of tools that can hide from the regular AV/malware apps.

http://en.wikipedia.org/wiki/Rootkit

spiderroll
2008-05-28, 06:20
Hi,

Thanks for the educational link. I think I do have rootkit activity in my computer. Below is the result from the scan.

====================================

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-27 23:18:37
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB74F4F20]

Code E1DC7F20 ZwEnumerateKey
Code E1DBE6C6 ZwQueryDirectoryFile
Code E1DBE6C5 NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP E1DC7F24
PAGE ntoskrnl.exe!NtQueryDirectoryFile 80572111 5 Bytes JMP E1DBE6CA

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \Fat B30DAD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Modules - GMER 1.0.14 ----

Module \??\globalroot\systemroot\system32\drivers\clbdriver.sys (*** hidden *** ) F7777000-F777C000 (20480 bytes)
---- Processes - GMER 1.0.14 ----

Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [172] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [220] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [280] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [288] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [444] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [520] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Digital Line Detect\DLG.exe [584] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [704] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [732] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\RAdmin\Radmin.exe [984] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1208] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1296] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1328] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Common Files\Real\Update_OB\realsched.exe [1556] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1604] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1720] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\inetsrv\inetinfo.exe [1808] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [1872] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [1912] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Windows Defender\MsMpEng.exe [1916] 0x76FD0000
Library C:\WINDOWS\System32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1964] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe [2164] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe [2220] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe [2284] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe [2592] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2672] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [2696] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [2740] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2968] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3004] 0x76FD0000
Library C:\WINDOWS\System32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3068] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3396] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\PROGRA~1\MI4F93~1\webtool.exe [3460] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [3624] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Windows Media Player\WMPNetwk.exe [3820] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe [3972] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe [4072] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Broadcom\BACS\BacsTray.exe [4124] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Dell Support Center\bin\sprtcmd.exe [4228] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [4524] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Windows Defender\MSASCui.exe [4640] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe [4704] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Skype\Phone\Skype.exe [4728] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe [4796] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\DellSupport\DSAgnt.exe [4804] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe [4832] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [4936] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Skype\Plugin Manager\skypePM.exe [4952] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [4960] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\download\security\gmer.exe [4968] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe [4996] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Dell\QuickSet\quickset.exe [5212] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [5280] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [5424] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5432] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Dell\Media Experience\DMXLauncher.exe [5488] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [5524] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\WINDOWS\system32\mdm.exe [6012] 0x76FD0000
Library C:\WINDOWS\system32\CLBCATQ.DLL (*** hidden *** ) @ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe [6040] 0x76FD0000

---- Services - GMER 1.0.14 ----

Service globalroot\systemroot\system32\drivers\clbdriver.sys (*** hidden *** ) [SYSTEM] clbdriver <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll@1 0xB6 0x00 0xB6 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll@1 0xCF 0x24 0x2A 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll@1 0x6A 0xB7 0x9D 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Bluetooth
Reg HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Bluetooth @Driver bthcrp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\clbdriver@imagepath \??\globalroot\systemroot\system32\drivers\clbdriver.sys
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll@1 0xB6 0x00 0xB6 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll@1 0xCF 0x24 0x2A 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll@0 0x2A 0x00 0x3E 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll@1 0x6A 0xB7 0x9D 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Control\Print\Monitors\Bluetooth
Reg HKLM\SYSTEM\ControlSet002\Control\Print\Monitors\Bluetooth @Driver bthcrp.dll
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\clbdriver.sys
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\clbdriver.sys@ driver
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\clbdriver.sys
Reg HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\clbdriver.sys@ driver
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\clbdriver@imagepath \??\globalroot\systemroot\system32\drivers\clbdriver.sys

---- Files - GMER 1.0.14 ----

File C:\i386\clb.dll 10752 bytes
File C:\i386\clbcatex.dll 110080 bytes
File C:\i386\clbcatq.dll 498688 bytes
File C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes
File C:\WINDOWS\system32\clbcatq.dll 498688 bytes
File C:\WINDOWS\system32\clbdll.dll 31560 bytes
File C:\WINDOWS\system32\clbinit.dll 1695 bytes
File C:\WINDOWS\system32\clbcatex.dll 110592 bytes
File C:\WINDOWS\system32\clb.dll 10752 bytes
File C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll 110592 bytes
File C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll 498688 bytes
File C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes
File C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes
File C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll 110080 bytes
File C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll 498688 bytes
File C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\clbcatex.dll 110592 bytes
File C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\clbcatq.dll 498688 bytes
File C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 41023 bytes

---- EOF - GMER 1.0.14 ----

shelf life
2008-05-28, 12:58
hi,
ok thanks for the info. yes looks like you have a rootkit. lets do this in combofix, remove it that is. so one more download to get. we will use it to clean up the rootkit driver and .dlls

Download combofix from one of these links and save it to your Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" in next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

spiderroll
2008-05-28, 18:19
Hi,
Thanks for the update. I have downloaded the combofix.exe but it wouldn't execute just like the other tool (MalwareBytes). Is there a reason why the combofix wouldn't run? It looks like this rootkit has a lot of defensive mechanism against removals. I look forward to your new instructions. Thanks.

spiderroll
2008-05-28, 19:49
Hi,
Interestingly, I didn't expect this old trick would work, but I managed to run the combofix by renaming the extension from .exe to .com. Below is the log created by combofix.


=========================================================

ComboFix 08-05-27.4 - wwu 2008-05-28 11:56:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.950.886.1033.18.1179 [GMT -4:00]
Running from: C:\Documents and Settings\Wayne Wu\Desktop\ComboFix.com
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\W?nSxS\
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-27 22:52 . 2008-05-27 22:52 250 --a------ C:\WINDOWS\gmer.ini
2008-05-27 21:25 . 2008-05-27 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-27 21:24 . 2008-05-27 21:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-27 21:24 . 2008-05-27 21:24 <DIR> d-------- C:\Documents and Settings\Wayne Wu\Application Data\SUPERAntiSpyware.com
2008-05-27 21:23 . 2008-05-27 21:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-27 15:38 . 2008-05-27 15:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 15:07 . 2008-05-27 16:55 <DIR> d-------- C:\SDFix
2008-05-27 13:47 . 2008-05-27 13:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-27 13:47 . 2008-05-27 13:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-27 12:52 . 2008-05-27 13:00 <DIR> d-------- C:\New Folder
2008-05-19 13:32 . 2008-05-19 13:32 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-19 01:03 . 2008-05-19 01:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-18 20:33 . 2004-08-04 06:00 187,938 --a------ C:\WINDOWS\system32\dllcache\c_20005.nls
2008-05-18 20:33 . 2004-08-04 06:00 187,938 --a------ C:\WINDOWS\system32\c_20005.nls
2008-05-18 20:33 . 2004-08-04 06:00 180,258 --a------ C:\WINDOWS\system32\dllcache\c_20004.nls
2008-05-18 20:33 . 2004-08-04 06:00 180,258 --a------ C:\WINDOWS\system32\c_20004.nls
2008-05-18 03:13 . 2008-05-18 03:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-18 00:17 . 2008-05-18 00:17 7,680 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-05-18 00:12 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-17 01:49 . 2008-05-17 01:49 0 --a------ C:\WINDOWS\tosOBEX.INI
2008-05-17 01:11 . 2007-04-24 13:20 113,920 --a------ C:\WINDOWS\system32\drivers\tosrfbd.sys
2008-05-17 01:11 . 2007-03-01 16:53 73,728 --a------ C:\WINDOWS\system32\drivers\Tosrfhid.sys
2008-05-17 01:11 . 2007-05-24 14:27 64,000 --a------ C:\WINDOWS\system32\drivers\tosrfcom.sys
2008-05-17 01:11 . 2007-01-22 10:43 53,376 --a------ C:\WINDOWS\system32\drivers\TosRfSnd.sys
2008-05-17 01:11 . 2007-06-11 14:25 41,856 --a------ C:\WINDOWS\system32\drivers\tosrfusb.sys
2008-05-17 01:11 . 2006-10-10 19:33 41,600 --a------ C:\WINDOWS\system32\drivers\tosporte.sys
2008-05-17 01:11 . 2006-11-20 17:55 36,480 --a------ C:\WINDOWS\system32\drivers\tosrfbnp.sys
2008-05-17 01:11 . 2005-01-07 05:42 18,612 --a------ C:\WINDOWS\system32\drivers\tosrfnds.sys
2008-05-17 01:10 . 2008-05-17 01:10 <DIR> d-------- C:\Program Files\Toshiba
2008-05-16 05:17 . 2008-05-16 05:17 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-16 05:17 . 2008-05-16 05:17 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-16 05:17 . 2008-05-16 05:17 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-16 05:17 . 2008-05-16 05:17 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-16 05:09 . 2008-05-16 05:09 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-16 03:46 . 2004-08-03 22:41 404,990 --------- C:\WINDOWS\system32\drivers\slntamr.sys
2008-05-16 03:45 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-05-16 03:44 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-05-16 03:44 . 2008-04-13 20:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-05-16 03:44 . 2008-04-13 20:11 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll
2008-05-16 03:44 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-05-16 03:44 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll
2008-05-16 03:44 . 2008-04-13 20:12 33,792 --------- C:\WINDOWS\system32\mmcperf.exe
2008-05-16 03:44 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-05-16 03:44 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-05-16 03:44 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-05-16 03:44 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-05-16 03:42 . 2008-04-13 20:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-05-16 03:42 . 2008-04-13 20:11 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2008-05-16 03:42 . 2008-04-13 20:11 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2008-05-16 03:42 . 2008-04-13 20:11 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2008-05-16 03:42 . 2008-04-13 20:11 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2008-05-16 03:42 . 2008-04-13 20:11 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2008-05-16 03:42 . 2008-04-13 20:11 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2008-05-16 03:42 . 2008-04-13 20:11 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2008-05-11 02:03 . 2008-05-11 15:33 <DIR> d-------- C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp
2008-05-11 02:03 . 2008-04-13 14:45 60,032 --a------ C:\WINDOWS\system32\drivers\usbaudio.sys
2008-05-11 02:02 . 2008-04-13 14:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-10 16:39 . 2008-05-10 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-05-07 15:05 . 2004-04-04 00:41 197,648 --a------ C:\WINDOWS\system\unidrv.dll
2008-05-07 15:05 . 2004-04-04 00:41 77,712 --a------ C:\WINDOWS\system\iconlib.dll
2008-05-07 15:05 . 2004-04-04 00:41 20,416 --a------ C:\WINDOWS\system\SMPRNDRV.drv
2008-05-07 15:05 . 2004-04-04 00:41 18,272 --a------ C:\WINDOWS\system\dmcolor.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-28 05:07 --------- d-----w C:\Documents and Settings\Wayne Wu\Application Data\Skype
2008-05-28 02:07 --------- d-----w C:\Documents and Settings\Wayne Wu\Application Data\skypePM
2008-05-27 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-27 04:48 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-22 20:34 --------- d-----w C:\Program Files\NJStar Chinese WP
2008-05-21 03:09 --------- d-----w C:\Documents and Settings\Wayne Wu\Application Data\Lavasoft
2008-05-19 17:58 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-05-19 06:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-16 16:50 0 ----a-w C:\Documents and Settings\Wayne Wu\wwu_notes.dat
2008-05-07 19:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-07 19:05 --------- d-----w C:\Program Files\WebAVD
2008-05-07 03:47 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-27 00:03 --------- d-----w C:\Documents and Settings\Wayne Wu\Application Data\CDBurnerXP_Soft
2008-04-27 00:02 --------- d-----w C:\Program Files\CDBurnerXP
2008-04-15 19:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 25,471 ------w C:\WINDOWS\system32\drivers\atv04nt5.dll
2008-04-14 00:11 21,183 ------w C:\WINDOWS\system32\drivers\atv01nt5.dll
2008-04-14 00:11 17,279 ------w C:\WINDOWS\system32\drivers\atv10nt5.dll
2008-04-14 00:11 15,423 ------w C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2008-04-14 00:11 14,143 ------w C:\WINDOWS\system32\drivers\atv06nt5.dll
2008-04-14 00:11 11,359 ------w C:\WINDOWS\system32\drivers\atv02nt5.dll
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2005-11-15 23:15 56 --sh--r C:\WINDOWS\system32\2A334528B0.sys
2005-11-15 23:15 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 17:25 94208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]
"cdloader"="C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\cdloader2.exe" [2007-12-21 10:39 50520]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"=";;C:\Program Files\Apoint\Apoint.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59 385024]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 21:05 339968]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 12:26 606208]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-24 13:58 98304]
"ISUSPM Startup"=";;C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"=";;C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02 86016]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 03:21 90112]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 06:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 06:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 06:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-09 15:14 180269]
"bacstray"="C:\Program Files\Broadcom\BACS\\BacsTray.exe" [2004-08-18 13:26 118784]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 19:57 16384]
"Samsung PanelMgr"=";;C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe" [ ]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 19:56 202544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 20:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-11-03 16:32:23 82026]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-03 16:25:10 113664]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-08-02 19:41:52 2760704]
Bluetooth.lnk - C:\Program Files\ANYCOM\Blue USB-200-250\BTTray.exe [2007-08-03 09:59:10 572008]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-24 13:51:51 24576]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-11-03 17:00:40 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\D-Link\\D-Link Wireless LAN AP Manager\\APC.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\RAIDar\\RAIDar.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\MSSOAP\\Binaries\\MsSoapT3.exe"=
"C:\\Program Files\\WebAVD\\BIZ\\EduApp.exe"=
"C:\\Program Files\\Oracle\\jre\\1.3.1\\bin\\java.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Documents and Settings\\Wayne Wu\\Application Data\\mjusbsp\\magicJack.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5600:TCP"= 5600:TCP:Neweb NPC
"5601:TCP"= 5601:TCP:Neweb NPC 5601
"5602:TCP"= 5602:TCP:Neweb NPC 5602

R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2007-03-03 23:12]
R2 msftesql$SQL2K5;SQL Server FullText Search (SQL2K5);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQL2K5 []
R2 MSOLAP$SQL2K5;SQL Server Analysis Services (SQL2K5);"C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config" []
R2 MSSQL$SQL2K5;SQL Server (SQL2K5);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQL2K5 []
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
R2 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe [2002-04-26 17:29]
R2 ReportServer$SQL2K5;SQL Server Reporting Services (SQL2K5);"C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2007-03-03 23:09]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-10-09 19:56]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-25 21:55]
R2 WebTool;WebTool;C:\PROGRA~1\MI4F93~1\webtool.exe [2000-02-04 17:53]
S2 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice []
S2 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 08:23]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 08:23]
S3 OracleServiceENDIVADB;OracleServiceENDIVADB;c:\oracle\ora92\bin\ORACLE.EXE ENDIVADB []
S3 PCMCIA_WIRELESS_MODEM;PCMCIA_WIRELESS_MODEM;C:\WINDOWS\system32\DRIVERS\pcmciadrv.sys [2004-06-07 16:38]
S3 SQLAgent$SQL2K5;SQL Server Agent (SQL2K5);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i SQL2K5 []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2689b463-0e60-11dc-a53d-0013ce53fd5d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e95f4f50-1f1f-11dd-a7ed-0013ce53fd5d}]
\Shell\AutoRun\command - F:\autorun.exe
\Shell\phone\command - F:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 16:22:13 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 12:21:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQL2K5]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQL2K5"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92PagingServer]
"ImagePath"="C:\oracle\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\PROGRA~1\MI6841~1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\bin\TNSLSNR.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
.
**************************************************************************
.
Completion time: 2008-05-28 12:34:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-28 16:34:40

Pre-Run: 6,426,968,064 bytes free
Post-Run: 6,260,207,616 bytes free

371 --- E O F --- 2008-05-28 06:19:03

shelf life
2008-05-29, 01:35
hi,

ok good. and look what it removed: your rootkit tools. rename the malwarebytes extension and see if it will install. if so update it and run it and post the log. see couple replies earlier.

spiderroll
2008-05-29, 05:17
Hi,

I guess after rootkit tool was removed, the system no longer contain process to resist Malwarebytes setup. The update and the scan were successfull ran. Below is the log from the scan. Please advise. Thanks.


========================================================


Malwarebytes' Anti-Malware 1.12
Database version: 795

Scan type: Full Scan (C:\|)
Objects scanned: 289532
Time elapsed: 2 hour(s), 0 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP915\A0123894.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP915\A0123895.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP915\A0123897.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP915\A0123898.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP915\A0123903.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916\A0123955.scr (Trojan.Agent) -> Quarantined and deleted successfully.

shelf life
2008-05-29, 06:08
hi,

good. looks like the problems were caused by the rootkit. please run sdfix once more and post the log. i think i remember seeing you had superantispyware (SAS) also? update and scan with that. you can post that log also like this:

To retrieve the removal information - please do the following:

* After reboot, double-click the SUPERAntispyware icon on your desktop.
* Click Preferences . Click the Statistics/Logs tab .
* Under Scanner Logs , double-click SUPERAntiSpyware Scan Log .
* It will open in your default text editor (Notepad).
* Please highlight everything , then right-click and choose copy.
* Click close and close again to exit the program.

Now please paste the removal information log, If it's a large log, you may need several replies to post it.

if all looks good we can finish up.

spiderroll
2008-05-29, 17:54
Hi,
Yes :), looks like the rootkit has been removed, too. Below are the new SDFix log and SAS log for your review. Thanks!

=============================================
Start of SDFix log
=============================================


SDFix: Version 1.186
Run by wwu on 05/29/2008 Thu at 12:24 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 01:44:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Bluetooth ph_赩
"Driver"="bthcrp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Bluetooth ph_赩
"Driver"="bthcrp.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"="C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE:*:Enabled:Microsoft (R) Visual Studio VSA RPC Event Creator"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\D-Link\\D-Link Wireless LAN AP Manager\\APC.exe"="C:\\Program Files\\D-Link\\D-Link Wireless LAN AP Manager\\APC.exe:*:Enabled:APCenter Wireless LAN Management System"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\RAIDar\\RAIDar.exe"="C:\\Program Files\\RAIDar\\RAIDar.exe:*:Enabled:RAIDar"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\MSSOAP\\Binaries\\MsSoapT3.exe"="C:\\Program Files\\MSSOAP\\Binaries\\MsSoapT3.exe:*:Enabled:Microsoft Soap Toolkit 3.0 Trace Tool"
"C:\\Program Files\\WebAVD\\BIZ\\EduApp.exe"="C:\\Program Files\\WebAVD\\BIZ\\EduApp.exe:*:Enabled:EduApp"
"C:\\Program Files\\Oracle\\jre\\1.3.1\\bin\\java.exe"="C:\\Program Files\\Oracle\\jre\\1.3.1\\bin\\java.exe:*:Enabled:java"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:WindowsR NetMeetingR"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Documents and Settings\\Wayne Wu\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Wayne Wu\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 15 Nov 2005 56 ..SHR --- "C:\WINDOWS\system32\2A334528B0.sys"
Tue 15 Nov 2005 3,766 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 28 Jan 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 12 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 21 Dec 2007 873,704 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\ar00000\install.exe"
Fri 21 Dec 2007 6,157,296 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\in00000\setup.exe"
Fri 21 Dec 2007 873,704 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\Upgrade\install1.exe"
Fri 21 Dec 2007 6,157,296 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\mjusbsp\Upgrade\setup1.exe"
Sat 28 Jan 2006 4,348 ...H. --- "C:\Documents and Settings\Wayne Wu\My Documents\My Music\License Backup\drmv1key.bak"
Sat 28 Jan 2006 20 A..H. --- "C:\Documents and Settings\Wayne Wu\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 28 Jan 2006 400 A.SH. --- "C:\Documents and Settings\Wayne Wu\My Documents\My Music\License Backup\drmv2key.bak"
Tue 30 Sep 2003 46,080 A..H. --- "C:\Operations\ENDIVA USA\Clients\tccgw\TCCGW Letters\~WRL3363.tmp"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Wed 20 Feb 2008 8 A..H. --- "C:\Documents and Settings\Wayne Wu\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Finished!

=============================================
End of SDFix log
=============================================



##############################################
SAS Log
##############################################

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/29/2008 at 03:54 AM

Application Version : 4.1.1046

Core Rules Database Version : 3470
Trace Rules Database Version: 1461

Scan type : Complete Scan
Total Scan Time : 01:13:55

Memory items scanned : 664
Memory threats detected : 0
Registry items scanned : 10046
Registry threats detected : 0
File items scanned : 38595
File threats detected : 57

Adware.Tracking Cookie
C:\Documents and Settings\Wayne Wu\Cookies\wwu@2o7[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@indextools[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@ad.yieldmanager[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@msnportal.112.2o7[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@advertising[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@joyforouryouth.112.2o7[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@zedo[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@adopt.specificclick[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@ads.addynamix[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@ehg-ittoolbox.hitbox[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@questionmarket[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@server.iad.liveperson[3].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@hitbox[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@statcounter[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@tribalfusion[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@server.iad.liveperson[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@specificclick[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@atdmt[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@doubleclick[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@mediaplex[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@partner2profit[1].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@shareadult[2].txt
C:\Documents and Settings\Wayne Wu\Cookies\wwu@ads.pointroll[2].txt

Trojan.Drop/Gen Variant
C:\DOCUMENTS AND SETTINGS\WAYNE WU\LOCAL SETTINGS\APPLICATION DATA\F450D544.EXE

Adware.AdSponsor/ISM
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP915\A0123901.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP915\A0123902.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916\A0123920.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916\A0124064.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916\A0124085.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916\A0124131.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916\A0124152.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916\A0124167.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916\A0124210.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP916\A0124230.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP918\A0124356.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP918\A0124403.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP918\A0124473.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP918\A0124512.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP920\A0125505.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP920\A0126554.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP921\A0126618.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP921\A0126707.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP921\A0126730.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP921\A0126769.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP923\A0126866.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP924\A0126884.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP925\A0127017.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP925\A0127032.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP925\A0127055.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP925\A0127120.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP925\A0127190.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP926\A0128186.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP926\A0129189.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP927\A0129211.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP927\A0129289.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP928\A0129359.DLL

Adware.ClickSpring/Outerinfo
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP924\A0126926.EXE

shelf life
2008-05-30, 00:49
hi spiderroll,

ok good. looks like we can clean up and make a new restore point. one easy way to remove some of the tools is with OTmoveIt2.

you can download it to your desktop, click the icon to start it (requires a network connection to get the latest list)
from the main window click the Cleanup! button
at the prompt to clean up, click yes
then you can delete the OTmoveIt2 icon from your desktop.

link:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

system restore: the why and the how;

One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
--------------------------
check your java version:
Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser.

It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilites/exploits that can be taken advantage of to possibly introduce malware via your browser.

* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.

to check if you have the latest version of Java and to download the latest version:

http://www.java.com/en/download/installed.jsp
-----------------------------------
if all is good:

My Top Ten
The Short Version:

1) Keep your OS, browser and software up to date.
2) Know what you are installing to your computer. Do you trust the source?
3) Install, keep updated: antivirus and one or two anti-malware applications.
4) Dont click on adds/pop ups or offers from websites to install software.
5) Dont click on offers to "scan" your computer.
6) Dont click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting the message. Do you trust the source?
7) Set up and use limited accounts rather than administrator accounts.
8) Consider using an alternate browser and E-mail client.
9) Install and understand the limitations of a third party software firewall.
10) If your habits include visiting or installing files from: warez, cracks/keygens, P2P or adult sites you are much more likely to encounter malicious code. Do you trust the source?

longer version in link below. happy safe surfing out there.

spiderroll
2008-05-30, 09:32
Hi shelf life,
I have just did the OTmoveIt2, flushed restore point, removed all old Java version and, reinstalled most recent version of Java. I guess I am all set. Thanks for helping me to get rid of the mess in my computer. I think I learned a few things and I will keep in mind your "Top Ten". I am sure your good works are greatly appreciated.

shelf life
2008-05-31, 01:50
hi,

ok spiderroll, your welcome. happy safe surfing.