Virtumonde infection need help

nagarwa · Sep 29, 2008

Hi, my laptop is infected with virtumonde trojan and I am unable to remove it.

So far I have taken the following steps:

1. Ran Spybot S&D, it detected virtuemonde trojan. I removed it using the 'Fix selected problems'.
2. Rebooted my machine in safe mode, rn Spybot S&D again, saw the virtuemonde trojan and removed it.
3. Rebooted my machine, normal startup ran Spybot S&D and still got virtuemonde trojan.

I have Windows XP sp3 along with IE 7, not sure how I got the trojan on that machine and I need help.

Here is the log from HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:07 PM, on 9/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
O4 - HKLM\..\Run: [BMafdfde53] Rundll32.exe "C:\WINDOWS\system32\cfifoirp.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - AppInit_DLLs: ghpzhj.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\service.exe

--
End of file - 10985 bytes

Please let me know wht do I need to do

Thanks,
Nitin

pskelley · Sep 29, 2008

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. (and that has happened now)
I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

You need to read the directions carefully, HJT is not located where you were instruction to locate it.

C:\downloads\HiJackThis.exe <<< unsafe location

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks

nagarwa · Sep 29, 2008

Hi pskelly, sorry about running the HiJackThis.exe instead of the installer first. I guess I matched exe to exe on the Trend Micro page and downloaded the exe instead of the installer.

I have downloaded the installer from the link you provided, installed it on the infected laptop. Here are the logs after the installation

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:19 PM, on 9/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_13\bin\jusched.exe
O4 - HKLM\..\Run: [BMafdfde53] Rundll32.exe "C:\WINDOWS\system32\cfifoirp.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - AppInit_DLLs: ghpzhj.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\service.exe

--
End of file - 11033 bytes

Once again sorry about the wrong download.

pskelley · Sep 29, 2008

Thanks for returning your HJT log. Please take your time and think about what you do, we are working on your computer.

1) C:\Program Files\Java\jre1.5.0_13 <<< update Java, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks

nagarwa · Sep 30, 2008

Alright, here are the steps I took

1. Removed Java 5 (sdk and JRE).
2. Installed Java 6 version 7.
3. Disabled TT
4. Downloaded combofix from the link you provided, and downloaded the recovery console as well, per the documentation on how to use combofix.
5. ran HJT again.

Here is the log for combofix, log for HJT is below combofix log

ComboFix 08-09-28.01 - Anjali Goyal 2008-09-29 16:09:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511 [GMT -6:00]
Running from: C:\Documents and Settings\Anjali Goyal\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\GetModule
C:\WINDOWS\b152.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\BMafdfde53.txt
C:\WINDOWS\BMafdfde53.xml
C:\WINDOWS\faceback.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\byXQIYRI.dll
C:\WINDOWS\system32\IRYIQXyb.ini
C:\WINDOWS\system32\IRYIQXyb.ini2
C:\WINDOWS\system32\ttkwusen.ini
C:\WINDOWS\system32\vtUmLeEW.dll
C:\WINDOWS\system32\wgkmyplg.ini
C:\WINDOWS\system32\xpwbkmbv.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-29 16:47 . 2008-09-29 16:47 22 --a------ C:\WINDOWS\pskt.ini
2008-09-29 16:47 . 2008-09-29 16:47 0 --a------ C:\WINDOWS\BMafdfde53.xml
2008-09-29 15:16 . 2008-09-29 15:16 <DIR> d-------- C:\Program Files\Sun
2008-09-29 15:16 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-29 14:31 . 2008-09-29 14:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-28 20:01 . 2008-09-28 20:01 128,000 --a------ C:\WINDOWS\system32\vyntqrfm.dll
2008-09-28 20:01 . 2008-09-28 20:01 128,000 --a------ C:\WINDOWS\system32\ghpzhj.dll
2008-09-28 19:58 . 2008-09-28 19:58 71,168 --a------ C:\WINDOWS\system32\glpymkgw.dll
2008-09-28 19:55 . 2008-09-28 19:55 105,984 --a------ C:\WINDOWS\system32\cfifoirp.dll
2008-09-28 15:43 . 2008-09-28 15:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-28 15:43 . 2008-09-28 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 12:16 . 2008-09-28 12:16 <DIR> d-------- C:\Program Files\Twain
2008-09-28 12:11 . 2008-09-28 12:52 <DIR> d-------- C:\Program Files\Webtools
2008-09-28 12:06 . 2008-09-28 12:06 <DIR> d-------- C:\Program Files\Mjcore
2008-09-27 21:17 . 2008-09-27 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-09-27 11:06 . 2008-09-27 11:06 128,000 --a------ C:\WINDOWS\system32\zbjhsz.dll
2008-09-27 11:06 . 2008-09-27 11:06 128,000 --a------ C:\WINDOWS\system32\wwnnvtci.dll
2008-09-27 11:05 . 2008-09-27 11:05 71,168 --a------ C:\WINDOWS\system32\vbmkbwpx.dll
2008-09-27 11:04 . 2008-09-27 11:04 105,984 --a------ C:\WINDOWS\system32\otjjnvad.dll
2008-09-27 11:02 . 2008-09-28 17:31 2,609 --ahs---- C:\WINDOWS\system32\vFNVDJjl.ini2
2008-09-27 11:02 . 2008-09-28 17:31 2,609 --ahs---- C:\WINDOWS\system32\vFNVDJjl.ini
2008-09-27 10:58 . 2008-09-27 10:58 <DIR> d-------- C:\Program Files\OINAnalytics
2008-09-27 10:56 . 2008-09-28 15:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-27 10:56 . 2008-09-27 10:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-18 21:23 . 2008-09-18 21:23 445 --a------ C:\Shopper.jad
2008-09-07 11:01 . 2008-09-07 11:01 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Application Data\3M
2008-09-07 11:00 . 2006-11-29 18:09 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Bluetooth Software
2008-09-07 11:00 . 2008-09-07 11:00 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Application Data\SiteAdvisor
2008-09-07 11:00 . 2006-11-29 18:25 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Application Data\InstallShield
2008-09-07 11:00 . 2006-11-29 18:28 <DIR> d--h----- C:\Documents and Settings\Nitin Agarwal\Application Data\Gtek
2008-09-07 11:00 . 2006-12-06 19:57 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Application Data\AOL
2008-09-07 11:00 . 2008-09-07 11:00 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal
2008-09-02 06:39 . 2008-09-02 06:39 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-02 06:39 . 2008-09-02 06:39 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-02 06:39 . 2008-09-02 06:39 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-02 06:39 . 2008-09-02 06:39 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-02 06:33 . 2008-09-02 06:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 21:15 --------- d-----w C:\Program Files\Java
2008-09-28 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-28 02:19 --------- d-----w C:\Program Files\Yahoo!
2008-09-28 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2008-09-28 02:15 --------- d-----w C:\Program Files\Google
2008-09-28 02:08 --------- d--h--r C:\Documents and Settings\Anjali Goyal\Application Data\yahoo!
2008-09-27 17:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-09-25 20:05 --------- d-----w C:\Documents and Settings\Anjali Goyal\Application Data\SiteAdvisor
2008-09-13 05:59 --------- d-----w C:\Program Files\Common Files\Real
2008-09-12 15:37 --------- d-----w C:\Program Files\McAfee
2008-08-02 03:02 --------- d-----w C:\Documents and Settings\Anjali Goyal\Application Data\Ahead
2008-08-01 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-08-01 21:33 --------- d-----w C:\Program Files\Nero
2008-08-01 21:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-01-24 23:14 2,062,800 ----a-w C:\Program Files\internet explorer\plugins\MathPlayer.dll
2007-02-16 22:59 88 --sh--r C:\WINDOWS\system32\AD70FAF23D.sys
2007-02-16 23:00 2,984 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B221E01-F517-4959-8C41-81948E7F2F17}]
2008-09-11 13:48 229376 --a------ C:\Program Files\OINAnalytics\OINAnalytics.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6dadcb3-31fa-4e74-8ed4-79071892f516}]
2008-09-28 20:01 128000 --a------ C:\WINDOWS\system32\ghpzhj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 04:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 202544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-08 36904]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-29 98304]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 202544]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BMafdfde53"="C:\WINDOWS\system32\cfifoirp.dll" [2008-09-28 105984]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-29 24576]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2003-10-09 1622016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ghpzhj.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CU VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CU VPN Client.lnk
backup=C:\WINDOWS\pss\CU VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^University of Colorado at Boulder VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\University of Colorado at Boulder VPN Client.lnk
backup=C:\WINDOWS\pss\University of Colorado at Boulder VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-10-09 19:57 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 23:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 23:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-07-25 16:02 563984 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 16:06 2027792 C:\Program Files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-02-25 19:23 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-09-19 17:34 4347120 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 23:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"mysql"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\updates.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsdoc.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsinfo.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsmps.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsMsgServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsNameServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsOaPathUtil.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsRemshClient.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsRunHidden.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsServIpc.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsUnzip.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdswhich.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsZip.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cds_root.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\clsAdminTool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\clsbd.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\clu.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cmfeedback.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\consmgr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\dregprint.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\emsMkError.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\mpsinfo.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\msgHelp.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\nmp.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\nmppath.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\obServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\switchversion.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\van.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\versionviewer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\capture.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\comp16.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\pcadi.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\pspiceexplorersrvr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\pstswp.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\regsvr32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\sch2cap.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\SETBROWS.EXE"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\tutorial\\CAPTUTOR.EXE"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\cdsdoc\\bin\\cdsdocIndexer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\cdsdoc\\bin\\obServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\dfII\\bin\\skill.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\dfII\\bin\\skill_g.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\bodygen.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\cpmaccess.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\libaccess.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\lrm.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\mkdefcfg.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\newgenasym.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\pcbCache.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\projmgr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\psetup.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\purge.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\QPSetup.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\rollback.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\UniversalBrowser.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\versiontool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\java.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\javaw.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\jpicpl32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\jucheck.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\jusched.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\keytool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\kinit.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\klist.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\ktab.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\orbd.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\policytool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\rmid.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\rmiregistry.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\servertool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\tnameserv.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\javaws\\javaws.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\a2dxf.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\allegro.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\allegro_free_viewer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\artwork.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\batch_drc.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\bbvia.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\bem2d.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\cns_report.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\create_devices.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\create_sym.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbdoctor.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbdoctor14.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbdoctor_ui.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbfix11.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbfix12.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbfix13.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbstat.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dfa_dlg.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dfa_update.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\downrev14.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\downrev_library.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\draw_check.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dump_libraries.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dxf2a.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\ecl_schedule.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\enved.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\explot.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\extracta.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\flash_convert.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\fpbrowse.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\FSvia.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\FSviaSolver.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\gbplot.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\genfeedformat.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\genrad.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\gloss.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\idf_in.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\idf_out.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\iges_in.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\iges_out.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\il_allegro.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\ipc356_out.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\j2script.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\l2a.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\mbs2lib.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\ncroute.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\nctape.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\netin.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\netrev.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pads_in.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pad_designer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\parallel.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pcad_in.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pe_wordpad.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\placement.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\plctxt.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pre_check.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\productServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\qvupdate.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\refresh_padstack.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\refresh_symbol.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\refresh_vs.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\reftxt.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\report.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\specctra.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\spif.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\spif_batch.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\swap.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\systemdump.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\sys_root.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\techfile.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\techfile13.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\techfile14.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\tlp2.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\uprev.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\zrouter.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\perl5\\bin\\perl.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\perl5\\bin\\perlglob.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\perl5\\ntt\\cmd32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\IndiceFileGeneration.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\Magneticdesigner.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\modeled.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\MrkSrvr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\pspice.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\pspiceaa.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\PSpiceEnc.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\pspiceexplorersrvr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\psp_cmd.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\regsvr32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\simmgr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\simsrvr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\stmed.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\specctra\\bin\\specctra.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\bin\\cdsdocIndexer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\merge.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\mkvdk.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\search.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\setup.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\v_uninst.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\callback.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\filter.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\htmlini.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\htmserv.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\index.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\jstree.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\jvtree.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\kvoop.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\regsvr32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\summary.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\viewers\\amovie.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\specctra\\bin\\specctra.com"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 sprtlisten;SupportSoft Listener Service;C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2003-01-07 9049]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-01-07 115008]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-01-07 115008]
S2 XAMPP;XAMPP Service;C:\Program Files\xampp\service.exe [2005-03-12 60928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fbf6faa-c5fb-11db-8b26-0015c5c017b5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5218e88-f84b-11dc-8c97-444553544200}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{21ED47CE-B8EF-4908-B151-A8836CBB7587} - C:\WINDOWS\system32\byXQIYRI.dll
BHO-{453F51E8-FEF5-4C54-B136-944BF434360C} - C:\WINDOWS\system32\vtUmLeEW.dll
BHO-{921E6298-0E5A-43D2-BC4A-2A0DC4997454} - C:\WINDOWS\system32\ljJDVNFv.dll
BHO-{B857607F-2886-4915-B538-962235D81860} - (no file)
BHO-{fced84ed-b68e-462a-93b5-bb35a5dd84ce} - (no file)
HKCU-Run-VnrBlock21 - C:\Program Files\VnrBlock\VnrBlock21.exe
ShellExecuteHooks-{453F51E8-FEF5-4C54-B136-944BF434360C} - C:\WINDOWS\system32\vtUmLeEW.dll
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-RealTray - C:\Program Files\Real\RealPlayer\RealPlay.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Anjali Goyal\Application Data\Mozilla\Firefox\Profiles\biebim3k.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 16:47:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> C:\WINDOWS\system32\cfifoirp.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-09-29 16:57:09 - machine was rebooted [Anjali Goyal]
ComboFix-quarantined-files.txt 2008-09-29 22:57:03

Pre-Run: 35,983,560,704 bytes free
Post-Run: 35,932,827,648 bytes free

445 --- E O F --- 2008-09-10 20:04:05

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:56 PM, on 9/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: OIN Analytics - {6B221E01-F517-4959-8C41-81948E7F2F17} - C:\Program Files\OINAnalytics\OINAnalytics.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {615f2981-7097-4de8-47e4-af133bcdad6b} - {b6dadcb3-31fa-4e74-8ed4-79071892f516} - C:\WINDOWS\system32\ghpzhj.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BMafdfde53] Rundll32.exe "C:\WINDOWS\system32\cfifoirp.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - AppInit_DLLs: ghpzhj.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\service.exe

--
End of file - 10971 bytes

Once again thanks for all your help and let me know what else needs to be done.

pskelley · Sep 30, 2008

Thanks for returning your information, please read and follow the directions carefully, and in the numbered order.

I cannot say with absolute certainty, but it is likely the out of date Java was responsible for the exploit that got you infected. Here is how they do it:
Infected websites are the next internet security threats
http://www.google.com/search?hl=en&q=infected+websites&btnG=Google+Search

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\BMafdfde53.xml
C:\WINDOWS\system32\ghpzhj.dll
C:\WINDOWS\system32\cfifoirp.dll
C:\WINDOWS\system32\vyntqrfm.dll
C:\WINDOWS\system32\ghpzhj.dll
C:\WINDOWS\system32\glpymkgw.dll
C:\WINDOWS\system32\cfifoirp.dll
C:\WINDOWS\system32\zbjhsz.dll
C:\WINDOWS\system32\wwnnvtci.dll
C:\WINDOWS\system32\vbmkbwpx.dll
C:\WINDOWS\system32\otjjnvad.dll
C:\WINDOWS\system32\vFNVDJjl.ini2
C:\WINDOWS\system32\vFNVDJjl.ini

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B221E01-F517-4959-8C41-81948E7F2F17}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6dadcb3-31fa-4e74-8ed4-79071892f516}]

Folder::
C:\Program Files\OINAnalytics

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(some may be gone, removed by CFScript)

O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: OIN Analytics - {6B221E01-F517-4959-8C41-81948E7F2F17} - C:\Program Files\OINAnalytics\OINAnalytics.dll
O2 - BHO: {615f2981-7097-4de8-47e4-af133bcdad6b} - {b6dadcb3-31fa-4e74-8ed4-79071892f516} - C:\WINDOWS\system32\ghpzhj.dll
O4 - HKLM\..\Run: [BMafdfde53] Rundll32.exe "C:\WINDOWS\system32\cfifoirp.dll",s
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - AppInit_DLLs: ghpzhj.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running now?

Thanks...Phil

nagarwa · Sep 30, 2008

Hi Phil, here is what I did

1. Created CFScript.txt and dragged it over ComboFix.exe, which made ComboFix run again.
2. After ComboFix completed ran HijackThis and did a scan only, I was then able to check the following
O2 - BHO: (no name) - rsion - (no file)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
and did a Fix check.
3. ran the ATFcleaner.
4. Malwarebytes' Anti-Malware (mbabm)
5. Ran HijackThis again

My laptop looks much better now, I am running Spybot right now just to be sure, but it seems to be taking me to the right places now, where I want to go.

Here are the logs in order ComboFix, mbam and HijackThis

ComboFix 08-09-28.01 - Anjali Goyal 2008-09-29 21:37:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.443 [GMT -6:00]
Running from: C:\Documents and Settings\Anjali Goyal\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anjali Goyal\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BMafdfde53.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cfifoirp.dll
C:\WINDOWS\system32\ghpzhj.dll
C:\WINDOWS\system32\glpymkgw.dll
C:\WINDOWS\system32\otjjnvad.dll
C:\WINDOWS\system32\vbmkbwpx.dll
C:\WINDOWS\system32\vFNVDJjl.ini
C:\WINDOWS\system32\vFNVDJjl.ini2
C:\WINDOWS\system32\vyntqrfm.dll
C:\WINDOWS\system32\wwnnvtci.dll
C:\WINDOWS\system32\zbjhsz.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\OINAnalytics
C:\Program Files\OINAnalytics\OINAnalytics.dll
C:\Program Files\OINAnalytics\Uninstall.exe
C:\WINDOWS\BMafdfde53.txt
C:\WINDOWS\BMafdfde53.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cfifoirp.dll
C:\WINDOWS\system32\ghpzhj.dll
C:\WINDOWS\system32\glpymkgw.dll
C:\WINDOWS\system32\otjjnvad.dll
C:\WINDOWS\system32\vbmkbwpx.dll
C:\WINDOWS\system32\vFNVDJjl.ini
C:\WINDOWS\system32\vFNVDJjl.ini2
C:\WINDOWS\system32\vyntqrfm.dll
C:\WINDOWS\system32\wwnnvtci.dll
C:\WINDOWS\system32\zbjhsz.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-09-29 15:16 . 2008-09-29 15:16 <DIR> d-------- C:\Program Files\Sun
2008-09-29 15:16 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-29 14:31 . 2008-09-29 14:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-28 15:43 . 2008-09-28 15:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-28 15:43 . 2008-09-28 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 12:16 . 2008-09-28 12:16 <DIR> d-------- C:\Program Files\Twain
2008-09-28 12:11 . 2008-09-28 12:52 <DIR> d-------- C:\Program Files\Webtools
2008-09-28 12:06 . 2008-09-28 12:06 <DIR> d-------- C:\Program Files\Mjcore
2008-09-27 21:17 . 2008-09-27 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-09-27 10:56 . 2008-09-28 15:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-27 10:56 . 2008-09-27 10:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-18 21:23 . 2008-09-18 21:23 445 --a------ C:\Shopper.jad
2008-09-07 11:01 . 2008-09-07 11:01 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Application Data\3M
2008-09-07 11:00 . 2006-11-29 18:09 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Bluetooth Software
2008-09-07 11:00 . 2008-09-07 11:00 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Application Data\SiteAdvisor
2008-09-07 11:00 . 2006-11-29 18:25 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Application Data\InstallShield
2008-09-07 11:00 . 2006-11-29 18:28 <DIR> d--h----- C:\Documents and Settings\Nitin Agarwal\Application Data\Gtek
2008-09-07 11:00 . 2006-12-06 19:57 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal\Application Data\AOL
2008-09-07 11:00 . 2008-09-07 11:00 <DIR> d-------- C:\Documents and Settings\Nitin Agarwal
2008-09-02 06:39 . 2008-09-02 06:39 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-02 06:39 . 2008-09-02 06:39 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-02 06:39 . 2008-09-02 06:39 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-02 06:39 . 2008-09-02 06:39 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-02 06:33 . 2008-09-02 06:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-27 01:41 . 2008-04-13 18:12 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2008-08-27 01:40 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-27 01:39 . 2008-04-13 18:11 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-08-14 03:53 . 2008-04-11 13:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-14 03:52 . 2008-05-01 08:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-01 15:38 . 2008-08-01 21:02 <DIR> d-------- C:\Documents and Settings\Anjali Goyal\Application Data\Ahead
2008-08-01 15:38 . 2008-08-01 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-08-01 15:33 . 2008-08-01 15:33 <DIR> d-------- C:\Program Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 21:15 --------- d-----w C:\Program Files\Java
2008-09-28 03:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-09-28 02:19 --------- d-----w C:\Program Files\Yahoo!
2008-09-28 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\YAHOO
2008-09-28 02:15 --------- d-----w C:\Program Files\Google
2008-09-28 02:08 --------- d--h--r C:\Documents and Settings\Anjali Goyal\Application Data\yahoo!
2008-09-27 17:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-09-25 20:05 --------- d-----w C:\Documents and Settings\Anjali Goyal\Application Data\SiteAdvisor
2008-09-13 05:59 --------- d-----w C:\Program Files\Common Files\Real
2008-09-12 15:37 --------- d-----w C:\Program Files\McAfee
2008-08-01 21:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 04:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 04:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 04:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 04:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 04:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 04:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 04:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 04:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-25 00:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2007-01-24 23:14 2,062,800 ----a-w C:\Program Files\internet explorer\plugins\MathPlayer.dll
2007-02-16 22:59 88 --sh--r C:\WINDOWS\system32\AD70FAF23D.sys
2007-02-16 23:00 2,984 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-09-29_16.56.38.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-29 20:31:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-30 00:39:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-09-29 20:31:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-30 00:39:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-09-29 20:31:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-30 00:39:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 04:46 160496 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 202544]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-08 36904]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-29 98304]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-10-09 202544]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-29 24576]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2003-10-09 1622016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CU VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CU VPN Client.lnk
backup=C:\WINDOWS\pss\CU VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^University of Colorado at Boulder VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\University of Colorado at Boulder VPN Client.lnk
backup=C:\WINDOWS\pss\University of Colorado at Boulder VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-10-09 19:57 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 14:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-12-13 23:45 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-12-13 23:44 98304 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-07-25 16:02 563984 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-25 16:06 2027792 C:\Program Files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--------- 2003-09-10 02:24 20480 C:\Program Files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-02-25 19:23 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-09-19 17:34 4347120 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-24 23:30 282624 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"mysql"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\updates.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsdoc.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsinfo.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsmps.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsMsgServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsNameServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsOaPathUtil.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsRemshClient.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsRunHidden.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsServIpc.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsUnzip.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdswhich.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsZip.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cds_root.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\clsAdminTool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\clsbd.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\clu.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cmfeedback.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\consmgr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\dregprint.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\emsMkError.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\mpsinfo.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\msgHelp.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\nmp.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\nmppath.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\obServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\switchversion.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\van.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\versionviewer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\capture.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\comp16.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\pcadi.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\pspiceexplorersrvr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\pstswp.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\regsvr32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\sch2cap.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\SETBROWS.EXE"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\tutorial\\CAPTUTOR.EXE"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\cdsdoc\\bin\\cdsdocIndexer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\cdsdoc\\bin\\obServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\dfII\\bin\\skill.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\dfII\\bin\\skill_g.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\bodygen.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\cpmaccess.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\libaccess.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\lrm.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\mkdefcfg.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\newgenasym.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\pcbCache.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\projmgr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\psetup.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\purge.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\QPSetup.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\rollback.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\UniversalBrowser.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\versiontool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\java.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\javaw.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\jpicpl32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\jucheck.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\jusched.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\keytool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\kinit.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\klist.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\ktab.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\orbd.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\policytool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\rmid.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\rmiregistry.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\servertool.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\tnameserv.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\javaws\\javaws.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\a2dxf.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\allegro.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\allegro_free_viewer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\artwork.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\batch_drc.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\bbvia.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\bem2d.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\cns_report.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\create_devices.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\create_sym.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbdoctor.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbdoctor14.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbdoctor_ui.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbfix11.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbfix12.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbfix13.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbstat.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dfa_dlg.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dfa_update.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\downrev14.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\downrev_library.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\draw_check.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dump_libraries.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dxf2a.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\ecl_schedule.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\enved.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\explot.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\extracta.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\flash_convert.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\fpbrowse.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\FSvia.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\FSviaSolver.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\gbplot.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\genfeedformat.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\genrad.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\gloss.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\idf_in.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\idf_out.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\iges_in.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\iges_out.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\il_allegro.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\ipc356_out.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\j2script.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\l2a.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\mbs2lib.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\ncroute.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\nctape.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\netin.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\netrev.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pads_in.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pad_designer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\parallel.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pcad_in.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pe_wordpad.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\placement.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\plctxt.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pre_check.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\productServer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\qvupdate.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\refresh_padstack.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\refresh_symbol.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\refresh_vs.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\reftxt.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\report.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\specctra.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\spif.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\spif_batch.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\swap.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\systemdump.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\sys_root.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\techfile.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\techfile13.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\techfile14.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\tlp2.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\uprev.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\zrouter.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\perl5\\bin\\perl.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\perl5\\bin\\perlglob.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\perl5\\ntt\\cmd32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\IndiceFileGeneration.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\Magneticdesigner.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\modeled.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\MrkSrvr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\pspice.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\pspiceaa.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\PSpiceEnc.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\pspiceexplorersrvr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\psp_cmd.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\regsvr32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\simmgr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\simsrvr.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\stmed.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\specctra\\bin\\specctra.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\bin\\cdsdocIndexer.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\merge.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\mkvdk.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\search.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\setup.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\v_uninst.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\callback.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\filter.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\htmlini.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\htmserv.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\index.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\jstree.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\jvtree.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\kvoop.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\regsvr32.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\summary.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\viewers\\amovie.exe"=
"C:\\OrCAD\\OrCAD_15.7_Demo\\tools\\specctra\\bin\\specctra.com"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 sprtlisten;SupportSoft Listener Service;C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2003-01-07 9049]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-01-07 115008]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2003-01-07 115008]
S2 XAMPP;XAMPP Service;C:\Program Files\xampp\service.exe [2005-03-12 60928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fbf6faa-c5fb-11db-8b26-0015c5c017b5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5218e88-f84b-11dc-8c97-444553544200}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BMafdfde53 - C:\WINDOWS\system32\cfifoirp.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 21:41:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-29 21:47:16
ComboFix-quarantined-files.txt 2008-09-30 03:47:13
ComboFix2.txt 2008-09-29 22:57:10

Pre-Run: 35,916,771,328 bytes free
Post-Run: 35,893,440,512 bytes free

440 --- E O F --- 2008-09-10 20:04:05

mbam log

Malwarebytes' Anti-Malware 1.28
Database version: 1222
Windows 5.1.2600 Service Pack 3

9/30/2008 5:03:43 AM
mbam-log-2008-09-30 (05-03-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 285721
Time elapsed: 1 hour(s), 37 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oincs.oinanalytics (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oincs.oinanalytics.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f7fa36a4-3177-4b57-b9c1-e9c5b2e0d3a9} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OINAnalytics (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\OINAnalytics.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Twain (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\OINAnalytics\OINAnalytics.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b152.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b155.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b156.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\faceback.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\byXQIYRI.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ghpzhj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\glpymkgw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vbmkbwpx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUmLeEW.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vyntqrfm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wwnnvtci.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\zbjhsz.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP476\A0065452.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP476\A0065454.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP477\A0065663.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP477\A0065664.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP484\A0066273.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP484\A0066285.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0067760.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0067761.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0067762.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0067763.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0067765.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0067767.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP491\A0067875.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP491\A0067878.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP491\A0067879.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP491\A0067881.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP491\A0067883.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP491\A0067884.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP491\A0067885.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:30 AM, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\service.exe

--
End of file - 10349 bytes

pskelley · Oct 9, 2008

I must apologize:sad: because I try to help lots of folks, I depend on the notifications system to let me know when someone posts a reply. In this case it has failed and I did not get that notification. If we can continue, I would like you to send me a private message if you do not hear from me in 12 hours (EST) of a post by you.
http://forums.spybot.info/member.php?u=233

This would be the next important step:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

Please post a new HJT log also, along with your comments about how the computer is running.

Thanks...Phil

pskelley · Oct 17, 2008

Please post a new HJT log also, along with your comments about how the computer is running.

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.

Virtumonde infection need help

nagarwa

New member

pskelley

In Memoriam -Always in our heart

nagarwa

New member

pskelley

In Memoriam -Always in our heart

nagarwa

New member

pskelley

In Memoriam -Always in our heart

nagarwa

New member

pskelley

In Memoriam -Always in our heart

pskelley

In Memoriam -Always in our heart