Virtumonde has taken over!

caddy

New member
I cannot download Kaspersky or successfully run HijackThis. I have renamed HJT, yet each time it completes a scan it closes due to an error from gebba.dll. HELP PLEASE!
 
Hello caddy :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
 
Thank you, Rip_chain. I appreciate the reply. I ran DSS as directed and posted both text files. I should also mention that in desperation I previously ran ComboFix. This removed a handful of files and allowed me to then run HJT. I will post those logs as well.
caddy
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-02-14 22:53:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:14 PM, on 2/14/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\explorer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 3288 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080214-204305-235 O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
backup-20080214-204305-240 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
backup-20080214-204305-267 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080214-204305-445 O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
backup-20080214-204305-534 O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
backup-20080214-204305-631 O4 - HKLM\..\Run: [DadApp] C:\WINNT\SYSTEM32\Drivers\dadapp.exe
backup-20080214-204305-733 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080214-204305-924 O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
backup-20080214-204305-927 O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
backup-20080214-204305-933 O4 - HKLM\..\RunOnce: [SpybotDeletingA1399] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
backup-20080214-204925-104 O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
backup-20080214-204925-106 O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
backup-20080214-204925-118 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
backup-20080214-204925-131 O4 - HKLM\..\RunOnce: [SpybotDeletingA1399] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
backup-20080214-204925-297 O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
backup-20080214-204925-536 O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
backup-20080214-204925-582 O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
backup-20080214-204925-629 O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
backup-20080214-204925-665 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
backup-20080214-204925-696 O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
backup-20080214-204925-777 O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
backup-20080214-204925-842 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20080214-204925-845 O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
backup-20080214-204925-873 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
backup-20080214-204925-898 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
backup-20080214-204925-932 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080214-221805-264 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20080214-221827-168 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
backup-20080214-221919-129 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
backup-20080214-223720-218 O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...ota.com/vehicles/2007/fjcruiser/features.html
backup-20080214-223721-117 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
backup-20080214-223721-408 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_07) -
backup-20080214-223721-430 O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
backup-20080214-223721-521 O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c18.cab
backup-20080214-223721-546 O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
backup-20080214-223721-879 O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
backup-20080214-223812-591 O20 - Winlogon Notify: ydtlxwbz - ydtlxwbz.dll (file missing)
backup-20080214-223849-253 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
backup-20080214-223850-395 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20080214-223850-503 O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
backup-20080214-223850-720 O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
backup-20080214-223850-932 O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
backup-20080214-223955-685 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
backup-20080214-223955-750 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
backup-20080214-223955-767 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
backup-20080214-223955-828 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.js - JSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,3
.js - JSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
.vbs - VBSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,2
.vbs - VBSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
.vbs - VBSFile - shell\edit\command - C:\WINNT\System32\Notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 ApfiltrService (Alps Touch Pad Filter Driver for Windows 2000/XP) - c:\winnt\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP>
3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
3 cs429x (Crystal WDM Audio Codec Driver) - c:\winnt\system32\drivers\cwawdm.sys <Not Verified; Cirrus Logic, Inc.; Crystal AC9x WDM Driver>
1 Dlc (DLC Protocol) - c:\winnt\system32\drivers\dlc.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
3 EL90BC (3Com EtherLink XL B/C Adapter Driver) - c:\winnt\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
3 EL90Xbc (3Com 3C90X-BC Family PCI EtherLink Adapter) - c:\winnt\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
0 fasttrak - c:\winnt\system32\drivers\fasttrak.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Family Driver>
3 ichaud (Service for AC'97 Driver (WDM)) - c:\winnt\system32\drivers\ichaud.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
3 MPE (BDA MPE Filter) - c:\winnt\system32\drivers\mpe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
0 mraid2k - c:\winnt\system32\drivers\mraid2k.sys <Not Verified; American Megatrends, Inc.; MegaRAID Miniport Driver for Windows 2000>
3 Ptserial (W2K Pctel Serial Device Driver) - c:\winnt\system32\drivers\ptserial.sys <Not Verified; PCTEL, INC.; HSP Modem Serial Device>
3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\winnt\system32\drivers\rootmdm.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
0 Vmodem (W2k Vmodem) - c:\winnt\system32\drivers\vmodem.sys <Not Verified; PCTEL, INC.; HSP Modem Modem Device>
0 Vpctcom (W2k Vpctcom) - c:\winnt\system32\drivers\vpctcom.sys <Not Verified; PCtel, Inc.; HSP Modem Virtual Control Device>
0 Vvoice (W2k Vvoice) - c:\winnt\system32\drivers\vvoice.sys <Not Verified; PCtel, Inc.; PCTEL HSP Modem Voice Device>
3 wldel48 (TrueMobile 1150 Series Driver) - c:\winnt\system32\drivers\wldel48.sys <Not Verified; Dell; TrueMobile 1150 Series Card>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 SiSWLSvc (SiS WirelessLan Service) - c:\program files\802.11 wireless lan\802.11g pen size wireless usb 2.0 adapter hw.32 v1.10\siswlsvc.exe
2 WinMgmt (Windows Management Instrumentation) - c:\winnt\system32\wbem\winmgmt.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Files created between 2008-01-14 and 2008-02-14 -----------------------------

2008-02-14 22:21:36 68096 --a------ C:\WINNT\System32\zip.exe
2008-02-14 22:21:36 98816 --a------ C:\WINNT\System32\sed.exe
2008-02-14 22:21:36 80412 --a------ C:\WINNT\System32\grep.exe
2008-02-14 22:21:36 73728 --a------ C:\WINNT\System32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-14 17:40:19 0 d-------- C:\Program Files\Trend Micro
2008-02-13 12:45:26 29072 --a------ C:\WINNT\System32\drivers\disk.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-02-11 08:40:15 0 d-------- C:\Program Files\Yahoo!
2008-02-10 20:05:16 11520 --a------ C:\WINNT\System32\osvkcyi.exe
2008-02-10 20:05:13 1635 --a------ C:\WINNT\System32\mlhozdm.exe
2008-02-10 16:28:26 691545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28:26 3453 --a------ C:\WINNT\unins000.dat
2008-02-09 13:50:11 0 -ra------ C:\WINNT\System32\TFTP312
2008-02-02 13:28:41 0 d-------- C:\Program Files\OLYMPUS
2008-01-22 19:13:32 0 -ra------ C:\WINNT\System32\TFTP1236
2008-01-21 17:54:19 19728 -ra------ C:\WINNT\System32\TFTP916 <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-01-17 19:00:32 0 -ra------ C:\WINNT\System32\TFTP1104
2008-01-14 18:18:48 0 -ra------ C:\WINNT\System32\TFTP1352
2008-01-14 18:16:25 0 -ra------ C:\WINNT\System32\TFTP1312
2008-01-14 18:09:17 0 -ra------ C:\WINNT\System32\TFTP572
2008-01-14 18:05:18 0 -ra------ C:\WINNT\System32\TFTP500
2008-01-14 17:57:57 0 -ra------ C:\WINNT\System32\TFTP556


-- Find3M Report ---------------------------------------------------------------

2008-02-14 22:39:03 0 d-------- C:\Program Files\SpywareGuard
2008-02-14 20:34:07 0 d-------- C:\Program Files\WinZip Self-Extractor
2008-02-14 20:34:06 0 d-a------ C:\Program Files\ewido anti-malware
2008-02-14 20:28:36 0 d-------- C:\Program Files\Common Files\Real
2008-02-14 20:27:47 0 d-a------ C:\Program Files\Common Files
2008-02-14 20:25:46 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-02-14 20:23:32 0 d-------- C:\Program Files\Network Associates
2008-02-14 20:20:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-01-07 16:12:51 0 d-a------ C:\Program Files\Modem Helper


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [05/08/01 04:00a C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 4:05:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [10/11/2006 8:42:40 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS



-- End of Deckard's System Scanner: finished at 2008-02-14 22:53:38 ------------
 
extra logfile

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 49%
Physical Memory (total/avail): 255.43 MiB / 130.08 MiB
Pagefile Memory (total/avail): 615.39 MiB / 500.74 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1980.7 MiB

C: is Fixed (NTFS) - 27.95 GiB total, 14.09 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)
F: is CDROM (No Media)


-- Security Center -------------------------------------------------------------



-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D9M5WQ11
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
LOGONSERVER=\\D9M5WQ11
MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft Visual Studio\Common\Tools;C:\Program Files\Microsoft Visual Studio\VC98\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=D9M5WQ11
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{836612F0-1571-4C65-A4B7-58A39AA578EE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D524239C-FD5C-4183-A49C-7930915A9C0A}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAAC5938-8026-4D0C-A476-D1954917B7F5}\SETUP.EXE" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD2D9012-E5A1-4717-8EE9-8DB3F36E2F8C}\setup.exe" -l0x9 /remove
802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BDC88E5A-F47B-4314-AB38-994592E32C95}
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Creative Jukebox Driver --> C:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x9 /remove
Creative Removable Disk Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Micro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D944236D-7992-41D6-8257-930B5832F1CC}\SETUP.EXE" -l0x9 /remove
Dell AccessDirect --> C:\WINNT\IsUninst.exe -f"C:\Program Files\DELL\AccessDirect\Uninst.isu" -c"C:\WINNT\SYSTEM32\Drivers\Uninst.dll
DiMAGE Master Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D312E40B-1C59-4823-AB48-6798D85ABBE4}\Setup.exe" -l0x9 anything
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel SpeedStep technology Applet --> C:\WINNT\IsUninst.exe -f"C:\WINNT\System32\Intel(R) SpeedStep(TM) technology Applet.isu"
InterVideo WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Microsoft FrontPage 2000 --> MsiExec.exe /I{00120409-78E1-11D2-B60F-006097C998E7}
Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINNT\System32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual Studio 6.0 Professional Edition --> "C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINNT\INF\wpie3x86.inf,WebPostUninstall
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" ControlPanel
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINNT\System32\nvinstnt.dll,NvUninstallNT4 nvdm.inf
PCTEL 2304WT V.92 MDC Modem Drivers --> ptuninst.exe
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\System32\QuickTime\Uninstall.log
Serif PhotoPlus 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0609D0AF-1382-42BE-81DB-CF30F8B0F6E2}\Setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINNT\unins000.exe"
SpywareBlaster v3.2 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
TrueMobile 1150 Client Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0F8B60-6C6A-11D4-9630-0060B0FBF2F6}\setup.exe"
User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
Windows 2000 Application Compatibility Update --> C:\WINNT\AppPatch\wuinst.exe -u
Windows 2000 Security Rollup Package [See Q311401 for more information] --> C:\WINNT\$NtUninstallSP2SRP1$\spuninst\spuninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2201 / Warning
Event Submitted/Written: 02/14/2008 07:49:05 PM
Event ID/Source: 4104 / COM+
Event Description:
The CRM log file was originally created on a computer with a different name. It has been updated with the name of the current computer. If this warning appears when the computer name has been changed then no further action is required.
DJ66FD11
Server Application ID: {02D4B3F1-FD88-11D1-960D-00805FC79235}
Server Application Name: System Application

Event Record #/Type2180 / Error
Event Submitted/Written: 02/13/2008 09:59:24 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.

Event Record #/Type2179 / Error
Event Submitted/Written: 02/13/2008 09:37:53 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.

Event Record #/Type2178 / Error
Event Submitted/Written: 02/13/2008 09:15:56 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.

Event Record #/Type2177 / Error
Event Submitted/Written: 02/13/2008 08:54:30 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
Alert Manager Event Interface: Alert Manager Event Interface unable to send alert to \\lancerweb\pipe\AlertManager. Error returned = The network path was not found.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27203 / Error
Event Submitted/Written: 02/14/2008 10:53:38 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type27202 / Error
Event Submitted/Written: 02/14/2008 10:53:23 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type27201 / Error
Event Submitted/Written: 02/14/2008 10:53:23 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type27200 / Error
Event Submitted/Written: 02/14/2008 10:53:20 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type27199 / Error
Event Submitted/Written: 02/14/2008 10:53:10 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%WinMgmt" attempting to start the service WinMgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}



-- End of Deckard's System Scanner: finished at 2008-02-14 22:53:38 ------------
 
HJT logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:39 PM, on 2/14/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\explorer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.odu.edu/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 3284 bytes
 
combofix logfile

ComboFix 08-02-15.1 - Administrator 02/14/2008 22:22:21.1 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\gebba.dll
C:\WINNT\system32\wvusqpn.dll
C:\Program Files\delfin
C:\WINNT\fsg_4203.exe
C:\WINNT\SYSTEM32\abbeg.ini
C:\WINNT\SYSTEM32\abbeg.ini2
C:\WINNT\system32\bpkwb.dll
C:\WINNT\system32\bwpfabuq.dll
C:\WINNT\system32\ddmp.dll
C:\WINNT\system32\drivers\Browse.exe
C:\WINNT\system32\drivers\dadtray.exe
C:\WINNT\system32\drivers\OnScDisp.exe
C:\WINNT\system32\gebba.dll
C:\WINNT\system32\iedriver.exexplore.exe
C:\WINNT\system32\johnwb.dll
C:\WINNT\system32\jslvwdta.dll
C:\WINNT\system32\redirect.dll
C:\WINNT\system32\rhysepyw.dll
C:\WINNT\SYSTEM32\stetgkjv.ini
C:\WINNT\system32\systemwb.dll
C:\WINNT\system32\sysu.exe
C:\WINNT\system32\tcpservice2.exe
C:\WINNT\system32\vjkgtets.dll
C:\WINNT\system32\wvusqpn.dll
C:\WINNT\system32\xdeffrkp.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 17:40 . 08-02-14 17:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:45 . 01-05-04 12:05 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
2008-02-11 08:40 . 08-02-12 08:38 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 20:05 . 08-02-10 20:05 11,520 --a------ C:\WINNT\SYSTEM32\osvkcyi.exe
2008-02-10 20:05 . 08-02-10 20:05 1,635 --a------ C:\WINNT\SYSTEM32\mlhozdm.exe
2008-02-10 16:28 . 08-02-10 15:59 691,545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28 . 08-02-10 16:28 3,453 --a------ C:\WINNT\unins000.dat
2008-02-09 13:50 . 08-02-09 13:50 0 -ra------ C:\WINNT\SYSTEM32\TFTP312
2008-02-02 13:28 . 08-02-02 13:28 <DIR> d-------- C:\Program Files\OLYMPUS
2008-01-22 19:13 . 08-01-22 19:13 0 -ra------ C:\WINNT\SYSTEM32\TFTP1236
2008-01-21 17:54 . 08-01-21 17:54 19,728 -ra------ C:\WINNT\SYSTEM32\TFTP916
2008-01-17 19:00 . 08-01-17 19:00 0 -ra------ C:\WINNT\SYSTEM32\TFTP1104

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-11 05:29 --------- d-----w C:\Program Files\SpywareGuard
2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83DC91DB-7896-43E3-B34D-A7D043F16BB1}]
04-08-16 11:44 59904 --a------ C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7EF827-47CC-48EB-B570-C367F1E1277E}]
04-08-12 11:13 38400 --a------ C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [01-05-08 04:00 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ydtlxwbz]
ydtlxwbz.dll


*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 22:28:39
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-02-14 22:30:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 06:30:22
 
Hello caddy :)

  • Open HiJackThis
  • Click on "View the list of Backups"
  • Place a check mark next to everything in that window
  • Click Restore
  • Click Yes
  • Reboot your computer

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINNT\SYSTEM32\osvkcyi.exe
C:\WINNT\SYSTEM32\mlhozdm.exe
Folder::
C:\Documents and Settings\All Users\Application Data\x1ff
C:\Documents and Settings\All Users\Application Data\RDSA
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83DC91DB-7896-43E3-B34D-A7D043F16BB1}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ydtlxwbz]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE7EF827-47CC-48EB-B570-C367F1E1277E}]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
ComboFix 08-02-15.1 - Administrator 02/15/2008 17:00:37.2 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINNT\SYSTEM32\mlhozdm.exe
C:\WINNT\SYSTEM32\osvkcyi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\RDSA
C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.cfg
C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
C:\Documents and Settings\All Users\Application Data\RDSA\RDSA.x2f
C:\Documents and Settings\All Users\Application Data\x1ff
C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.cfg
C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
C:\Documents and Settings\All Users\Application Data\x1ff\X1FF0.dll
C:\Documents and Settings\All Users\Application Data\x1ff\xcf01467.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf11875.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf13534.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf25561.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf70936.new
C:\Documents and Settings\All Users\Application Data\x1ff\xcf85250.new
C:\Documents and Settings\All Users\Application Data\x1ff\xde79220.exe
C:\Documents and Settings\All Users\Application Data\x1ff\xde85250.exe
C:\Documents and Settings\All Users\Application Data\x1ff\xdl85250.new
C:\WINNT\SYSTEM32\mlhozdm.exe
C:\WINNT\SYSTEM32\osvkcyi.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-14 23:21 . 02/15/08 04:35p 701,602 ---h----- C:\WINNT\ShellIconCache
2008-02-14 22:52 . 02/14/08 10:52p <DIR> d-------- C:\Deckard
2008-02-14 17:40 . 02/14/08 05:40p <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:45 . 05/04/01 12:05p 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
2008-02-11 08:40 . 02/12/08 08:38a <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 16:28 . 02/10/08 03:59p 691,545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28 . 02/10/08 04:28p 3,453 --a------ C:\WINNT\unins000.dat
2008-02-09 13:50 . 02/09/08 01:50p 0 -ra------ C:\WINNT\SYSTEM32\TFTP312
2008-02-02 13:28 . 02/02/08 01:28p <DIR> d-------- C:\Program Files\OLYMPUS
2008-01-22 19:13 . 01/22/08 07:13p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1236
2008-01-21 17:54 . 01/21/08 05:54p 19,728 -ra------ C:\WINNT\SYSTEM32\TFTP916
2008-01-17 19:00 . 01/17/08 07:00p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1104

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 00:49 --------- d-----w C:\Program Files\SpywareGuard
2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [05/08/01 04:00a 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 17:02:13
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 02/15/2008 17:02:59
ComboFix-quarantined-files.txt 2008-02-16 01:02:39
ComboFix2.txt 2008-02-15 06:30:38
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:01 PM, on 2/15/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\pctspk.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\EXPLORER.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 4652 bytes
 
Hello caddy :)

Using Add or Remove Programs, remove the following entries (if present). (To get into Add or Remove Programs, press the START button > Control Panel > Add or Remove Programs.)

SpyKiller

A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
    O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
    O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')



  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINNT\SYSTEM32\gebba.dll
Folder::
C:\Program Files\SpyKiller

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]



6. After reboot (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix, then post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
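The items the helper picks out of the HijackThis log above fall into a few recognisable patterns: RunOnce entries that are only a cleaner's deferred `del` stub for a file that is already gone, a service whose binary is reported `(file missing)`, an IE setting reset to about:blank, and autostart entries that still point at a program being removed. The script below is an added example, not HijackThis's or the helper's code, that parses HJT v2 lines and flags exactly those patterns so the same triage can be repeated on a fresh log. The sample lines are constructed from the entries quoted in this thread, and the `unwanted_markers` argument (here `SpyKiller`, which the helper asked to uninstall) is an assumed input supplied by the reviewer, not something HJT emits.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HJT's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: HijackThis-format lines modelled on the log quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)
"""


@dataclass
class Entry:
    section: str  # HJT section code, e.g. "O4", "O23", "R1"
    body: str     # everything after "O4 - "


@dataset_placeholder = None  # (removed below; see Finding)
```
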
 
combofix logfile

ComboFix 08-02-15.1 - Administrator 02/16/2008 13:27:40.3 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINNT\SYSTEM32\gebba.dll
.

((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-15 18:14 . 02/15/08 06:14p 29,456 -ra------ C:\WINNT\SYSTEM32\TFTP444
2008-02-14 23:21 . 02/15/08 11:28p 701,574 ---h----- C:\WINNT\ShellIconCache
2008-02-14 22:52 . 02/14/08 10:52p <DIR> d-------- C:\Deckard
2008-02-14 17:40 . 02/14/08 05:40p <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:45 . 05/04/01 12:05p 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
2008-02-11 08:40 . 02/12/08 08:38a <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 16:28 . 02/10/08 03:59p 691,545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28 . 02/10/08 04:28p 3,453 --a------ C:\WINNT\unins000.dat
2008-02-09 13:50 . 02/09/08 01:50p 0 -ra------ C:\WINNT\SYSTEM32\TFTP312
2008-02-02 13:28 . 02/02/08 01:28p <DIR> d-------- C:\Program Files\OLYMPUS
2008-01-22 19:13 . 01/22/08 07:13p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1236
2008-01-21 17:54 . 01/21/08 05:54p 19,728 -ra------ C:\WINNT\SYSTEM32\TFTP916
2008-01-17 19:00 . 01/17/08 07:00p 0 -ra------ C:\WINNT\SYSTEM32\TFTP1104

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 00:49 --------- d-----w C:\Program Files\SpywareGuard
2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [05/08/01 04:00a 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 13:28:59
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 02/16/2008 13:29:49
ComboFix-quarantined-files.txt 2008-02-16 21:29:28
ComboFix2.txt 2008-02-16 01:03:00
ComboFix3.txt 2008-02-15 06:30:38
 
HJT logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:50 PM, on 2/16/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 4387 bytes
 
Hello caddy :)

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
 
DrWeb log

gr_Administrator.current;C:\Documents and Settings\Administrator\Application Data\Kazaa Lite\db;Modification of Trojan.BombScript.2;Moved.;
gr_Administrator.previous;C:\Documents and Settings\Administrator\Application Data\Kazaa Lite\db;Modification of Trojan.BombScript.2;Moved.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\smitRem;Tool.Prockill;Moved.;
pv.exe;C:\Documents and Settings\Administrator\Desktop\smitRem;Program.PrcView.3741;Moved.;
Process.exe;C:\Program Files\Mozilla Firefox\smitRem;Tool.Prockill;Moved.;
pv.exe;C:\Program Files\Mozilla Firefox\smitRem;Program.PrcView.3741;Moved.;
rdsa.dll.vir;C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\RDSA;Adware.Rivad;Moved.;
x1ff.dll.vir;C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\x1ff;Adware.RiverSoft;Moved.;
bwpfabuq.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.269;Deleted.;
jslvwdta.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.269;Deleted.;
rhysepyw.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.260;Deleted.;
xdeffrkp.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.260;Deleted.;
Buddy.exe;C:\WINNT;Trojan.Bispy;Incurable.Moved.;
dsktrf.dll;C:\WINNT\SYSTEM32;Adware.ILookup.origin;Moved.;
TFTP444;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;


Thanks again for the help, Rip_Chain. Here is the Dr.Web log file. However, I was unable to perform the Panda scan because my browser is incompatible. Should I download IE 5.0 and run the scan?
Take care
Caddy
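The Dr.Web CureIt report above is one detection per line, semicolon-separated: file name, directory, threat name, action taken, with a trailing semicolon. The following is an added example, not code from the thread or from Dr.Web, that parses that format and separates hits that were already sitting in a quarantine or helper-tool folder (ComboFix's C:\QooBox, the smitRem folder, samples renamed to .vir) from hits found live on the system, and then picks out the live ones under the Windows directory, since those are the files whose loading points to look for next in the HijackThis log. The sample lines are copied from the report above; the list of "already contained" folders and the C:\WINNT default are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lines copied from the Dr.Web CureIt report posted above (constructed input for this example).
SAMPLE_REPORT = r"""gr_Administrator.current;C:\Documents and Settings\Administrator\Application Data\Kazaa Lite\db;Modification of Trojan.BombScript.2;Moved.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\smitRem;Tool.Prockill;Moved.;
rdsa.dll.vir;C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\RDSA;Adware.Rivad;Moved.;
bwpfabuq.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.269;Deleted.;
Buddy.exe;C:\WINNT;Trojan.Bispy;Incurable.Moved.;
dsktrf.dll;C:\WINNT\SYSTEM32;Adware.ILookup.origin;Moved.;
TFTP444;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
"""

# Folders whose contents are already neutralised or are helper tools rather than an
# active infection (assumption for this example): ComboFix's QooBox quarantine and the
# smitRem tool folder. Quarantined samples are also recognisable by their .vir suffix.
ALREADY_CONTAINED = ("\\QooBox\\Quarantine\\", "\\smitRem")


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_drweb_report(text: str) -> List[Detection]:
    """Parse Dr.Web CureIt's report format: name;directory;threat;action; (trailing ';')."""
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected report line: {raw!r}")
        # Should a field ever contain ';', keep the remainder together in the action column.
        detections.append(Detection(fields[0], fields[1], fields[2], ";".join(fields[3:])))
    return detections


def is_contained(det: Detection) -> bool:
    """True when the hit was already in a quarantine/tool folder or is a renamed (.vir) sample."""
    directory = det.directory.upper()
    if any(marker.upper() in directory for marker in ALREADY_CONTAINED):
        return True
    return det.name.lower().endswith(".vir")


def triage(detections: List[Detection]) -> Tuple[List[Detection], List[Detection], Dict[str, int]]:
    """Split hits into live vs already-contained and count the actions Dr.Web took."""
    live = [d for d in detections if not is_contained(d)]
    contained = [d for d in detections if is_contained(d)]
    actions: Dict[str, int] = {}
    for d in detections:
        actions[d.action] = actions.get(d.action, 0) + 1
    return live, contained, actions


def windir_hits(detections: List[Detection], windir: str = "C:\\WINNT") -> List[Detection]:
    """Live hits inside the Windows directory: their loading points (Run keys, BHOs,
    services) are what to look for next in the HijackThis log."""
    prefix = windir.upper().rstrip("\\") + "\\"
    return [d for d in detections
            if not is_contained(d) and (d.directory.upper() + "\\").startswith(prefix)]


if __name__ == "__main__":
    dets = parse_drweb_report(SAMPLE_REPORT)
    live, contained, actions = triage(dets)
    print(f"{len(dets)} detections, {len(live)} live, {len(contained)} already contained")
    for action, count in sorted(actions.items()):
        print(f"  {action:<18} {count}")
    for d in windir_hits(dets):
        print("needs follow-up:", d.path, "->", d.threat, d.action)
```

On the sample, four of the seven hits are live and three of those are under C:\WINNT; the QooBox entries are ComboFix's earlier quarantine being re-scanned, not a re-infection.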
 
Hello caddy :)

Should I download IE 5.0 and run the scan?
No, we'll do something else instead :)

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe
 
HJT logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:32 PM, on 2/20/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 4329 bytes
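HijackThis logs are line-oriented: every entry is a section code (R0, R1, O2, O4, O17, O23 ...) followed by " - " and the entry body, so two logs from the same machine can be compared as sets of entries. Below is an added example, not code from the thread or from Trend Micro, that parses excerpts of the 16 Feb and 20 Feb logs above, reports what changed between them (the per-adapter O17 NameServer line is gone, an R1 Default_Page_URL line appeared) and applies three triage rules that only flag entries for manual review: a service whose binary is missing, a RunOnce entry that still tries to delete a DLL from System32 (the leftover Spybot entries for gebba.dll), and a NameServer override. The rule names, regular expressions and the choice of rules are this example's own.

```python
import re
from typing import List, Tuple

# Excerpts of the two HijackThis logs posted above (16 Feb and 20 Feb); constructed input.
LOG_FEB16 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)
"""

LOG_FEB20 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)
"""

Entry = Tuple[str, str]  # (section code such as "O4", entry body)

# "O4 - <body>": a section code, " - ", then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s+-\s+(?P<body>.+)$")

# cmd /c del (or command /c del) of a DLL under the Windows System32 folder.
SYSTEM32_DLL_DELETE = re.compile(
    r'(?i)\b(?:cmd|command)\s+/c\s+del\s+"?[A-Z]:\\(?:WINNT|WINDOWS)\\SYSTEM32\\[^"\s\\]+\.dll"?')


def parse_hjt(text: str) -> List[Entry]:
    """Return (code, body) for every HijackThis entry line; headers and process lists are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def diff_logs(old: str, new: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries present in the earlier log but not the later one, and vice versa."""
    old_set, new_set = set(parse_hjt(old)), set(parse_hjt(new))
    return sorted(old_set - new_set), sorted(new_set - old_set)


def flag_entries(text: str) -> List[Tuple[str, str]]:
    """Apply the example's triage rules to one log; each hit is (rule name, entry body)."""
    hits: List[Tuple[str, str]] = []
    for code, body in parse_hjt(text):
        if code == "O23" and body.endswith("(file missing)"):
            hits.append(("service-file-missing", body))
        elif code == "O4" and "RunOnce" in body and SYSTEM32_DLL_DELETE.search(body):
            # A RunOnce that survives reboots is one that keeps failing: the DLL is either
            # still loaded when the delete runs or already gone. Either way the entry is stale.
            hits.append(("runonce-del-system32-dll", body))
        elif code == "O17" and "NameServer" in body:
            hits.append(("custom-nameserver", body))
    return hits


if __name__ == "__main__":
    removed, added = diff_logs(LOG_FEB16, LOG_FEB20)
    for code, body in removed:
        print("gone since 16 Feb:", code, body)
    for code, body in added:
        print("new on 20 Feb:    ", code, body)
    for rule, body in flag_entries(LOG_FEB20):
        print(f"[{rule}] {body}")
```

The diff is deliberately order-insensitive: HijackThis prints entries in a fixed section order, but the same Run key can appear twice (once as HKCU, once as the HKUS\SID form, as in the logs above), so comparing sets avoids false "changes" from reordering.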
 
SDFix report

SDFix: Version 1.144

Run by Administrator on Wed 02/20/2008 at 1:20p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

Trojan Files Found:

C:\OK.TMP - Deleted
C:\OK.TMP - Deleted
C:\WINNT\system32\TFTP1104 - Deleted
C:\WINNT\system32\TFTP1236 - Deleted
C:\WINNT\system32\TFTP1312 - Deleted
C:\WINNT\system32\TFTP1352 - Deleted
C:\WINNT\system32\TFTP312 - Deleted
C:\WINNT\system32\TFTP444 - Deleted
C:\WINNT\system32\TFTP500 - Deleted
C:\WINNT\system32\TFTP556 - Deleted
C:\WINNT\system32\TFTP572 - Deleted
C:\WINNT\system32\TFTP892 - Deleted
C:\WINNT\system32\TFTP916 - Deleted
C:\WINNT\system32\o - Deleted





Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 13:23:40
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Remaining Files:


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 26 Jun 2007 5,375,800 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 5 Mar 2006 0 A.SH. --- "C:\WINNT\SYSTEM32\wupdmgr.tmp"
Wed 4 Sep 2002 20,992 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0001.tmp"
Fri 23 Jun 2006 56,832 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0002.tmp"
Thu 20 Oct 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0136.tmp"
Mon 3 Oct 2005 22,016 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1280.tmp"
Wed 26 Jan 2005 22,528 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1407.tmp"
Thu 6 Oct 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1428.tmp"
Wed 19 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1839.tmp"
Fri 21 Oct 2005 52,224 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1925.tmp"
Thu 20 Oct 2005 49,152 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2316.tmp"
Tue 4 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2326.tmp"
Wed 26 Jan 2005 22,528 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2579.tmp"
Fri 21 Oct 2005 50,176 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2856.tmp"
Wed 23 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2960.tmp"
Fri 21 Oct 2005 50,176 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2976.tmp"
Fri 21 Oct 2005 53,248 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3006.tmp"
Fri 21 Oct 2005 50,176 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3069.tmp"
Mon 26 Jun 2006 22,016 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3097.tmp"
Mon 23 Apr 2007 25,088 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3149.tmp"
Mon 26 Jun 2006 22,016 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3249.tmp"
Fri 21 Oct 2005 53,760 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3367.tmp"
Mon 3 May 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 14 Feb 2003 43,520 ...H. --- "C:\Program Files\Qualcomm\Eudora\attach\~WRL3439.tmp"
Sat 24 Jun 2006 22,528 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0002.tmp"
Tue 4 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 23 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0004.tmp"
Wed 26 Mar 2003 44,032 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0005.tmp"
Tue 26 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0006.tmp"
Tue 4 Oct 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0007.tmp"
Thu 20 Oct 2005 25,088 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0008.tmp"
Fri 21 Oct 2005 52,736 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0009.tmp"
Thu 5 Jan 2006 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0010.tmp"
Sat 24 Jun 2006 22,528 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0011.tmp"
Fri 21 Oct 2005 50,176 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0020.tmp"
Sun 8 Jan 2006 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0024.tmp"
Fri 21 Oct 2005 52,224 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0071.tmp"
Wed 13 Feb 2008 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0140.tmp"
Fri 21 Oct 2005 54,272 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0198.tmp"
Fri 21 Oct 2005 56,320 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0237.tmp"
Thu 6 Oct 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0244.tmp"
Thu 24 Mar 2005 22,528 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0294.tmp"
Wed 23 Mar 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0295.tmp"
Tue 25 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0320.tmp"
Fri 21 Oct 2005 54,272 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0343.tmp"
Wed 26 Jan 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0379.tmp"
Tue 26 Apr 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0410.tmp"
Tue 4 Oct 2005 24,576 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0422.tmp"
Fri 21 Oct 2005 49,664 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0474.tmp"
Fri 21 Oct 2005 55,296 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0624.tmp"
Wed 26 Jan 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0647.tmp"
Thu 24 Mar 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0671.tmp"
Tue 26 Apr 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0675.tmp"
Tue 26 Apr 2005 28,160 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0689.tmp"
Tue 25 Jan 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0698.tmp"
Mon 27 Aug 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0812.tmp"
Fri 21 Oct 2005 57,344 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0861.tmp"
Wed 26 Jan 2005 20,480 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0869.tmp"
Wed 23 Mar 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0882.tmp"
Wed 23 Mar 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0921.tmp"
Thu 20 Oct 2005 24,576 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0935.tmp"
Tue 26 Apr 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0969.tmp"
Tue 4 Oct 2005 25,088 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0974.tmp"
Fri 6 Apr 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0998.tmp"
Wed 23 Mar 2005 22,016 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1095.tmp"
Fri 6 Apr 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1103.tmp"
Wed 26 Jan 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1106.tmp"
Thu 6 Oct 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1178.tmp"
Wed 26 Mar 2003 45,056 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1194.tmp"
Thu 20 Oct 2005 25,088 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1215.tmp"
Tue 25 Jan 2005 20,480 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1290.tmp"
Tue 25 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1326.tmp"
Fri 21 Oct 2005 56,320 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1328.tmp"
Wed 26 Mar 2003 45,056 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1354.tmp"
Fri 21 Oct 2005 53,248 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1403.tmp"
Wed 23 Mar 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1429.tmp"
Sun 8 Jan 2006 20,480 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1438.tmp"
Sun 8 Jan 2006 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1466.tmp"
Tue 26 Apr 2005 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1478.tmp"
Wed 26 Mar 2003 45,056 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1586.tmp"
Fri 21 Oct 2005 52,224 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1667.tmp"
Fri 21 Oct 2005 52,224 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1675.tmp"
Mon 27 Aug 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1733.tmp"
Fri 21 Oct 2005 53,248 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1765.tmp"
Fri 21 Oct 2005 55,296 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1810.tmp"
Mon 27 Aug 2007 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1833.tmp"
Tue 4 Oct 2005 24,064 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1889.tmp"
Thu 24 Mar 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1936.tmp"
Mon 24 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1939.tmp"
Sun 8 Jan 2006 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2022.tmp"
Tue 4 Oct 2005 25,088 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2046.tmp"
Wed 26 Mar 2003 44,544 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2054.tmp"
Mon 24 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2087.tmp"
Fri 21 Oct 2005 55,808 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2110.tmp"
Tue 26 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2162.tmp"
Tue 26 Apr 2005 22,016 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2194.tmp"
Wed 26 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2212.tmp"
Tue 26 Apr 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2228.tmp"
Thu 20 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2240.tmp"
Fri 21 Oct 2005 56,832 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2251.tmp"
Thu 20 Oct 2005 23,552 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2261.tmp"
Tue 26 Apr 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2309.tmp"
Tue 26 Apr 2005 27,136 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2387.tmp"
Wed 23 Mar 2005 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2443.tmp"
Thu 20 Oct 2005 24,064 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2530.tmp"
Tue 4 Oct 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2613.tmp"
Sun 8 Jan 2006 20,992 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2728.tmp"
Fri 21 Oct 2005 52,736 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2800.tmp"
Sun 8 Jan 2006 19,968 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2862.tmp"
Mon 24 Jan 2005 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2912.tmp"
Thu 6 Oct 2005 21,504 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2985.tmp"
Thu 20 Oct 2005 23,040 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3062.tmp"
Fri 21 Oct 2005 56,320 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3063.tmp"
Tue 26 Apr 2005 27,648 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3069.tmp"
Tue 26 Apr 2005 26,112 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3165.tmp"

Finished!
 
Hello caddy :)

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.


  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
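The O4 entries the helper asks to have fixed all follow the same fixed HijackThis line layout (hive and key, bracketed value name, command line, optional user suffix). As an added example that is not part of this thread or of HijackThis, the Python below parses such lines and flags two things a reviewer looks for: a command that references a watchlisted file, and a RunOnce "cmd /c del" stub left behind by an earlier cleanup attempt. The watchlist contents and the flag wording are my own constructions; the sample lines are the ones quoted from the log above.

```python
import re
from typing import List, Optional

# Registry-backed O4 line as HijackThis prints it, e.g.
#   O4 - HKCU\..\RunOnce: [Name] cmd /c del "C:\x.dll" (User '?')
O4_REG = re.compile(r"^O4 - (?P<key>HK[A-Z]+\\.+?): \[(?P<name>[^\]]*)\] "
                    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
WIN_PATH = re.compile(r"(?i)[a-z]:\\.*?\.(?:exe|dll|ocx|scr|bat|cmd)\b")  # absolute target
DEL_STUB = re.compile(r"(?i)^(?:cmd|command)(?:\.exe)? /c del\b")  # delete-on-logon stub
WATCHLIST = ["gebba.dll"]  # constructed: the file this thread identifies as the infection
SAMPLE_LINES = [  # the O4 lines quoted from the HijackThis log in this thread
    r"O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup",
    r'O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"',
    r'O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"',
    r"O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')",
    r"""O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')""",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe",
]


def parse_o4(line: str) -> Optional[dict]:
    """Split a registry O4 line into key, name, cmd, user; None for Startup-folder lines."""
    m = O4_REG.match(line.strip())
    return m.groupdict() if m else None


def target_of(cmd: str) -> str:
    """File the command launches or acts on: first absolute path, else first token."""
    m = WIN_PATH.search(cmd)
    return m.group(0) if m else cmd.split()[0]


def triage(lines: List[str], watchlist: List[str]) -> List[dict]:
    """Parse every registry O4 line and attach the flags worth a second look."""
    watch = {w.lower() for w in watchlist}
    out = []
    for line in lines:
        e = parse_o4(line)
        if e is None:
            continue
        e["target"] = target_of(e["cmd"])
        e["run_once"] = e["key"].lower().endswith("runonce")
        base = e["target"].rsplit("\\", 1)[-1].lower()
        e["flags"] = []
        if base in watch:
            e["flags"].append(f"references watchlisted file {base}")
        if e["run_once"] and DEL_STUB.match(e["cmd"]):
            e["flags"].append("RunOnce delete stub left by an earlier cleanup")
        out.append(e)
    return out
```

Running `triage(SAMPLE_LINES, WATCHLIST)` flags the three gebba.dll RunOnce entries on both grounds and leaves the SpyKiller and TkBellExe entries unflagged; the Startup-folder line is skipped because it is not a registry entry.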
 
Thanks for the help, Rip_chain. I have posted both logs. Thanks again.

ComboFix 08-02-15.1 - Administrator 02/20/2008 19:35:49.4 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 )))))))))))))))))))))))))))))))
.

2008-02-20 13:18 . 02/20/08 01:18p <DIR> d-------- C:\WINNT\ERUNT
2008-02-20 13:18 . 10/30/01 04:57a 402,192 --a------ C:\WINNT\SYSTEM32\dllcache\user32.dll
2008-02-20 12:59 . 02/20/08 07:35p <DIR> d-------- C:\SDFix
2008-02-18 21:11 . 02/20/08 01:00p 701,856 ---h----- C:\WINNT\ShellIconCache
2008-02-18 21:04 . 02/18/08 09:09p 7,935 --a------ C:\WINNT\Active Setup Log.BAK
2008-02-18 19:38 . 02/18/08 07:42p <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-02-14 22:52 . 02/14/08 10:52p <DIR> d-------- C:\Deckard
2008-02-14 17:40 . 02/14/08 05:40p <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 12:45 . 05/04/01 12:05p 29,072 --a------ C:\WINNT\SYSTEM32\DRIVERS\disk.sys
2008-02-11 08:40 . 02/12/08 08:38a <DIR> d-------- C:\Program Files\Yahoo!
2008-02-10 16:28 . 02/10/08 03:59p 691,545 --a------ C:\WINNT\unins000.exe
2008-02-10 16:28 . 02/10/08 04:28p 3,453 --a------ C:\WINNT\unins000.dat
2008-02-02 13:28 . 02/02/08 01:28p <DIR> d-------- C:\Program Files\OLYMPUS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 00:49 --------- d-----w C:\Program Files\SpywareGuard
2008-02-15 05:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-11 00:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-08 00:12 --------- d---a-w C:\Program Files\Modem Helper
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [05/08/01 04:00a 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 16:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 20:42:40 40960]


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 19:37:05
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 02/20/2008 19:37:56
ComboFix-quarantined-files.txt 2008-02-21 03:37:35
ComboFix2.txt 2008-02-16 21:29:50
ComboFix3.txt 2008-02-16 01:03:00
ComboFix4.txt 2008-02-15 06:30:38
 
HJT logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:53 PM, on 2/20/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-1330325420-1700743666-749098738-500 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User '?')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = longwood.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = longwood.edu
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 3517 bytes
 