can't remove hldrrr.exe mdelk.exe

You will need to reinstall Symantec. One of the files was infected with Bagle so it had to be killed.

Can you reinstall your wireless? That should fix it.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE

Folder::
C:\Windows\system32\drivers\disdn

Registry::

Driver::
gusvc

Save this as CFScript.txt, in the same location as ComboFix.exe


Combo-Do.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log and tell me how your PC is running
 
I was able to fix the Wireless Zero Configuration problem by doing this...

So, I went to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio
and checked that the "Start" Value is set to 1, 2 or 3. I found out it was disabled (it was set to 4). (I set it to 1).

And this solved my problem, after a System Restart the Wireless Zero Config Service can be readily started.

Unfortunately disdn folder is still there. I don't know what is using it, but it won't allow me to delete it. Even running ComboFix like you had with CFScript.txt.

ComboFix 08-04-27.3 - mgi2890 2008-05-01 21:35:57.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.547 [GMT -4:00]
Running from: D:\Profiles\MGI2890\Desktop\Combo-Fix.exe
Command switches used :: D:\Profiles\MGI2890\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Profiles\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Profiles\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\system32\drivers\disdn . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://PA06EDM01
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gusvc


((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-04-30 23:24 . 2008-04-30 23:24 <DIR> d-------- D:\Profiles\MGI2890\Application Data\Malwarebytes
2008-04-30 23:24 . 2008-04-30 23:24 <DIR> d-------- D:\Profiles\All Users\Application Data\Malwarebytes
2008-04-30 23:24 . 2008-04-30 23:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-30 23:23 . 2008-04-30 23:23 128,368 --a------ C:\Download_mbam-setup.exe
2008-04-30 13:19 . 2008-04-30 13:19 1,596,094 --a------ C:\mbam-setup.exe
2008-04-29 21:48 . 2008-04-30 00:14 <DIR> d-------- D:\Profiles\MGI2890\DoctorWeb
2008-04-29 21:41 . 2008-04-29 21:45 10,258,232 --a------ C:\drweb-cureit.exe
2008-04-29 14:10 . 2008-04-29 14:10 <DIR> d-------- C:\fsaua.data
2008-04-28 16:56 . 2008-04-28 16:56 <DIR> d-------- D:\Profiles\All Users\Application Data\Kaspersky Lab
2008-04-28 16:56 . 2008-04-28 16:56 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 15:24 . 2008-04-28 15:37 <DIR> d-------- D:\Profiles\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 15:24 . 2008-04-28 15:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-28 15:23 . 2008-04-28 15:23 9,722,720 --a------ C:\spybotsd152.exe
2008-04-28 14:09 . 2008-04-28 15:42 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-04-28 01:32 . 2008-04-28 01:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 01:32 . 2008-04-28 01:32 812,344 --a------ C:\HJTInstall.exe
2008-04-28 00:50 . 2008-04-28 00:50 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-28 00:45 . 2008-04-27 20:49 <DIR> d-------- C:\SDFix
2008-04-27 23:32 . 2008-04-27 23:32 650,296 --a------ C:\PREVXCSIFREE(2).EXE
2008-04-27 23:12 . 2008-04-27 23:17 2,205,157 --a------ C:\IceSword122en.zip
2008-04-27 23:01 . 2008-04-27 23:01 650,296 --a------ C:\PREVXCSIFREE.EXE
2008-04-27 22:41 . 2008-04-27 22:41 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-27 22:41 . 2008-04-27 22:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 22:39 . 2008-04-27 22:40 20,597,104 --a------ C:\aaw2007.exe
2008-04-25 22:05 . 2008-04-25 22:05 93,775 --a------ C:\2333.zip
2008-04-19 11:27 . 2008-04-19 11:27 <DIR> d-------- C:\Temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2008-04-19 11:27 . 2008-04-24 12:21 275 --a------ C:\lxcjfire.csv
2008-04-19 11:27 . 2008-04-24 12:12 275 --a------ C:\lxcjfire.008
2008-04-19 11:27 . 2008-04-24 12:11 275 --a------ C:\lxcjfire.007
2008-04-19 11:27 . 2008-04-24 12:07 275 --a------ C:\lxcjfire.006
2008-04-19 11:27 . 2008-04-24 12:07 275 --a------ C:\lxcjfire.005
2008-04-19 11:27 . 2008-04-19 11:43 275 --a------ C:\lxcjfire.004
2008-04-19 11:27 . 2008-04-19 11:41 275 --a------ C:\lxcjfire.003
2008-04-19 11:27 . 2008-04-19 11:38 275 --a------ C:\lxcjfire.002
2008-04-19 11:27 . 2008-04-19 11:28 275 --a------ C:\lxcjfire.001
2008-04-19 11:27 . 2008-04-19 11:27 275 --a------ C:\lxcjfire.000
2008-04-19 11:22 . 2008-04-24 12:25 <DIR> d-------- C:\Lexmark
2008-04-17 18:20 . 2008-04-17 18:28 31,232 --a------ C:\proposedamendment(2).doc
2008-04-17 18:18 . 2008-04-17 18:18 23,552 --a------ C:\Proxy.doc
2008-04-17 18:18 . 2008-04-17 18:19 6,709 --a------ C:\proposedamendment.doc.part
2008-04-17 18:18 . 2008-04-17 18:18 0 --a------ C:\proposedamendment.doc
2008-04-17 18:15 . 2008-04-17 18:15 6,184 --a------ C:\Pheasant
2008-04-17 15:42 . 2008-04-27 23:07 8,704 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-15 09:45 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-15 09:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-15 09:45 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-15 09:45 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-08 20:50 . 2008-04-08 20:50 <DIR> d-------- D:\Profiles\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 01:44 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-29 00:53 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-28 19:18 --------- d-----w C:\Program Files\Elaborate Bytes
2008-04-28 18:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-28 18:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-28 18:09 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-28 18:07 --------- d-----w C:\Program Files\Azureus
2008-04-28 18:05 --------- d-----w D:\Profiles\MGI2890\Application Data\Amazon
2008-04-28 18:05 --------- d-----w C:\Program Files\Amazon
2008-04-28 02:41 --------- d-----w D:\Profiles\All Users\Application Data\Lavasoft
2008-04-23 19:11 --------- d-----w D:\Profiles\MGI2890\Application Data\AdobeUM
2008-04-08 21:31 --------- d-----w D:\Profiles\MGI2890\Application Data\Vso
2008-03-30 03:02 --------- d-----w D:\Profiles\All Users\Application Data\FLEXnet
2008-03-30 02:01 --------- d-----w D:\Profiles\NetworkService\Application Data\Juniper Networks
2008-03-28 19:08 --------- d-----w C:\Program Files\SlySoft
2008-03-27 02:11 --------- d-----w D:\Profiles\sdm.MGI2890-02\Application Data\Juniper Networks
2008-03-22 01:14 --------- d-----w C:\Program Files\MSECache
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 02:54 --------- d-----w D:\Profiles\MGI2890\Application Data\dvdcss
2008-03-18 19:46 --------- d-----w C:\Program Files\DVDFab Platinum 4
2008-03-16 01:43 --------- d-----w C:\Program Files\WS_FTP
2008-03-15 03:56 --------- d-----w D:\Profiles\MGI2890\Application Data\ZoomBrowser EX
2008-03-10 17:38 --------- d-----w C:\Program Files\Common Files\Canon
2008-03-08 02:09 --------- d-----w D:\Profiles\MGI2890\Application Data\Apple Computer
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-04 22:23 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
2008-01-06 04:07 47,360 ----a-w D:\Profiles\MGI2890\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-28_ 0.37.27.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 04:29:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 01:41:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-02-27 19:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 19:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 20:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 19:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
+ 2008-04-28 00:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-28 04:50:45 5,140,480 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-04-28 04:50:46 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-28 00:47:55 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-28 04:50:43 5,140,480 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-04-28 04:50:43 147,456 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2004-12-08 15:10:00 10,963 ----a-w C:\WINDOWS\system32\CCM\Cache\00N0008C.2.System\LoadPkg.vbs
+ 2005-03-24 17:29:48 384,923 ----a-w C:\WINDOWS\system32\CCM\Cache\00N0008C.2.System\runpack.exe
+ 2006-02-13 18:15:12 323,584 ----a-w C:\WINDOWS\system32\CCM\Cache\00N0008C.2.System\Source\WSUSAudit.exe
+ 2006-02-13 21:57:19 123,058 ----a-w C:\WINDOWS\system32\CCM\Cache\00N0008C.2.System\WUSvcFix.EXE
- 2008-04-26 20:41:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-30 19:09:33 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-26 20:41:47 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-30 19:09:33 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-26 20:41:47 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-30 19:09:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-21 04:29:56 1,516,240 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-28 19:42:36 1,515,504 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-05-02 01:46:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_9e4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{749F8452-7D28-4658-A903-9B047E5A2CE8}"= "C:\Program Files\RSA Security\IE Toolbar\RSAToolbar.dll" [2006-06-08 04:20 2420736]

[HKEY_CLASSES_ROOT\clsid\{749f8452-7d28-4658-a903-9b047e5a2ce8}]
[HKEY_CLASSES_ROOT\RSAToolbar.RSAToolbarBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{37686C62-D497-42E3-BAAB-78D89A74E151}]
[HKEY_CLASSES_ROOT\RSAToolbar.RSAToolbarBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DBISQL9"="" []
"SybaseCentral43"="" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:39 1289000]
"URLy Warning"="C:\Program Files\URLy Warning\URLyWarning.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 02:56 52896]
"CSCAdvantage"="C:\Program Files\Help Desk\CSCAdv.exe" [2005-06-09 13:41 111403]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 13:41 860160]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 22:05 344064]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 14:24 290816]
"AGRSMMSG"="AGRSMMSG.exe" [2005-11-16 15:12 88209 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 19:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 19:38 688218]
"CSCLogonInfo"="C:\WINDOWS\UsrLogon.exe" [2006-12-12 17:28 127079]
"SupportSoft_Amer_Motorola"="C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe" [2006-07-12 17:00 192512]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SDFix"="C:\SDFix\RunThis.bat /second" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-02-01 18:31 3900776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)
"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoAutoTrayNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-1086857\Scripts\Logon\0\0]
"Script"=w2kenroll.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-980161\Scripts\Logon\0\0]
"Script"=wireless-qualification.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-287218729-725345543-980161\Scripts\Logon\1\0]
"Script"=w2kenroll.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Netmeeting\\conf.exe"= C:\\Program Files\\Netmeeting\\conf.exe
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:10.176.1.190/199:enabled:bDNA
"497:TCP"= 497:TCP:10.0.38.5/10:enabled:bDNA2
"6000:TCP"= 6000:TCP:exceed
"135:TCP"= 135:TCP:10.160.5.8:enabled:foundscan
"137:TCP"= 137:TCP:10.197.24.2:enabled:foundscan2
"138:TCP"= 138:TCP:10.0.125.17:enabled:foundscan3
"139:TCP"= 139:TCP:10.0.125.20:enabled:foundscan4
"1503:TCP"= 1503:TCP:10.0.125.21:enabled:foundscan5
"1720:TCP"= 1720:TCP:10.1.250.11:enabled:foundscan6
"1761:TCP"= 1761:TCP:10.64.2.96:enabled:foundscan7
"2701:TCP"= 2701:TCP:10.128.132.49:enabled:iss1
"2702:TCP"= 2702:TCP:10.128.132.49:enabled:iss2
"43189:TCP"= 43189:TCP:10.160.9.87:enabled:iss3
"4445:TCP"= 4445:TCP:10.0.125.19:enabled:iss4
"6401:TCP"= 6401:TCP:192.168.30.7:enabled:iss5
"1023:UDP"= 1023:UDP:144.190.1.100:enabled:iss6
"445:TCP"= 445:TCP:10.0.125.15:enabled:nmap
"123:UDP"= 123:UDP:129.188.57.239:enabled:scanner1
"137:UDP"= 137:UDP:129.188.147.55:enabled:scanner2
"138:UDP"= 138:UDP:192.168.3.1:enabled:scanner3
"2233:UDP"= 2233:UDP:129.188.33.18:enabled:scanner4
"371:UDP"= 371:UDP:10.0.125.13:enabled:scanner5
"407:UDP"= 407:UDP:10.0.125.28:enabled:scanner6
"497:UDP"= 497:UDP:10.193.21.54:enabled:scanner7
"500:UDP"= 500:UDP:10.0.125.11:enabled:scanner8
"600:UDP"= 600:UDP:10.79.40.64:enabled:scanner9
"601:UDP"= 601:UDP:10.79.40.64:enabled:scanner10
"602:UDP"= 602:UDP:10.79.40.64:enabled:scanner11
"603:UDP"= 603:UDP:10.79.40.64:enabled:scanner12
"604:UDP"= 604:UDP:10.79.40.64:enabled:scanner13
"605:UDP"= 605:UDP:10.79.40.64:enabled:scanner14
"606:UDP"= 606:UDP:10.79.40.64:enabled:scanner15
"607:UDP"= 607:UDP:10.79.40.64:enabled:scanner16
"608:UDP"= 608:UDP:10.79.40.64:enabled:scanner17
"609:UDP"= 609:UDP:10.79.40.64:enabled:scanner18
"610:UDP"= 610:UDP:10.79.40.64:enabled:scanner19
"62514:UDP"= 62514:UDP:10.79.40.72,10.82.51.100,10.228.96.22/24,10.228.96.26,10.16.225.208,10.17.193.181,10.17.193.182:enabled:scanner20
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)

R0 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys [2004-07-29 14:34]
R1 WrqDft;WrqDft;C:\WINDOWS\system32\drivers\WrqDft.sys [2002-07-29 09:50]
R1 WrqSDL;WrqSDL;C:\WINDOWS\system32\drivers\WrqSDL.sys [2002-07-29 09:50]
R2 ApacheForSDM;ApacheForSDM;"C:\AdventNet\WebNMS\apache\bin\Apache.exe" -k runservice []
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
R2 sprtsvc_supportsoft_amer_motorola;SupportSoft Sprocket Service (supportsoft_amer_motorola);C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe [2006-07-12 17:01]
R2 tgsrvc_supportsoft_amer_motorola;SupportSoft Repair Service (supportsoft_amer_motorola);C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe [2006-07-12 17:01]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;"C:\Program Files\ISS\Proventia Desktop\vpatch.exe" [2007-10-29 13:44]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-10-03 13:48]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 12:46]
R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\isskboep.sys [2007-06-15 19:56]
R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-10-29 13:44]
R4 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-06-15 19:56]
S3 ASANYs_WebNmsDB;Adaptive Server Anywhere - WebNmsDB;C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe [2005-02-25 11:27]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-06-19 22:40]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-06-19 22:40]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{Z99999999-999-9999-9999-MOT-2K3}]
C:\WINDOWS\2k3_USR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFC1927-A731-4c34-829B-47EE05ADD199}]
"C:\WINDOWS\regedit.exe" /s "C:\WINDOWS\mot-wmp9.reg"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C10BF3A1-3FEC-4a94-AAAF-9D6A4B522F63}]
"C:\Program Files\WinZip\wzusr90.exe" /NOICON /NOTRAY
.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 01:44:22 C:\WINDOWS\Tasks\CheckNetwork.job"
- C:\Program Files\Motorola\WirelessControl\NetStatus.vbs
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 21:45:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-01 21:50:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 01:49:33
ComboFix2.txt 2008-04-30 14:23:48
ComboFix3.txt 2008-04-30 01:36:53
ComboFix4.txt 2008-04-29 00:06:54
ComboFix5.txt 2008-04-28 23:48:12

Pre-Run: 7,780,278,272 bytes free
Post-Run: 7,765,667,840 bytes free

314
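
The registry check described at the top of the post above (the Ndisuio "Start" value, where 4 means disabled) can be run over a registry export for several services at once. The Python below is an added example, not part of the original thread: the sample export is constructed, and the service name WZCSVC (Wireless Zero Configuration on Windows XP) and the watch list are assumptions.

```python
"""Audit service start types in a regedit export (added example, not from the thread)."""
import re

# Meaning of the "Start" DWORD under ...\Services\<name>.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed sample of a "Version 5.00" export; values are illustrative only.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio]
"Start"=dword:00000004
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio\Enum]
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001
'''

# Matches only the service's own key, not subkeys such as ...\Ndisuio\Enum.
_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\]$",
    re.IGNORECASE,
)
_START_RE = re.compile(r'^"Start"=dword:([0-9a-f]{8})$', re.IGNORECASE)


def decode_reg_bytes(data: bytes) -> str:
    """Decode a .reg file: 'Version 5.00' exports are UTF-16LE with a BOM,
    REGEDIT4 exports are ANSI (cp1252 assumed here)."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("cp1252")


def parse_service_start(reg_text: str) -> dict:
    """Return {lowercased service name: Start value} from the export text."""
    result = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = _KEY_RE.match(line)
            # Any other key (including a service's subkeys) clears the context,
            # so a "Start" value elsewhere is never attributed to a service.
            current = match.group(1).lower() if match else None
            continue
        if current is not None:
            match = _START_RE.match(line)
            if match:
                result[current] = int(match.group(1), 16)
    return result


def audit_services(reg_text: str, expected_enabled: list) -> list:
    """Return (service, problem) pairs for watched services that cannot start."""
    starts = parse_service_start(reg_text)
    findings = []
    for name in expected_enabled:
        value = starts.get(name.lower())
        if value is None:
            findings.append((name, "no Start value found"))
        elif value == 4:
            findings.append((name, "Disabled (Start=4)"))
        elif value not in START_TYPES:
            findings.append((name, f"unexpected Start={value}"))
    return findings


if __name__ == "__main__":
    # Hypothetical watch list: services the wireless stack depends on.
    watch = ["Ndisuio", "WZCSVC", "Tcpip", "Dhcp"]
    for service, problem in audit_services(SAMPLE_REG, watch):
        print(f"{service}: {problem}")
```

To check a real machine, export `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` from regedit, read the file as bytes, and pass `decode_reg_bytes(data)` to `audit_services`.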
 
I can't login to my computer in Safe Mode anymore. I think I'll have to contact my IT department for this one. My PC appears to be running much better. I think you helped me a great deal! Thanks so much...

One more question...

How do I uninstall SDFix? I keep getting a command window popup saying that SDFix can't find a certain .txt file. I just want to uninstall it.

Thanks.
 
Let's see if I can fix Safe Mode

Download and run SafeBootKeyRepair-CF from:

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
or
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

It will take only a moment for it to run.
A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply.



I can remove SDFix, just need to see a new HijackThis log



As for this folder

C:\Windows\system32\drivers\disdn

That is legitimate


So can I see the Safe Boot Repair log and a new HijackThis log and tell me of any problems you are having
 
Thanks again for helping me with this....

Here is my Safeboot....


Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC


----------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32, on 2008-05-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\AdventNet\WebNMS\apache\bin\Apache.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.mot.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.mot.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwgate0.mot.com:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mot.com;*.gi.com;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (file missing)
O3 - Toolbar: RSAToolbar - {749F8452-7D28-4658-A903-9B047E5A2CE8} - C:\Program Files\RSA Security\IE Toolbar\RSAToolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CSCAdvantage] "C:\Program Files\Help Desk\CSCAdv.exe" /s
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CSCLogonInfo] C:\WINDOWS\UsrLogon.exe
O4 - HKLM\..\Run: [SupportSoft_Amer_Motorola] "C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtcmd.exe" /P SupportSoft_Amer_Motorola
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [URLy Warning] "C:\Program Files\URLy Warning\URLyWarning.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-863651691-3918403040-59684098-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'sdm')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.motorola.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ds.mot.com
O17 - HKLM\Software\..\Telephony: DomainName = ds.mot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ds.mot.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.mot.com,e1.bcs.mot.com,gic.gi.com,w1.bcs.mot.com,gi.com,corp.mot.com,ds.mot.com,mot.com,sps.mot.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ds.mot.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = am.mot.com,e1.bcs.mot.com,gic.gi.com,w1.bcs.mot.com,gi.com,corp.mot.com,ds.mot.com,mot.com,sps.mot.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.mot.com,e1.bcs.mot.com,gic.gi.com,w1.bcs.mot.com,gi.com,corp.mot.com,ds.mot.com,mot.com,sps.mot.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ApacheForSDM - Apache Software Foundation - C:\AdventNet\WebNMS\apache\bin\Apache.exe
O23 - Service: Adaptive Server Anywhere - WebNmsDB (ASANYs_WebNmsDB) - iAnywhere Solutions, Inc. - C:\Sybase\SQL Anywhere 9\win32\dbsrv9.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Motorola SDM (SDM Service) - Unknown owner - C:\WINDOWS\JavaService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SupportSoft Sprocket Service (supportsoft_amer_motorola) (sprtsvc_supportsoft_amer_motorola) - SupportSoft, Inc. - C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SupportSoft Repair Service (supportsoft_amer_motorola) (tgsrvc_supportsoft_amer_motorola) - SupportSoft, Inc. - C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 11535 bytes
 
Fix this entry in HijackThis

O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second


Then delete the folder C:\SDFix if it is there


Then tell me how your PC is running
 
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 