View Full Version : Virtumonde infection
bcarneal
2008-06-28, 02:07
Greetings! I am working on a friend's machine that has a serious Virtumonde infection (maybe more). At startup, I get a userinit.exe error (application failed to initialize properly (0xc0000005)). The desktop shows only the background until I bring up Taskmgr and do a File/Run and bring up Control Panel. Usually, the desktop icons will then show. I also can't run Add/Remove programs, etc. I get a Rundll32.exe application error (failed to initialize.....).
So far, I did run VundoFix from Atribune. It found >10 instances and seemed to repair, but when running it again, it showed them still there. Then, I found this forum! I've followed procedures by running Spybot S&D and having it fix everything in red (4 Virtumonde in normal mode and 2 in Safe mode). Then, I installed HiJackThis 2.0.2 ans ran it in the required mode. I'm including my log.
Thanks in advance for sharing your skills and time.
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:40 PM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=Mal_Vundo-4
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {75E444B3-674C-4ECF-94B9-6F6EA878CE60} - C:\WINDOWS\system32\wvusturq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {94AC3D8C-2EC1-45C0-B23F-1B988A16CF0B} - C:\WINDOWS\system32\efcAspMg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B76CF1F4-ECDC-4CA1-89F8-32403496528E} - C:\WINDOWS\system32\jkkJayWM.dll
O2 - BHO: mymaxisearch browser optimizer - {d3691528-99d9-db98-6cef-4b016de4f3bc} - C:\WINDOWS\system32\{065F39F3-B65A-CE56-C90B-6E9765563F3E}.dll (file missing)
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\yayxywvw.dll (file missing)
O2 - BHO: {f74f4d27-aab6-79d8-3154-f92a75d90eef} - {fee09d57-a29f-4513-8d97-6baa72d4f47f} - C:\WINDOWS\system32\ejqqtvmj.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Rebekah Adkins\svchost.exe
O4 - HKLM\..\Run: [e8324bbe] rundll32.exe "C:\WINDOWS\system32\kpdhfucm.dll",b
O4 - HKLM\..\Run: [BMeb017822] Rundll32.exe "C:\WINDOWS\system32\eljeoqor.dll",s
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762E901F3D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E2C38B2A0C67D36D
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116976270421
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL oygpivbg.dll ejqqtvmj.dll
O20 - Winlogon Notify: yayxywvw - yayxywvw.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 13800 bytes
========================
pskelley
2008-06-28, 17:26
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same
page.
You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.
I am having a hard time with your logs and I believe word wrap is turned on in notepad.
Provide:
a) The HJT log only.
Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines.
It is preferable, and the log easier to read, if you do not use the [code] or [php] options.
From what I can see Vundo is not the only infection so read and follow all directions carefully and in the numbered order.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
bcarneal
2008-06-29, 09:50
Thanks! I followed the ComboFix instruction sheet and installed the Windows Recovery COnsole with the "download file/drop on ComboFix icon" method. The ComboFix log says the RC is not installed. It did a lot of work, though. Sorry about my earlier log not being easy to read. I was careful to turn off Word Wrap.
=================
ComboFix Log:
ComboFix 08-06-20.4 - Administrator 2008-06-28 23:11:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.499 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Tom Taylor\Application Data\WinTouch
C:\Documents and Settings\Tom Taylor\Application Data\WinTouch\wintouch.cfg
C:\Program Files\Spcron
C:\Program Files\Spcron\Spc.dll
C:\Program Files\Temporary
C:\WINDOWS\BMeb017822.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\aubycnko.ini
C:\WINDOWS\system32\axrifoab.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\dayopnyl.ini
C:\WINDOWS\system32\elljcpki.ini
C:\WINDOWS\system32\fljwlhpr.ini
C:\WINDOWS\system32\fqixejom.ini
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\fwjqgouo.dll
C:\WINDOWS\system32\fwybsgjo.ini
C:\WINDOWS\system32\gfpulkho.ini
C:\WINDOWS\SYSTEM32\gMpsAcfe.ini
C:\WINDOWS\SYSTEM32\gMpsAcfe.ini2
C:\WINDOWS\system32\hwebbhxa.ini
C:\WINDOWS\system32\hwmqkcds.ini
C:\WINDOWS\SYSTEM32\ihhilkkj.ini
C:\WINDOWS\SYSTEM32\ihhilkkj.ini2
C:\WINDOWS\SYSTEM32\ixxjppks.ini
C:\WINDOWS\system32\jkkJayWM.dll
C:\WINDOWS\SYSTEM32\jklmnqss.ini
C:\WINDOWS\SYSTEM32\jklmnqss.ini2
C:\WINDOWS\SYSTEM32\jmshbdio.ini
C:\WINDOWS\system32\kkvunbik.ini
C:\WINDOWS\system32\klvpsbiq.ini
C:\WINDOWS\SYSTEM32\KnUEOqss.ini
C:\WINDOWS\SYSTEM32\KnUEOqss.ini2
C:\WINDOWS\system32\kohyfpss.ini
C:\WINDOWS\system32\kwoqdyhf.dll
C:\WINDOWS\SYSTEM32\lkiwmkjt.ini
C:\WINDOWS\system32\lphlqavs.ini
C:\WINDOWS\system32\lrbkxmsy.dll
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\MSDKmUvw.ini
C:\WINDOWS\SYSTEM32\MSDKmUvw.ini2
C:\WINDOWS\system32\ohamnepw.ini
C:\WINDOWS\system32\ojwemijh.dll
C:\WINDOWS\system32\oofyykkc.dll
C:\WINDOWS\system32\osvldldg.dll
C:\WINDOWS\system32\ouxfuwpm.ini
C:\WINDOWS\system32\owwbtwrh.ini
C:\WINDOWS\system32\pkuxjyli.ini
C:\WINDOWS\system32\pykliamx.ini
C:\WINDOWS\system32\qgwilpxx.ini
C:\WINDOWS\SYSTEM32\qnvywsck.ini
C:\WINDOWS\SYSTEM32\qrutsuvw.ini
C:\WINDOWS\SYSTEM32\qrutsuvw.ini2
C:\WINDOWS\SYSTEM32\rsrrqqss.ini
C:\WINDOWS\SYSTEM32\rsrrqqss.ini2
C:\WINDOWS\system32\rulbghtb.ini
C:\WINDOWS\SYSTEM32\ruxybccf.ini
C:\WINDOWS\SYSTEM32\ruxybccf.ini2
C:\WINDOWS\system32\scwbnxdp.ini
C:\WINDOWS\system32\sedfgqba.ini
C:\WINDOWS\SYSTEM32\sgrmmpkx.ini
C:\WINDOWS\system32\ssbdsjfe.ini
C:\WINDOWS\SYSTEM32\trlxycfx.ini
C:\WINDOWS\SYSTEM32\twvwvuvw.ini
C:\WINDOWS\SYSTEM32\twvwvuvw.ini2
C:\WINDOWS\system32\uljnnufj.ini
C:\WINDOWS\system32\whagtxnw.ini
C:\WINDOWS\SYSTEM32\wqgbvvmk.ini
C:\WINDOWS\system32\wvUmKDSM.dll
C:\WINDOWS\system32\wycifidx.dll
C:\WINDOWS\SYSTEM32\xHQXHkkj.ini
C:\WINDOWS\SYSTEM32\xHQXHkkj.ini2
C:\WINDOWS\SYSTEM32\xoeqacgd.ini
C:\WINDOWS\system32\yuajdjum.ini
.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.
2008-06-27 13:16 . 2008-06-27 13:16 104,960 --a------ C:\WINDOWS\SYSTEM32\bdftrmur.dll
2008-06-27 13:16 . 2008-06-27 13:16 104,960 --a------ C:\WINDOWS\SYSTEM32\apsbck.dll
2008-06-27 13:13 . 2008-06-27 13:13 94,208 --a------ C:\WINDOWS\SYSTEM32\eljeoqor.dll
2008-06-27 13:10 . 2008-06-27 13:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-27 13:05 . 2008-06-27 15:43 <DIR> d-------- C:\Software Installs
2008-06-26 16:39 . 2008-06-26 17:04 <DIR> d-------- C:\VundoFix Backups
2008-06-26 16:12 . 2008-06-26 16:12 <DIR> d--h----- C:\WINDOWS\SYSTEM32\GroupPolicy
2008-06-26 13:50 . 2008-06-26 13:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GTek
2008-06-26 12:14 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-06-26 12:14 . 2007-12-24 17:37 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2008-06-26 12:14 . 2007-12-24 17:37 52,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2008-06-26 12:13 . 2008-06-26 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-26 12:11 . 2008-06-27 15:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 11:31 . 2008-06-26 11:36 <DIR> d-------- C:\Stuff from root of C that should not be there
2008-06-26 10:06 . 2008-06-26 10:06 136,704 --a------ C:\WINDOWS\SYSTEM32\ejqqtvmj.dll
2008-06-25 01:29 . 2008-06-27 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 23:53 . 2008-06-28 23:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-24 23:53 . 2008-06-24 23:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-24 04:33 . 2008-06-24 04:33 118,272 --a------ C:\WINDOWS\SYSTEM32\kpdhfucm.dll
2008-06-24 04:33 . 2008-06-28 23:18 354 ---hs---- C:\WINDOWS\SYSTEM32\mcufhdpk.ini
2008-06-24 04:30 . 2008-06-24 04:30 136,704 --a------ C:\WINDOWS\SYSTEM32\oygpivbg.dll
2008-06-24 04:29 . 2008-06-24 04:29 127,488 --a------ C:\WINDOWS\SYSTEM32\vmroingw.dll
2008-06-23 04:07 . 2008-06-24 04:33 1,646,047 --ahs---- C:\WINDOWS\SYSTEM32\cpaarjcm.ini.old
2008-06-23 04:07 . 2008-06-23 04:07 117,248 --a------ C:\WINDOWS\SYSTEM32\mcjraapc.dll
2008-06-23 04:04 . 2008-06-23 04:04 131,584 --a------ C:\WINDOWS\SYSTEM32\fvmgbqwv.dll
2008-06-23 04:02 . 2008-06-23 04:02 131,584 --a------ C:\WINDOWS\SYSTEM32\llqsmfcp.dll
2008-06-22 22:18 . 2008-06-22 22:18 128,512 --a------ C:\WINDOWS\SYSTEM32\odccjkcy.dll
2008-06-22 21:20 . 2008-06-22 21:20 128,512 --a------ C:\WINDOWS\SYSTEM32\notgunon.dll
2008-06-21 13:36 . 2008-06-21 13:36 122,368 --a------ C:\WINDOWS\SYSTEM32\axhbbewh.dll
2008-06-21 13:34 . 2008-06-21 13:34 130,560 --a------ C:\WINDOWS\SYSTEM32\hvygxcux.dll
2008-06-21 13:34 . 2008-06-21 13:34 128,512 --a------ C:\WINDOWS\SYSTEM32\ecaonndx.dll
2008-06-21 02:15 . 2008-06-21 02:15 130,560 --a------ C:\WINDOWS\SYSTEM32\abeomfgb.dll
2008-06-21 02:09 . 2008-06-21 02:10 128,512 --a------ C:\WINDOWS\SYSTEM32\amxtqasg.dll
2008-06-20 06:32 . 2008-06-20 06:33 <DIR> d-------- C:\Program Files\Sacor
2008-06-01 23:38 . 2008-06-20 14:10 73,345 --a------ C:\WINDOWS\SYSTEM32\{065F39F3-B65A-CE56-C90B-6E9765563F3E}.dll-uninst.exe
2008-06-01 17:21 . 2008-06-01 17:21 1,170 --ahs---- C:\WINDOWS\SYSTEM32\jryjjedk.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 06:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-06-26 22:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-26 22:40 --------- d-----w C:\Program Files\Twain
2008-06-26 18:44 --------- d-----w C:\Program Files\LimeWire
2008-06-26 18:03 --------- d-----w C:\Program Files\Norton Security Scan
2008-06-26 17:14 --------- d-----w C:\Program Files\Symantec
2008-06-26 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-25 13:20 --------- d-----w C:\Documents and Settings\Rebekah Adkins\Application Data\LimeWire
2008-05-27 21:57 --------- d-----w C:\Documents and Settings\Rebekah Adkins\Application Data\AdobeUM
2008-05-20 22:19 --------- d-----w C:\Program Files\Java
2008-05-20 04:37 --------- d-----w C:\Program Files\Em90
2008-05-02 23:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 23:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 23:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2006-09-28 03:12 0 ----a-w C:\Documents and Settings\Jonathan Adkins\Application Data\Install.dat
2006-07-19 23:41 28,672 ----a-w C:\Documents and Settings\Tom Taylor\atwbxdet.dll
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75E444B3-674C-4ECF-94B9-6F6EA878CE60}]
C:\WINDOWS\system32\wvusturq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94AC3D8C-2EC1-45C0-B23F-1B988A16CF0B}]
C:\WINDOWS\system32\efcAspMg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3691528-99d9-db98-6cef-4b016de4f3bc}]
C:\WINDOWS\system32\{065F39F3-B65A-CE56-C90B-6E9765563F3E}.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fee09d57-a29f-4513-8d97-6baa72d4f47f}]
2008-06-26 10:06 136704 --a------ C:\WINDOWS\system32\ejqqtvmj.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 07:14 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 12:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 09:23 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 10:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 14:54 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 23:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2004-08-27 12:29 417792]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2005-07-21 17:14 94208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-25 18:42 180269]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-04-13 15:36 1470464]
"RetroExpress"="C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" [2004-07-30 15:47 6946816]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-12 07:25 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 07:25 11776]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 08:21 823296]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-17 23:27 1831936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"e8324bbe"="C:\WINDOWS\system32\kpdhfucm.dll" [2008-06-24 04:33 118272]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 18:30 517768]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-15 07:34 1398024]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
"BMeb017822"="C:\WINDOWS\system32\eljeoqor.dll" [2008-06-27 13:13 94208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 07:14 68856]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-05-13 09:38:39 156784]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36 806912]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-02-16 18:40:52 6379080]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxywvw]
yayxywvw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL oygpivbg.dll ejqqtvmj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.MJPX"= PICVideo MJPEG Codec
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\WINDOWS\\SYSTEM32\\dlbxcoms.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\My Music\\LimeWire\\LimeWire.exe"=
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
S2 DVC150;DVC 150B;C:\WINDOWS\system32\Drivers\dvc150b.sys [2005-03-03 19:47]
S3 DVC150B;Dazzle DVC 150B;C:\WINDOWS\system32\Drivers\dvc150b.SYS [2005-03-03 19:47]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-28 23:20:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\SYSTEM32\dlbxcoms.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
C:\PROGRA~1\Dantz\RETROS~1\Retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2008-06-28 23:26:57 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-06-29 06:26:53
Pre-Run: 19,359,727,616 bytes free
Post-Run: 19,274,145,792 bytes free
279 --- E O F --- 2008-05-19 21:51:58
=====================
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:52 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=Mal_Vundo-4
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {75E444B3-674C-4ECF-94B9-6F6EA878CE60} - C:\WINDOWS\system32\wvusturq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {94AC3D8C-2EC1-45C0-B23F-1B988A16CF0B} - C:\WINDOWS\system32\efcAspMg.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: mymaxisearch browser optimizer - {d3691528-99d9-db98-6cef-4b016de4f3bc} - C:\WINDOWS\system32\{065F39F3-B65A-CE56-C90B-6E9765563F3E}.dll (file missing)
O2 - BHO: {f74f4d27-aab6-79d8-3154-f92a75d90eef} - {fee09d57-a29f-4513-8d97-6baa72d4f47f} - C:\WINDOWS\system32\ejqqtvmj.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [e8324bbe] rundll32.exe "C:\WINDOWS\system32\kpdhfucm.dll",b
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [BMeb017822] Rundll32.exe "C:\WINDOWS\system32\eljeoqor.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116976270421
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL oygpivbg.dll ejqqtvmj.dll
O20 - Winlogon Notify: yayxywvw - yayxywvw.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 13317 bytes
pskelley
2008-06-29, 14:37
Thanks for returning your information, read and follow the directions carefully and in the numbered order.
I notice you have a lot of Trend Micro services running, you are sure they are not conflicting with your resident antivirus program?
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
(follow the CFScript directions very carefully)
3) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\ejqqtvmj.dll
C:\WINDOWS\system32\kpdhfucm.dll
C:\WINDOWS\system32\eljeoqor.dll
C:\WINDOWS\SYSTEM32\bdftrmur.dll
C:\WINDOWS\SYSTEM32\apsbck.dll
C:\WINDOWS\SYSTEM32\mcufhdpk.ini
C:\WINDOWS\SYSTEM32\oygpivbg.dll
C:\WINDOWS\SYSTEM32\vmroingw.dll
C:\WINDOWS\SYSTEM32\cpaarjcm.ini.old
C:\WINDOWS\SYSTEM32\mcjraapc.dll
C:\WINDOWS\SYSTEM32\fvmgbqwv.dll
C:\WINDOWS\SYSTEM32\llqsmfcp.dll
C:\WINDOWS\SYSTEM32\odccjkcy.dll
C:\WINDOWS\SYSTEM32\notgunon.dll
C:\WINDOWS\SYSTEM32\axhbbewh.dll
C:\WINDOWS\SYSTEM32\hvygxcux.dll
C:\WINDOWS\SYSTEM32\ecaonndx.dll
C:\WINDOWS\SYSTEM32\abeomfgb.dll
C:\WINDOWS\SYSTEM32\amxtqasg.dll
C:\WINDOWS\SYSTEM32\jryjjedk.ini
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75E444B3-674C-4ECF-94B9-6F6EA878CE60}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94AC3D8C-2EC1-45C0-B23F-1B988A16CF0B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d3691528-99d9-db98-6cef-4b016de4f3bc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fee09d57-a29f-4513-8d97-6baa72d4f47f}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxywvw]
Folder::
C:\VundoFix Backups
Save this as CFScript
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post logs)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {75E444B3-674C-4ECF-94B9-6F6EA878CE60} - C:\WINDOWS\system32\wvusturq.dll (file missing)
O2 - BHO: (no name) - {94AC3D8C-2EC1-45C0-B23F-1B988A16CF0B} - C:\WINDOWS\system32\efcAspMg.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
(next is valid but damaged)
O2 - BHO: mymaxisearch browser optimizer - {d3691528-99d9-db98-6cef-4b016de4f3bc} - C:\WINDOWS\system32\{065F39F3-B65A-CE56-C90B-6E9765563F3E}.dll (file missing)
O2 - BHO: {f74f4d27-aab6-79d8-3154-f92a75d90eef} - {fee09d57-a29f-4513-8d97-6baa72d4f47f} - C:\WINDOWS\system32\ejqqtvmj.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [e8324bbe] rundll32.exe "C:\WINDOWS\system32\kpdhfucm.dll",b
O4 - HKLM\..\Run: [BMeb017822] Rundll32.exe "C:\WINDOWS\system32\eljeoqor.dll",s
O20 - Winlogon Notify: yayxywvw - yayxywvw.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the combofix lof from CFScript, a new HJT log and some feedback from you. How is the computer running?
Thanks
bcarneal
2008-06-30, 01:28
Hi, pskelley! Yes, Norton was removed, except for a couple of items I couldn't uninstall because I couldn't get into "Add/Remove Programs" (LiveUpdate, etc.). The Trend product is what will be used from now on. I am now able to get full Control Panel functionality. All errors appear to be resolved. I installed the RC from the XP CD, too. Then, following your instructions, I dropped the CFScript block of code you provided on the ComboFix Icon (which kept disappearing, BTW - I had to keep replacing it). Then I rebooted, ran HiJackThis as required (selecting directed items - although some were not listed, anymore), including the "Fix Checked". Then ran ATF Cleaner and rebooted. Everything came up beautifully! Now, I've run HJT and am submitting the ComboFix log and the latest HJT log for review.
=============
ComboFix log:
ComboFix 08-06-20.4 - Administrator 2008-06-29 6:53:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\SYSTEM32\abeomfgb.dll
C:\WINDOWS\SYSTEM32\amxtqasg.dll
C:\WINDOWS\SYSTEM32\apsbck.dll
C:\WINDOWS\SYSTEM32\axhbbewh.dll
C:\WINDOWS\SYSTEM32\bdftrmur.dll
C:\WINDOWS\SYSTEM32\cpaarjcm.ini.old
C:\WINDOWS\SYSTEM32\ecaonndx.dll
C:\WINDOWS\system32\ejqqtvmj.dll
C:\WINDOWS\system32\eljeoqor.dll
C:\WINDOWS\SYSTEM32\fvmgbqwv.dll
C:\WINDOWS\SYSTEM32\hvygxcux.dll
C:\WINDOWS\SYSTEM32\jryjjedk.ini
C:\WINDOWS\system32\kpdhfucm.dll
C:\WINDOWS\SYSTEM32\llqsmfcp.dll
C:\WINDOWS\SYSTEM32\mcjraapc.dll
C:\WINDOWS\SYSTEM32\mcufhdpk.ini
C:\WINDOWS\SYSTEM32\notgunon.dll
C:\WINDOWS\SYSTEM32\odccjkcy.dll
C:\WINDOWS\SYSTEM32\oygpivbg.dll
C:\WINDOWS\SYSTEM32\vmroingw.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\danmootg.dll.bad
C:\VundoFix Backups\dccbbcfe.ini.bad
C:\VundoFix Backups\dccbbcfe.ini2.bad
C:\VundoFix Backups\efcbbccd.dll.bad
C:\VundoFix Backups\fccbyxur.dll.bad
C:\VundoFix Backups\inchycsg.dll.bad
C:\VundoFix Backups\jkkHXQHx.dll.bad
C:\VundoFix Backups\jkkJayWM.dll.bad
C:\VundoFix Backups\lyuxeiwi.dll.bad
C:\VundoFix Backups\npomwfll.dll.bad
C:\VundoFix Backups\qamjsknc.dll.bad
C:\VundoFix Backups\qibspvlk.dll.bad
C:\VundoFix Backups\qomklmmj.dll.bad
C:\VundoFix Backups\skcagfie.dll.bad
C:\VundoFix Backups\ssqOEUnK.dll.bad
C:\VundoFix Backups\ssqqrrsr.dll.bad
C:\VundoFix Backups\twbeinke.dll.bad
C:\VundoFix Backups\xfldmjtm.dll.bad
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\abeomfgb.dll
C:\WINDOWS\SYSTEM32\amxtqasg.dll
C:\WINDOWS\SYSTEM32\apsbck.dll
C:\WINDOWS\SYSTEM32\axhbbewh.dll
C:\WINDOWS\SYSTEM32\bdftrmur.dll
C:\WINDOWS\SYSTEM32\cpaarjcm.ini.old
C:\WINDOWS\SYSTEM32\ecaonndx.dll
C:\WINDOWS\system32\ejqqtvmj.dll
C:\WINDOWS\system32\eljeoqor.dll
C:\WINDOWS\SYSTEM32\fvmgbqwv.dll
C:\WINDOWS\SYSTEM32\hvygxcux.dll
C:\WINDOWS\SYSTEM32\jryjjedk.ini
C:\WINDOWS\system32\kpdhfucm.dll
C:\WINDOWS\SYSTEM32\llqsmfcp.dll
C:\WINDOWS\SYSTEM32\mcjraapc.dll
C:\WINDOWS\SYSTEM32\mcufhdpk.ini
C:\WINDOWS\SYSTEM32\notgunon.dll
C:\WINDOWS\SYSTEM32\odccjkcy.dll
C:\WINDOWS\SYSTEM32\oygpivbg.dll
C:\WINDOWS\SYSTEM32\vmroingw.dll
.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.
2008-06-28 23:26 . 2008-06-28 23:26 0 --a------ C:\WINDOWS\BMeb017822.xml
2008-06-27 13:10 . 2008-06-27 13:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-27 13:05 . 2008-06-27 15:43 <DIR> d-------- C:\Software Installs
2008-06-26 16:12 . 2008-06-26 16:12 <DIR> d--h----- C:\WINDOWS\SYSTEM32\GroupPolicy
2008-06-26 13:50 . 2008-06-26 13:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GTek
2008-06-26 12:14 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-06-26 12:14 . 2007-12-24 17:37 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2008-06-26 12:14 . 2007-12-24 17:37 52,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2008-06-26 12:13 . 2008-06-26 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-26 12:11 . 2008-06-27 15:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 11:31 . 2008-06-26 11:36 <DIR> d-------- C:\Stuff from root of C that should not be there
2008-06-25 01:29 . 2008-06-27 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 23:53 . 2008-06-29 07:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-24 23:53 . 2008-06-24 23:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 06:32 . 2008-06-20 06:33 <DIR> d-------- C:\Program Files\Sacor
2008-06-01 23:38 . 2008-06-20 14:10 73,345 --a------ C:\WINDOWS\SYSTEM32\{065F39F3-B65A-CE56-C90B-6E9765563F3E}.dll-uninst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\RetroExp
2008-06-26 22:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-26 22:40 --------- d-----w C:\Program Files\Twain
2008-06-26 18:44 --------- d-----w C:\Program Files\LimeWire
2008-06-26 18:03 --------- d-----w C:\Program Files\Norton Security Scan
2008-06-26 17:14 --------- d-----w C:\Program Files\Symantec
2008-06-26 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-25 13:20 --------- d-----w C:\Documents and Settings\Rebekah Adkins\Application Data\LimeWire
2008-05-27 21:57 --------- d-----w C:\Documents and Settings\Rebekah Adkins\Application Data\AdobeUM
2008-05-20 22:19 --------- d-----w C:\Program Files\Java
2008-05-20 04:37 --------- d-----w C:\Program Files\Em90
2008-05-02 23:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 23:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 23:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2006-09-28 03:12 0 ----a-w C:\Documents and Settings\Jonathan Adkins\Application Data\Install.dat
2006-07-19 23:41 28,672 ----a-w C:\Documents and Settings\Tom Taylor\atwbxdet.dll
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\SYSTEM32\oleaut32.dll
.
((((((((((((((((((((((((((((( snapshot@2008-06-28_23.26.37.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 06:17:07 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-29 13:59:31 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-06-29 06:21:34 80,310 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-06-29 14:03:49 80,310 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-06-29 06:21:34 446,234 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-06-29 14:03:49 446,234 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-06-29 13:59:36 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_154.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 07:14 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 12:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 09:23 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 10:52 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12 221184]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 14:54 57344]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 23:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"dlbxmon.exe"="C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe" [2004-08-27 12:29 417792]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2005-07-21 17:14 94208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-25 18:42 180269]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-04-13 15:36 1470464]
"RetroExpress"="C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe" [2004-07-30 15:47 6946816]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-12 07:25 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-03-12 07:25 11776]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 08:21 823296]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-17 23:27 1831936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"e8324bbe"="C:\WINDOWS\system32\kpdhfucm.dll" [ ]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 18:30 517768]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-15 07:34 1398024]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]
"BMeb017822"="C:\WINDOWS\system32\eljeoqor.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 07:14 68856]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-05-13 09:38:39 156784]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36 806912]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2007-02-16 18:40:52 6379080]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL oygpivbg.dll ejqqtvmj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.MJPX"= PICVideo MJPEG Codec
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\WINDOWS\\SYSTEM32\\dlbxcoms.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\My Music\\LimeWire\\LimeWire.exe"=
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]
S2 DVC150;DVC 150B;C:\WINDOWS\system32\Drivers\dvc150b.sys [2005-03-03 19:47]
S3 DVC150B;Dazzle DVC 150B;C:\WINDOWS\system32\Drivers\dvc150b.SYS [2005-03-03 19:47]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 07:01:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\data\sprt_url\2543a343-dea5-47e6-b5f1-f8a1fda29ced.2\2543a343-dea5-47e6-b5f1-f8a1fda29ced.2.xml 2065 bytes
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\data\sprt_url\73387950-b909-42cd-8558-6ffdd5d352eb.4\73387950-b909-42cd-8558-6ffdd5d352eb.4.xml
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\14d5eccb-4a6f-4768-9873-89203d9e08e8.15.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\16c9a1d2-c530-4f58-966b-31d5895d173f.17.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\062a24e1-12c3-4222-be51-3a1346edf659.14.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\2312e98d-6810-4e0b-9256-07e4bbce31cb.3.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\2c225ba3-3d4a-411a-b5d4-4173c6fe96cd.28.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\2e06f4f4-55b9-405d-8e10-954fda8f57ec.18.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\33a92f63-d2c3-417d-9107-e56ddcd03972.5.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\3ad2af7b-0dc2-48fe-b2b3-a7f3c20f89d5.11.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\3c6970eb-13a7-47fc-9bb4-28e9a3207989.27.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\3d975f0c-e48a-4b11-a2b3-b9e4008c67b1.17.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\40248a18-8ce5-4d27-9753-b547ee10dd68.30.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\45d01974-622e-44d5-adda-f43a3cba848e.20.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\46619d57-629e-4e2a-be5c-6de54b323a38.15.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\47bd1fd6-f590-41d3-b9aa-8f4c6d70702a.6.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\495328ec-29e8-4211-9f3f-19ff503e4087.4.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\49c0618b-76c4-4409-b8af-f1492079190a.29.zcat
C:\Documents and Settings\Administrator\Local Settings\Application Data\SupportSoft\dellsupportcenter\Administrator\state\zcat\49f21aff-0b28-47bc-98d7-24936b342aa9.15.zcat
scan completed successfully
hidden files: 19
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\SYSTEM32\dlbxcoms.exe
C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
C:\PROGRA~1\Dantz\RETROS~1\Retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
.
**************************************************************************
.
Completion time: 2008-06-29 7:08:51 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-06-29 14:08:47
ComboFix2.txt 2008-06-29 06:26:58
Pre-Run: 19,490,041,856 bytes free
Post-Run: 19,471,790,080 bytes free
263 --- E O F --- 2008-05-19 21:51:58
============
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:32 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=Mal_Vundo-4
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116976270421
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214776754538
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL oygpivbg.dll ejqqtvmj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 11664 bytes
===========
Would you recommend anything else be done on this machine?
I'm sincerely thankful for your time and expertise! You and your colleagues are the best.
Billy
pskelley
2008-06-30, 02:10
Thanks for returning your information and the feedback. Seems we are making some progress.
Would you recommend anything else be done on this machine?
Once we believe the malware is gone and the computer is running as it should, then I will offer suggestions from experts in malware removal/security for you to review.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:34:52 PM, on 6/28/2008
Yes, Norton was removed, except for a couple of items I couldn't uninstall because I couldn't get into "Add/Remove Programs" (LiveUpdate, etc.). The Trend product is what will be used from now on. I am now able to get full Control Panel functionality.
I do not see Trend in Running Processes? But I do see Sysmantec?
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Symantec has made a tool available to remove leftovers:
http://basconotw.mvps.org/SymRem.htm
If you look at your HJT log you will see Trend Micro running in NT Services, but not in Running Processes at the top of the HJT log. You may want to check with Trend Micro. I have never run the progam and know little about it. http://esupport.trendmicro.com/support/consumer/ts.do
While you are resolving those issues, let's run another good malware scan to look for any malware left.
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
Thanks
bcarneal
2008-06-30, 04:37
Hello, again! Yes, I shouldn't "jump the gun". OK, I used Norton Removal Tool to remove that last piece of Symantec software. You didn't see Trend Micro properly because I had turned it off while going through these repair processes. Sorry. The next HJT should show it properly. I DL'd and ran Anti-Malware. It found a bunch (lots of stuff in Restore Points). I'm providing that log below. Will rerun HJT and provide log in next post shortly. Thanks!
=============
Anti-Malware log:
Malwarebytes' Anti-Malware 1.19
Database version: 905
Windows 5.1.2600 Service Pack 2
6:28:29 PM 6/29/2008
mbam-log-6-29-2008 (18-28-29).txt
Scan type: Full Scan (C:\|)
Objects scanned: 185874
Time elapsed: 58 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 97
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Inet_Get_2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Twain (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Sacor (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Sacor\Sacor.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Spcron\Spc.dll.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\VundoFix Backups\jkkJayWM.dll.bad.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\VundoFix Backups\qomklmmj.dll.bad.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\VundoFix Backups\ssqOEUnK.dll.bad.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkkJayWM.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wvUmKDSM.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1045\A0071523.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1051\A0075728.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1059\A0078134.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1059\A0078135.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1059\A0078137.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1065\A0078353.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1065\A0078354.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1065\A0078357.exe (Adware.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1065\A0078358.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1065\A0078361.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1065\A0078365.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1065\A0078366.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1066\A0081393.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1066\A0082378.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1066\A0082397.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1068\A0084376.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1068\A0084384.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1070\A0084407.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1070\A0084408.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1070\A0084409.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1070\A0084410.exe (Adware.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1070\A0084411.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1070\A0085366.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0086391.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0087399.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0087400.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0087401.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0087405.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0087406.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0091389.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0091400.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0091406.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0092391.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1074\A0092393.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1075\A0093411.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0093473.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0093501.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0094445.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0095432.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0095434.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0096483.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097526.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097533.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097534.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097535.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097537.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097541.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097542.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097543.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097544.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097546.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097550.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097551.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1076\A0097553.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099219.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099220.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099221.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099326.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099328.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099329.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099330.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099332.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099335.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099341.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099342.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099343.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099345.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099347.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099349.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099355.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099364.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099365.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099366.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099367.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099368.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099370.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099377.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099379.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099381.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099382.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099424.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1079\A0099426.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1082\A0100694.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1082\A0100701.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1082\A0100707.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jonathan Adkins\Desktop\AntiSpywareMaster.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebekah Adkins\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kristen Tanori\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jonathan Adkins\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
==================
bcarneal
2008-06-30, 04:46
....and here's the fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:48 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=Mal_Vundo-4
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116976270421
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214776754538
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL oygpivbg.dll ejqqtvmj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
--
End of file - 12076 bytes
============
Thank you.
pskelley
2008-06-30, 13:12
Let's revisit this information:
I followed the ComboFix instruction sheet and installed the Windows Recovery COnsole with the "download file/drop on ComboFix icon" method. The ComboFix log says the RC is not installed.
The next use of combofix for the CFScript in your Post #5 does not show:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
So it appears Recovery Console is installed. Would your look here: C:\*CF-RC.txt* and post that small log so I can be sure. We need to remove combofix and I want to be sure the installation was successful before doing so.
From the MBAM log:
C:\QooBox\Quarantine\ <<< combofix quarantine which will be removed with combofix
C:\System Volume Information\_restore <<< infected System Restore and those files are protected which MBAM can not effect. We will reset SR to clean those soon.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:43:48 PM, on 6/29/2008
This HJT log looks great:bigthumb:
Post that report from the RC installation, here are a few links from Microsoft to store about RC:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Thanks
bcarneal
2008-06-30, 16:54
Yes, the install of the RC using ComboFix didn't work, so I don't have that log you are asking for. I made a quick mention in my post #5 that I had installed the RC from CD, so it is installed and I see that option when I boot up. Do I need to verify RC installation for you in another way?
Thanks!
pskelley
2008-06-30, 17:03
No...these instructions will remove combofix:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
These instructions will clean your System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Will there be anything else?
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
bcarneal
2008-07-01, 06:19
Hi. Sorry I didn't get back before, but it was a hectic day at work. I've uninstalled ComboFix and cycled System Restore. I'm not seeing anymore of the infestation symptoms that I was. I am experiencing what are probably driver-related problems and am going to do some driver updates. Thanks, tremendously for your help, pskelley!
bcarneal