
Thread: Virtumonde has taken over!

  1. #1 Junior Member (Join Date: Feb 2008; Posts: 28)

    Virtumonde has taken over!

    I cannot download Kaspersky or successfully run HijackThis. I have renamed HJT, yet each time it completes a scan it closes due to an error from gebba.dll. HELP PLEASE!

  2. #2 __RiP_ChAiN_, Emeritus - Malware Team (Join Date: Sep 2007; Location: U.S.A; Posts: 480)

    Hello caddy

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  3. #3 Junior Member (Join Date: Feb 2008; Posts: 28)

    Thank you, Rip_chain. I appreciate the reply. I ran DSS as directed and posted both text files. I should also mention that in desperation I previously ran Combofix. This removed a handful of files and allowed me to then run HJT. I will post those logs as well.
    caddy

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-02-14 22:53:04
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:53:14 PM, on 2/14/2008
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINNT\explorer.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Administrator\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

    --
    End of file - 3288 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

    backup-20080214-204305-235 O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    backup-20080214-204305-240 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    backup-20080214-204305-267 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    backup-20080214-204305-445 O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    backup-20080214-204305-534 O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    backup-20080214-204305-631 O4 - HKLM\..\Run: [DadApp] C:\WINNT\SYSTEM32\Drivers\dadapp.exe
    backup-20080214-204305-733 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    backup-20080214-204305-924 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    backup-20080214-204305-927 O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    backup-20080214-204305-933 O4 - HKLM\..\RunOnce: [SpybotDeletingA1399] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
    backup-20080214-204925-104 O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
    backup-20080214-204925-106 O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
    backup-20080214-204925-118 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
    backup-20080214-204925-131 O4 - HKLM\..\RunOnce: [SpybotDeletingA1399] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
    backup-20080214-204925-297 O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    backup-20080214-204925-536 O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
    backup-20080214-204925-582 O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
    backup-20080214-204925-629 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    backup-20080214-204925-665 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    backup-20080214-204925-696 O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
    backup-20080214-204925-777 O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
    backup-20080214-204925-842 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    backup-20080214-204925-845 O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    backup-20080214-204925-873 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    backup-20080214-204925-898 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    backup-20080214-204925-932 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    backup-20080214-221805-264 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    backup-20080214-221827-168 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    backup-20080214-221919-129 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
    backup-20080214-223720-218 O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS.../features.html
    backup-20080214-223721-117 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
    backup-20080214-223721-408 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_07) -
    backup-20080214-223721-430 O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/tes...enXInstall.cab
    backup-20080214-223721-521 O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62...bridge-c18.cab
    backup-20080214-223721-546 O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    backup-20080214-223721-879 O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
    backup-20080214-223812-591 O20 - Winlogon Notify: ydtlxwbz - ydtlxwbz.dll (file missing)
    backup-20080214-223849-253 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    backup-20080214-223850-395 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    backup-20080214-223850-503 O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
    backup-20080214-223850-720 O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    backup-20080214-223850-932 O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
    backup-20080214-223955-685 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
    backup-20080214-223955-750 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    backup-20080214-223955-767 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    backup-20080214-223955-828 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    -- File Associations -----------------------------------------------------------

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .js - JSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,3
    .js - JSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
    .vbs - VBSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,2
    .vbs - VBSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
    .vbs - VBSFile - shell\edit\command - C:\WINNT\System32\Notepad.exe %1


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    3 ApfiltrService (Alps Touch Pad Filter Driver for Windows 2000/XP) - c:\winnt\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP>
    3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
    3 cs429x (Crystal WDM Audio Codec Driver) - c:\winnt\system32\drivers\cwawdm.sys <Not Verified; Cirrus Logic, Inc.; Crystal AC9x WDM Driver>
    1 Dlc (DLC Protocol) - c:\winnt\system32\drivers\dlc.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    3 EL90BC (3Com EtherLink XL B/C Adapter Driver) - c:\winnt\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
    3 EL90Xbc (3Com 3C90X-BC Family PCI EtherLink Adapter) - c:\winnt\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
    0 fasttrak - c:\winnt\system32\drivers\fasttrak.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Family Driver>
    3 ichaud (Service for AC'97 Driver (WDM)) - c:\winnt\system32\drivers\ichaud.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    3 MPE (BDA MPE Filter) - c:\winnt\system32\drivers\mpe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    0 mraid2k - c:\winnt\system32\drivers\mraid2k.sys <Not Verified; American Megatrends, Inc.; MegaRAID Miniport Driver for Windows 2000>
    3 Ptserial (W2K Pctel Serial Device Driver) - c:\winnt\system32\drivers\ptserial.sys <Not Verified; PCTEL, INC.; HSP Modem Serial Device>
    3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\winnt\system32\drivers\rootmdm.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    0 Vmodem (W2k Vmodem) - c:\winnt\system32\drivers\vmodem.sys <Not Verified; PCTEL, INC.; HSP Modem Modem Device>
    0 Vpctcom (W2k Vpctcom) - c:\winnt\system32\drivers\vpctcom.sys <Not Verified; PCtel, Inc.; HSP Modem Virtual Control Device>
    0 Vvoice (W2k Vvoice) - c:\winnt\system32\drivers\vvoice.sys <Not Verified; PCtel, Inc.; PCTEL HSP Modem Voice Device>
    3 wldel48 (TrueMobile 1150 Series Driver) - c:\winnt\system32\drivers\wldel48.sys <Not Verified; Dell; TrueMobile 1150 Series Card>

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    2 SiSWLSvc (SiS WirelessLan Service) - c:\program files\802.11 wireless lan\802.11g pen size wireless usb 2.0 adapter hw.32 v1.10\siswlsvc.exe
    2 WinMgmt (Windows Management Instrumentation) - c:\winnt\system32\wbem\winmgmt.exe (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    Unable to create WMI object.

    -- Files created between 2008-01-14 and 2008-02-14 -----------------------------

    2008-02-14 22:21:36 68096 --a------ C:\WINNT\System32\zip.exe
    2008-02-14 22:21:36 98816 --a------ C:\WINNT\System32\sed.exe
    2008-02-14 22:21:36 80412 --a------ C:\WINNT\System32\grep.exe
    2008-02-14 22:21:36 73728 --a------ C:\WINNT\System32\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-02-14 17:40:19 0 d-------- C:\Program Files\Trend Micro
    2008-02-13 12:45:26 29072 --a------ C:\WINNT\System32\drivers\disk.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    2008-02-11 08:40:15 0 d-------- C:\Program Files\Yahoo!
    2008-02-10 20:05:16 11520 --a------ C:\WINNT\System32\osvkcyi.exe
    2008-02-10 20:05:13 1635 --a------ C:\WINNT\System32\mlhozdm.exe
    2008-02-10 16:28:26 691545 --a------ C:\WINNT\unins000.exe
    2008-02-10 16:28:26 3453 --a------ C:\WINNT\unins000.dat
    2008-02-09 13:50:11 0 -ra------ C:\WINNT\System32\TFTP312
    2008-02-02 13:28:41 0 d-------- C:\Program Files\OLYMPUS
    2008-01-22 19:13:32 0 -ra------ C:\WINNT\System32\TFTP1236
    2008-01-21 17:54:19 19728 -ra------ C:\WINNT\System32\TFTP916 <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    2008-01-17 19:00:32 0 -ra------ C:\WINNT\System32\TFTP1104
    2008-01-14 18:18:48 0 -ra------ C:\WINNT\System32\TFTP1352
    2008-01-14 18:16:25 0 -ra------ C:\WINNT\System32\TFTP1312
    2008-01-14 18:09:17 0 -ra------ C:\WINNT\System32\TFTP572
    2008-01-14 18:05:18 0 -ra------ C:\WINNT\System32\TFTP500
    2008-01-14 17:57:57 0 -ra------ C:\WINNT\System32\TFTP556


    -- Find3M Report ---------------------------------------------------------------

    2008-02-14 22:39:03 0 d-------- C:\Program Files\SpywareGuard
    2008-02-14 20:34:07 0 d-------- C:\Program Files\WinZip Self-Extractor
    2008-02-14 20:34:06 0 d-a------ C:\Program Files\ewido anti-malware
    2008-02-14 20:28:36 0 d-------- C:\Program Files\Common Files\Real
    2008-02-14 20:27:47 0 d-a------ C:\Program Files\Common Files
    2008-02-14 20:25:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
    2008-02-14 20:23:32 0 d-------- C:\Program Files\Network Associates
    2008-02-14 20:20:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
    2008-01-07 16:12:51 0 d-a------ C:\Program Files\Modem Helper


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [05/08/01 04:00a C:\WINNT\SYSTEM32\MOBSYNC.EXE]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 4:05:35 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [10/11/2006 8:42:40 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispBackgroundPage"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"

    *Newly Created Service* - IPNAT
    *Newly Created Service* - RASAUTO
    *Newly Created Service* - SHAREDACCESS



    -- End of Deckard's System Scanner: finished at 2008-02-14 22:53:38 ------------

  4. #4 Junior Member (Join Date: Feb 2008; Posts: 28)

    extra logfile

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Unable to create WMI object.

    Architecture: X86; Language: English

    Percentage of Memory in Use: 49%
    Physical Memory (total/avail): 255.43 MiB / 130.08 MiB
    Pagefile Memory (total/avail): 615.39 MiB / 500.74 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1980.7 MiB

    C: is Fixed (NTFS) - 27.95 GiB total, 14.09 GiB free.
    D: is CDROM (No Media)
    E: is Removable (FAT)
    F: is CDROM (No Media)


    -- Security Center -------------------------------------------------------------



    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Administrator\Application Data
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=D9M5WQ11
    ComSpec=C:\WINNT\system32\cmd.exe
    HOMEDRIVE=C:
    HOMEPATH=\
    include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
    lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
    LOGONSERVER=\\D9M5WQ11
    MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0204
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SystemDrive=C:
    SystemRoot=C:\WINNT
    TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    USERDOMAIN=D9M5WQ11
    USERNAME=Administrator
    USERPROFILE=C:\Documents and Settings\Administrator
    windir=C:\WINNT


    -- User Profiles ---------------------------------------------------------------

    Administrator (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
    802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BDC88E5A-F47B-4314-AB38-994592E32C95}
    Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
    ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
    Creative Jukebox Driver --> C:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
    Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
    Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
    Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
    Creative Zen Micro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D944236D-7992-41D6-8257-930B5832F1CC}\SETUP.EXE" -l0x9 /remove
    Dell AccessDirect --> C:\WINNT\IsUninst.exe -f"C:\Program Files\DELL\AccessDirect\Uninst.isu" -c"C:\WINNT\SYSTEM32\Drivers\Uninst.dll
    DiMAGE Master Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D312E40B-1C59-4823-AB48-6798D85ABBE4}\Setup.exe" -l0x9 anything
    Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Intel SpeedStep technology Applet --> C:\WINNT\IsUninst.exe -f"C:\WINNT\System32\Intel(R) SpeedStep(TM) technology Applet.isu"
    InterVideo WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
    Microsoft FrontPage 2000 --> MsiExec.exe /I{00120409-78E1-11D2-B60F-006097C998E7}
    Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINNT\System32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
    Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
    Microsoft Visual Studio 6.0 Professional Edition --> "C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
    Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINNT\INF\wpie3x86.inf,WebPostUninstall
    Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" ControlPanel
    Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINNT\System32\nvinstnt.dll,NvUninstallNT4 nvdm.inf
    PCTEL 2304WT V.92 MDC Modem Drivers --> ptuninst.exe
    Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
    QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\System32\QuickTime\Uninstall.log
    Serif PhotoPlus 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9
    Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
    Spybot - Search & Destroy 1.5.2.20 --> "C:\WINNT\unins000.exe"
    SpywareBlaster v3.2 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
    TrueMobile 1150 Client Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0F8B60-6C6A-11D4-9630-0060B0FBF2F6}\setup.exe"
    User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
    Windows 2000 Application Compatibility Update --> C:\WINNT\AppPatch\wuinst.exe -u
    Windows 2000 Security Rollup Package [See Q311401 for more information] --> C:\WINNT\$NtUninstallSP2SRP1$\spuninst\spuninst.exe


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type2201 / Warning
    Event Submitted/Written: 02/14/2008 07:49:05 PM
    Event ID/Source: 4104 / COM+
    Event Description:
    The CRM log file was originally created on a computer with a different name. It has been updated with the name of the current computer. If this warning appears when the computer name has been changed then no further action is required.
    DJ66FD11
    Server Application ID: {02D4B3F1-FD88-11D1-960D-00805FC79235}
    Server Application Name: System Application

    Event Record #/Type2180 / Error
    Event Submitted/Written: 02/13/2008 09:59:24 PM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.

    Event Record #/Type2179 / Error
    Event Submitted/Written: 02/13/2008 09:37:53 PM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.

    Event Record #/Type2178 / Error
    Event Submitted/Written: 02/13/2008 09:15:56 PM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.

    Event Record #/Type2177 / Error
    Event Submitted/Written: 02/13/2008 08:54:30 PM
    Event ID/Source: 257 / Alert Manager Event Interface
    Event Description:
    Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type27203 / Error
    Event Submitted/Written: 02/14/2008 10:53:38 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
    in order to run the server:
    {8BC3F05E-D86B-11D0-A075-00C04FB68820}

    Event Record #/Type27202 / Error
    Event Submitted/Written: 02/14/2008 10:53:23 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
    in order to run the server:
    {8BC3F05E-D86B-11D0-A075-00C04FB68820}

    Event Record #/Type27201 / Error
    Event Submitted/Written: 02/14/2008 10:53:23 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
    in order to run the server:
    {8BC3F05E-D86B-11D0-A075-00C04FB68820}

    Event Record #/Type27200 / Error
    Event Submitted/Written: 02/14/2008 10:53:20 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
    in order to run the server:
    {8BC3F05E-D86B-11D0-A075-00C04FB68820}

    Event Record #/Type27199 / Error
    Event Submitted/Written: 02/14/2008 10:53:10 PM
    Event ID/Source: 10005 / DCOM
    Event Description:
    DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
    in order to run the server:
    {8BC3F05E-D86B-11D0-A075-00C04FB68820}



    -- End of Deckard's System Scanner: finished at 2008-02-14 22:53:38 ------------

  5. #5
    Junior Member
    Join Date
    Feb 2008
    Posts
    28

    Default HJT logfile

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:06:39 PM, on 2/14/2008
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINNT\explorer.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

    --
    End of file - 3284 bytes

  6. #6
    Junior Member
    Join Date
    Feb 2008
    Posts
    28

    Default combofix logfile

    ComboFix 08-02-15.1 - Administrator 02/14/2008 22:22:21.1 - NTFSx86

    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINNT\system32\gebba.dll
    C:\WINNT\system32\wvusqpn.dll
    C:\Program Files\delfin
    C:\WINNT\fsg_4203.exe
    C:\WINNT\SYSTEM32\abbeg.ini
    C:\WINNT\SYSTEM32\abbeg.ini2
    C:\WINNT\system32\bpkwb.dll
    C:\WINNT\system32\bwpfabuq.dll
    C:\WINNT\system32\ddmp.dll
    C:\WINNT\system32\drivers\Browse.exe
    C:\WINNT\system32\drivers\dadtray.exe
    C:\WINNT\system32\drivers\OnScDisp.exe
    C:\WINNT\system32\gebba.dll
    C:\WINNT\system32\iedriver.exexplore.exe
    C:\WINNT\system32\johnwb.dll
    C:\WINNT\system32\jslvwdta.dll
    C:\WINNT\system32\redirect.dll
    C:\WINNT\system32\rhysepyw.dll
    C:\WINNT\SYSTEM32\stetgkjv.ini
    C:\WINNT\system32\systemwb.dll
    C:\WINNT\system32\sysu.exe
    C:\WINNT\system32\tcpservice2.exe
    C:\WINNT\system32\vjkgtets.dll
    C:\WINNT\system32\wvusqpn.dll
    C:\WINNT\system32\xdeffrkp.dll
    C:\WINNT\Web\default.htt

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\nm


    ((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
    .

    2008-02-14 17:40 . 08-02-14 17:40 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-13 12:45 . 01-05-04 12:05 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
    2008-02-11 08:40 . 08-02-12 08:38 <DIR> d-------- C:\Program Files\Yahoo!
    2008-02-10 20:05 . 08-02-10 20:05 11,520 --a------ C:\WINNT\SYSTEM32\osvkcyi.exe
    2008-02-10 20:05 . 08-02-10 20:05 1,635 --a------ C:\WINNT\SYSTEM32\mlhozdm.exe
    2008-02-10 16:28 . 08-02-10 15:59 691,545 --a------ C:\WINNT\unins000.exe
    2008-02-10 16:28 . 08-02-10 16:28 3,453 --a------ C:\WINNT\unins000.dat
    2008-02-09 13:50 . 08-02-09 13:50 0 -ra------ C:\WINNT\SYSTEM32\TFTP312
    2008-02-02 13:28 . 08-02-02 13:28 <DIR> d-------- C:\Program Files\OLYMPUS
    2008-01-22 19:13 . 08-01-22 19:13 0 -ra------ C:\WINNT\SYSTEM32\TFTP1236
    2008-01-21 17:54 . 08-01-21 17:54 19,728 -ra------ C:\WINNT\SYSTEM32\TFTP916
    2008-01-17 19:00 . 08-01-17 19:00 0 -ra------ C:\WINNT\SYSTEM32\TFTP1104

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
    2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
    2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
    2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
    2008-02-11 05:29 --------- d-----w C:\Program Files\SpywareGuard
    2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
    2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
    2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
    2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
    2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
    1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83DC91DB-7896-43E3-B34D-A7D043F16BB1}]
    04-08-16 11:44 59904 --a------ C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7EF827-47CC-48EB-B570-C367F1E1277E}]
    04-08-12 11:13 38400 --a------ C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [01-05-08 04:00 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ydtlxwbz]
    ydtlxwbz.dll


    *Newly Created Service* - IPNAT
    *Newly Created Service* - RASAUTO
    *Newly Created Service* - SHAREDACCESS
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-14 22:28:39
    Windows 5.0.2195 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-14 22:30:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-15 06:30:22

  7. #7
    Emeritus- Malware Team __RiP_ChAiN_'s Avatar
    Join Date
    Sep 2007
    Location
    U.S.A
    Posts
    480

    Default

    Hello caddy

    • Open HiJackThis
    • Click on "View the list of Backups"
    • Place a check mark next to everything in that window
    • Click Restore
    • Click Yes
    • Reboot your computer


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    File::
    C:\WINNT\SYSTEM32\osvkcyi.exe
    C:\WINNT\SYSTEM32\mlhozdm.exe
    Folder::
    C:\Documents and Settings\All Users\Application Data\x1ff
    C:\Documents and Settings\All Users\Application Data\RDSA
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83DC91DB-7896-43E3-B34D-A7D043F16BB1}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ydtlxwbz]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7EF827-47CC-48EB-B570-C367F1E1277E}]
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    • A new HijackThis log.

    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

  8. #8
    Junior Member
    Join Date
    Feb 2008
    Posts
    28

    Default

    ComboFix 08-02-15.1 - Administrator 02/15/2008 17:00:37.2 - NTFSx86

    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\WINNT\SYSTEM32\mlhozdm.exe
    C:\WINNT\SYSTEM32\osvkcyi.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\RDSA
    C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.cfg
    C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
    C:\Documents and Settings\All Users\Application Data\RDSA\RDSA.x2f
    C:\Documents and Settings\All Users\Application Data\x1ff
    C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.cfg
    C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
    C:\Documents and Settings\All Users\Application Data\x1ff\X1FF0.dll
    C:\Documents and Settings\All Users\Application Data\x1ff\xcf01467.new
    C:\Documents and Settings\All Users\Application Data\x1ff\xcf11875.new
    C:\Documents and Settings\All Users\Application Data\x1ff\xcf13534.new
    C:\Documents and Settings\All Users\Application Data\x1ff\xcf25561.new
    C:\Documents and Settings\All Users\Application Data\x1ff\xcf70936.new
    C:\Documents and Settings\All Users\Application Data\x1ff\xcf85250.new
    C:\Documents and Settings\All Users\Application Data\x1ff\xde79220.exe
    C:\Documents and Settings\All Users\Application Data\x1ff\xde85250.exe
    C:\Documents and Settings\All Users\Application Data\x1ff\xdl85250.new
    C:\WINNT\SYSTEM32\mlhozdm.exe
    C:\WINNT\SYSTEM32\osvkcyi.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
    .

    2008-02-14 23:21 . 02/15/08 04:35p 701,602 ---h----- C:\WINNT\ShellIconCache
    2008-02-14 22:52 . 02/14/08 10:52p <DIR> d-------- C:\Deckard
    2008-02-14 17:40 . 02/14/08 05:40p <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-13 12:45 . 05/04/01 12:05p 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
    2008-02-11 08:40 . 02/12/08 08:38a <DIR> d-------- C:\Program Files\Yahoo!
    2008-02-10 16:28 . 02/10/08 03:59p 691,545 --a------ C:\WINNT\unins000.exe
    2008-02-10 16:28 . 02/10/08 04:28p 3,453 --a------ C:\WINNT\unins000.dat
    2008-02-09 13:50 . 02/09/08 01:50p 0 -ra------ C:\WINNT\SYSTEM32\TFTP312
    2008-02-02 13:28 . 02/02/08 01:28p <DIR> d-------- C:\Program Files\OLYMPUS
    2008-01-22 19:13 . 01/22/08 07:13p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1236
    2008-01-21 17:54 . 01/21/08 05:54p 19,728 -ra------ C:\WINNT\SYSTEM32\TFTP916
    2008-01-17 19:00 . 01/17/08 07:00p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1104

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-16 00:49 --------- d-----w C:\Program Files\SpywareGuard
    2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
    2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
    2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
    2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
    2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
    2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
    2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
    2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
    2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
    1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" [ ]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
    "Synchronization Manager"="mobsync.exe" [05/08/01 04:00a 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]


    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-15 17:02:13
    Windows 5.0.2195 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 02/15/2008 17:02:59
    ComboFix-quarantined-files.txt 2008-02-16 01:02:39
    ComboFix2.txt 2008-02-15 06:30:38

  9. #9
    Junior Member
    Join Date
    Feb 2008
    Posts
    28

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:07:01 PM, on 2/15/2008
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\SYSTEM32\Drivers\dadapp.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINNT\System32\PRPCUI.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\System32\pctspk.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINNT\EXPLORER.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
    O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
    O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
    O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

    --
    End of file - 4652 bytes

  10. #10
    Emeritus- Malware Team __RiP_ChAiN_'s Avatar
    Join Date
    Sep 2007
    Location
    U.S.A
    Posts
    480

    Default

    Hello caddy

    Using Add Or Remove Programs, remove the following entries (if present). (To get into Add Or Remove Programs, press the START button > Control Panel > Add Or Remove Programs.)

    SpyKiller

    A. Please RUN HijackThis
    1. Click the SCAN button to produce a log.
    2. Place a check mark beside each one of the following items:

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
      O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
      O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
      O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
      O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
      O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')



    3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

    B. 1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    File::
    C:\WINNT\SYSTEM32\gebba.dll
    Folder::
    C:\Program Files\SpyKiller
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Save the above as CFScript.txt

    4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    6. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
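The review in the post above works by reading the HijackThis log from post #9 and picking out the entries that still point at things already dealt with: the SpyKiller program being uninstalled, the gebba.dll file ComboFix removed, and the WinMgmt service whose binary HijackThis reports as missing. The following Python is an added example, not code from this thread or from HijackThis or ComboFix: it parses HijackThis entry lines into structured records and applies those same three checks. The sample log is a constructed fixture copied from the entries in post #9; the names `HjtEntry`, `parse_log`, `review` and the check wording are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed fixture: entry lines copied from the HijackThis log in post #9 above,
# trimmed to the ones relevant to the review.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)
"""


@dataclass
class HjtEntry:
    kind: str             # entry type as HijackThis prints it: "R1", "O4", "O23", ...
    raw: str              # the whole line, kept for the report
    name: str             # O4 value name, O2/O9/O23 display name, or R-entry key name
    command: str          # the path or command line the entry points at
    file_missing: bool    # HijackThis appended "(file missing)" to the entry


ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<detail>.*)$")
# O4 - <hive\..\Key>: [<value name>] <command> [(User '<who>')]
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '[^']*'\))?$")
# O2/O3/O9/O23 end in " - <drive>:\<path>"; anchoring on the drive letter survives " - " inside names
PATH_RE = re.compile(r" - (?P<command>[A-Za-z]:\\.*)$")
FILE_MISSING = " (file missing)"


def parse_entry(line: str) -> HjtEntry:
    """Turn one 'Xn - ...' HijackThis line into an HjtEntry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a HijackThis entry: {line!r}")
    kind, detail = m.group("kind"), m.group("detail")
    missing = detail.endswith(FILE_MISSING)
    if missing:
        detail = detail[: -len(FILE_MISSING)]
    name, command = "", detail
    if kind == "O4":
        m4 = O4_RE.match(detail)
        if m4:
            name, command = m4.group("name"), m4.group("command")
    elif kind in ("O2", "O3", "O9", "O23"):
        mp = PATH_RE.search(detail)
        command = mp.group("command") if mp else detail
        name = detail.split(": ", 1)[-1].split(" - ", 1)[0]
    elif kind.startswith("R"):
        name, _, command = detail.partition(" = ")   # "R1 - <key>,<value> = <data>"
    return HjtEntry(kind, line.strip(), name, command, missing)


def parse_log(text: str) -> List[HjtEntry]:
    """Parse every entry line; header and process-list lines are skipped."""
    return [parse_entry(l) for l in text.splitlines() if ENTRY_RE.match(l.strip())]


def review(entries: Iterable[HjtEntry], removed_files: List[str],
           uninstalled_programs: List[str]) -> List[Tuple[HjtEntry, List[str]]]:
    """Return (entry, reasons) for entries worth a second look.

    The checks follow the helper's selection in post #10 (assumption of this example):
    an entry still references a file a cleaner already removed, an entry launches a
    program being uninstalled, or a service binary is reported as missing.
    """
    flagged = []
    for e in entries:
        reasons = []
        cmd = e.command.lower()
        reasons += [f"references removed file {f}" for f in removed_files if f.lower() in cmd]
        reasons += [f"launches uninstalled program {p}" for p in uninstalled_programs if p.lower() in cmd]
        if e.file_missing:
            reasons.append("binary reported as file missing")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in review(parse_log(SAMPLE_LOG), ["gebba.dll"], ["SpyKiller"]):
        print(f"{entry.kind:4} {entry.raw}\n     -> {'; '.join(why)}")
```

The entries the checks flag are the SpyKiller Run entries, the three Spybot RunOnce deletions of gebba.dll and the WinMgmt service; the two about:blank R-entries are left to the reader, since whether a reset page value is worth fixing is a judgement call rather than a mechanical check.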
