Vundo variant hijacks winlogon...

paulaerison

New member
Vundo variant hijacks winlogon, blocks and disables automatic updates, rootkit dropper with multiple outbound tcpip connections.... sbsd cannot remove this.... Symantec FixVundo can't remove this, McAfee can't remove this, safe mode can't remove this... it's attached to winlogon under notify... TeaTimer doesn't even scan this reg tree so I can't load TeaTimer in safe mode and walk through and kill the registry entries that WON'T DIE...

dll can't be renamed...
hijackthis can't be downloaded because a very official looking window says "windows has identified this program as potentially harmful and blocked access to it" poof, it's gone.... same with anything I try and download, INCLUDING windows malicious software removal tool... any windows update.... it's all blocked...


ARRRRRGGGHHHH x10

now what? is there a way to set the registry to BYPASS winlogon and just load command.com or cmd.exe so I can delete the file then reboot into safe mode command prompt and re-run sbsd?

note: sbsd identifies the file every time, even though it keeps changing its name and CLSID...

"tasklist /m *" shows me the dll(s)... they always have goofy names and are attached to iexplore, explorer, and winlogon... all three will have the same one attached, as well as iexplore will have 1-3 more... the names are random in appearance.... I've tried adding the CLSID into the BLOCKED section, but apparently when it exits, it takes steps to protect itself with registry monitoring and morphing dll name and CLSID...

any suggestions? (I'm sending this from a different, read: non-infected, computer)

 
Hi

Let's see if you can download and run this

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
 
next idea?

I get a popup that claims to be windows protection and has blocked the file as being protentially harmful...

15 years, I've never been hacked, or gotten a virus I couldn't get rid of... FIFTEEN YEARS... and then I opened what appeared to be a PDF attachment from my wife... BAM...

this thing is hooked into winlogon notify... it loads before EVERYTHING I can do, even in safe mode command prompt only... when I delete the registry entry, it poofs back... I thought I'd be clever and reset the registry permissions on that key so it couldn't access it and re-write itself into the registry... F5 reveals even MORE promiscuous permissions {EVERYONE:FULL ACCESS/SYSTEM:FULL ACCESS}... even WORSE than the default...

I am at a loss for a solution save FORMAT C:... I would really rather not if it can be helped.... I have 7 years worth of data on that system and nothing big enough to back it up (dual 280gb hdds)...

it's corrupting access to the FDD, so I can't even create a boot floppy... in safe mode, USB drives don't work... I can't even load it on another system...

this thing is tenacious... sbsd and McAfee both detect it, and "claim" to have removed it and require a reboot to complete because a file was in use...

reboot -> safe mode command prompt only -> tasklist /m* >tasklist.txt | grep winlogon -> reveals the presence of a gobbledygook-named dll in sys32 attached to winlogon... again... GRRR....
 
Safe mode with network?

I wonder if I can boot into safe mode network and use file sharing to remotely place the file on the system and then quickly execute it from a command prompt (killing explorer first and using taskman to start cmd)... I'm going to try that and let you know.
 
Recovery console!!

:angel: and a bit of judicious scripting, I was able to detach the DLL from winlogon and re-write the winlogon notify section of the registry to eliminate it on startup... sbsd and McAfee were both able to complete without popups (McAfee I had scan only sys32 & restore to remove the immediate threat, a more thorough scan to follow) wish me luck on a networked reboot... not sure if iexplore will pull in one of its buddies when I try and download this, but we'll see if I can avoid a reboot, it won't be able to hook back into winlogon, and it will be a child proc of explorer so I can taskkill /f/t/s and it should kill that and everything associated as a child of explorer (including any mal dlls/bhos)... wish me luck..
 
GRRRR... This one is one HECK of a virus...

ok, even in safe mode, the "windows security warning" still popped up, I even went so far as to load the internet control panel and turn off ALL bhos and set security to max... YARG!!!

Soon as I clicked OK, dss.exe went poof... even tried running it directly... is there an FTP link that I can use to download from the command prompt without explorer loaded?
 
Ok, just have to be smarter than the virus... ;-)

killed explorer /t/f and iexplore /t/f... then loaded taskman and re-loaded iexplore... added safer and that tool place to trusted zones... got the popup again, BUT, this time I was able to taskkill /t/f /im iexplore* and it never got the chance to delete the file... WOOT!... now posting main and extra....
 
main.txt

Deckard's System Scanner v20071014.68
Run by ntadmin on 2008-06-17 08:49:30
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
18: 2008-06-16 14:44:11 UTC - RP421 - Spybot-S&D Spyware removal
17: 2008-06-15 16:41:20 UTC - RP420 - Spybot-S&D Spyware removal
16: 2008-06-15 16:38:36 UTC - RP419 - Spybot-S&D Spyware removal
15: 2008-06-15 15:00:11 UTC - RP418 - Software Distribution Service 3.0
14: 2008-06-15 14:59:07 UTC - RP417 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-21 21:47:46 UTC - RP404 - Unsigned driver install


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 384 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-17 08:52:00
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\cmd.exe
C:\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&ar=runonce&pver={SUB_PVER}&plcid={SUB_CLSID}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E7C50E6-0BBF-4FB9-BB5F-1162FD8924EF} - (no file)
O2 - BHO: (no name) - {1CE2611D-C642-4C15-A505-F6F20FE0F802} - (no file)
O2 - BHO: (no name) - {23577E89-4F44-40FC-9338-4F6FCCD497EB} - (no file)
O2 - BHO: (no name) - {3A41BFF5-8A08-48F3-A2B3-C155360027C0} - (no file)
O2 - BHO: (no name) - {427F6191-E327-4E0D-9F48-D7014D06B696} - (no file)
O2 - BHO: (no name) - {43F550EA-7462-412A-A27D-9644898A48E6} - (no file)
O2 - BHO: (no name) - {4543E828-4EAC-4273-9CBF-71006A8997F2} - (no file)
O2 - BHO: (no name) - {46DD5C71-08CC-4721-BC9F-710B5F0E5E3B} - C:\Windows\system32\geBrOefc.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5EDEE2A6-9EAF-48FB-8782-1F8BA93DB5FF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - Z:\Sun\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {779F5D7B-85D4-404B-B130-FB2D0EC5CACF} - (no file)
O2 - BHO: (no name) - {7BE0B2EC-8C2E-467A-A500-7594227B18B4} - (no file)
O2 - BHO: (no name) - {7F260734-72A5-46E1-A144-99C714CB0786} - (no file)
O2 - BHO: (no name) - {8649F0BB-AFF8-44B8-9D96-92ED8AF3C6A8} - (no file)
O2 - BHO: (no name) - {96307A53-4723-4931-8625-A5D6A7A82E0D} - (no file)
O2 - BHO: (no name) - {96BBBFB6-9468-4D6F-B204-28290799E441} - (no file)
O2 - BHO: (no name) - {99959CA7-FA15-4A05-9DA7-F5C7A1A3A7BC} - (no file)
O2 - BHO: (no name) - {9E9E6136-D768-41AD-B6A2-BA246664C8E7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BB828984-0EAA-4878-9EBE-EE61215B4257} - (no file)
O2 - BHO: (no name) - {BC53E890-2693-4906-B6BD-BC2E293079F0} - C:\Windows\system32\tuvTmNHX.dllx (file missing)
O2 - BHO: (no name) - {C1BBCD8C-AF71-4A01-87C5-FAC34E6116A9} - (no file)
O2 - BHO: (no name) - {E2D90E0D-04E2-4CCB-994E-5793A874E07F} - (no file)
O2 - BHO: (no name) - {E6163054-8277-4797-8800-054F53AC3A9B} - (no file)
O2 - BHO: (no name) - {EF6D1649-E2AD-4293-AA11-9224B0FD46BE} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-E22ABC2EED3F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: atfxqogp - {0FAAC4A8-2E74-4D58-9AC0-95201C69185A} - C:\Windows\atfxqogp.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\Windows\system32\mstask.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA8461] command /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3304] cmd /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled = Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoStart IR.lnk.disabled = Z:\Program Files\WinTV\Ir.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk.disabled = ?
O4 - Global Startup: Microsoft Office.lnk.disabled = Z:\Program Files\Office2KPrem\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk.disabled = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Z:\Sun\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Z:\Sun\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://forums.spybot.info (HKCU)
O15 - Trusted Zone: http://www.techsupportforum.com (HKCU)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downl...-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
O16 - DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} (CheckFileStatus.UserControl1) - https://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} () - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099059536327
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169069644734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{47ECF58E-EE56-4535-A375-5BCBADE6F9B1}: NameServer = 192.168.64.1
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: tuvTmNHX - C:\Windows\system32\tuvTmNHX.dll (file missing)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: vregfwlx - {80ADA70D-39D6-4F1B-BC24-2C207A1C87F1} - C:\Windows\vregfwlx.dll (file missing)
O21 - SSODL: vltdfabw - {5B0770DF-9A00-4C14-B1B1-9AC5F2CBDD3F} - C:\Windows\vltdfabw.dll (file missing)
O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - Z:\Sun\SDK\lib\appservService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe


--
End of file - 12181 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Imagedrv - c:\windows\system32\drivers\imagedrv.sys <Not Verified; Ahead Software AG and its licensors; NERO IMAGEDRIVE>
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys
S2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT>
S3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 HCWBT8XX (Hauppauge WinTV 848/9 WDM Video Driver) - c:\windows\system32\drivers\hcwbt8xx.sys <Not Verified; Hauppauge Computer Works; WinTV WDM Driver>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
S2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
S2 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>
S3 AppServer9PE (SunJavaSystemAppserver9PE) - z:\sun\sdk\lib\appservservice.exe "\"z:\sun\sdk\bin\asadmin.bat\" start-domain --user admin domain1" "\"z:\sun\sdk\bin\asadmin.bat\" stop-domain domain1\"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-16 13:40:47 426 --ah---c- C:\Windows\Tasks\User_Feed_Synchronization-{5678D393-1137-432C-86AC-EBF0BB7EA42C}.job
2008-05-30 08:55:34 332 --a----c- C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-17 08:45:11 686630 --a----c- C:\dss.exe
2008-06-17 08:06:10 45 --a----c- C:\Documents and Settings\ntadmin\tl.cmd
2008-06-16 22:38:37 51240 --a----c- C:\OnDemandScanLog_06162008_2237 <ONDEMA~1>
2008-06-16 19:52:00 100 --a----c- C:\ntpass.cmd
2008-06-16 11:02:19 0 d------c- C:\Documents and Settings\ntadmin\Application Data\Identities
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\Templates
2008-06-16 11:02:18 0 dr-----c- C:\Documents and Settings\ntadmin\Start Menu
2008-06-16 11:02:18 0 dr-h---c- C:\Documents and Settings\ntadmin\SendTo
2008-06-16 11:02:18 0 dr-h---c- C:\Documents and Settings\ntadmin\Recent
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\PrintHood
2008-06-16 11:02:18 2359296 --ah----- C:\Documents and Settings\ntadmin\NTUSER.DAT
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\NetHood
2008-06-16 11:02:18 0 dr-----c- C:\Documents and Settings\ntadmin\My Documents
2008-06-16 11:02:18 0 d--h---c- C:\Documents and Settings\ntadmin\Local Settings
2008-06-16 11:02:18 0 dr-----c- C:\Documents and Settings\ntadmin\Favorites
2008-06-16 11:02:18 0 d------c- C:\Documents and Settings\ntadmin\Desktop
2008-06-16 11:02:18 0 d--hs--c- C:\Documents and Settings\ntadmin\Cookies
2008-06-16 11:02:18 0 dr-h---c- C:\Documents and Settings\ntadmin\Application Data
2008-06-15 13:41:26 665 --ahs--c- C:\Windows\system32\SrCKlRqr.ini2
2008-06-15 12:35:55 0 d------c- C:\Documents and Settings\aaerison\Application Data\Macromedia
2008-06-15 12:30:35 93056 --a----c- C:\Windows\system32\hyolsohw.dll
2008-06-15 12:29:26 238802 --ahs--c- C:\Windows\system32\dKnTCcdd.ini2
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\SendTo
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\Recent
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\PrintHood
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\NetHood
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\My Documents
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\Local Settings
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\Favorites
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Desktop
2008-06-15 12:21:10 0 d--hs--c- C:\Documents and Settings\aaerison\Cookies
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\Application Data
2008-06-15 12:21:10 0 d---s--c- C:\Documents and Settings\aaerison\Application Data\Microsoft
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Application Data\Identities
2008-06-15 12:21:09 0 d--h---c- C:\Documents and Settings\aaerison\Templates
2008-06-15 12:21:09 0 dr-----c- C:\Documents and Settings\aaerison\Start Menu
2008-06-15 12:21:09 2097152 --ah----- C:\Documents and Settings\aaerison\NTUSER.DAT
2008-06-14 21:53:17 92544 --a----c- C:\Windows\system32\bujlgvtl.dll
2008-06-13 21:51:07 92544 --a----c- C:\Windows\system32\qrepuvxt.dll
2008-06-13 08:58:55 0 d------c- C:\Windows\Prefetch
2008-06-13 08:08:37 0 d------c- C:\Windows\system32\scripting
2008-06-13 08:08:29 0 d------c- C:\Windows\l2schemas
2008-06-13 08:08:26 0 d------c- C:\Windows\system32\en
2008-06-13 07:46:02 99 --a----c- C:\Documents and Settings\pauld99\rdc.cmd
2008-06-12 21:52:31 93 --a----c- C:\Documents and Settings\pauld99\rundlldead.cmd
2008-06-12 21:47:28 238196 --ahs--c- C:\Windows\system32\cfeOrBeg.ini2
2008-05-30 10:16:38 1542 --ahs--c- C:\Windows\system32\FgQBdMoq.ini2
2008-05-30 09:25:29 0 d------c- C:\Documents and Settings\LocalService\Desktop
2008-05-29 22:02:36 573878 --ahs--c- C:\Windows\system32\npWGNqss.ini2
2008-05-29 14:18:27 577005 --ahs--c- C:\Windows\system32\CdMTuBeg.ini2
2008-05-29 12:51:18 111 --a----c- C:\Documents and Settings\pauld99\regtask.cmd
2008-05-29 12:26:12 691545 --a----c- C:\Windows\unins000.exe
2008-05-29 12:26:12 2542 --a----c- C:\Windows\unins000.dat
2008-05-29 11:35:31 1387 --ahs--c- C:\Windows\system32\bLkkmnnn.ini2
2008-05-29 11:29:47 94208 --a----c- C:\Windows\xmpstean.exe
2008-05-29 11:29:47 163840 --a----c- C:\Windows\egtf.exe
2008-05-29 11:29:47 249856 --a----c- C:\Windows\boqnrwdmmpa.dll
2008-05-22 20:53:33 0 d------c- C:\Program Files\Qimage
2008-05-22 19:32:21 0 d------c- C:\Documents and Settings\pauld99\Application Data\Preclick Photo Organizer
2008-05-22 19:32:07 0 d------c- C:\Program Files\Preclick


-- Find3M Report ---------------------------------------------------------------

2008-06-15 20:45:50 0 d------c- C:\Program Files\Radmin
2008-06-13 08:09:43 0 d------c- C:\Program Files\Messenger
2008-06-13 08:08:23 0 d------c- C:\Program Files\Movie Maker
2008-06-13 08:01:48 0 d------c- C:\Program Files\Windows NT
2008-05-02 10:31:30 0 d------c- C:\Program Files\WatchGuard
2008-04-23 08:01:36 0 d------c- C:\Program Files\DNA


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E7C50E6-0BBF-4FB9-BB5F-1162FD8924EF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CE2611D-C642-4C15-A505-F6F20FE0F802}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23577E89-4F44-40FC-9338-4F6FCCD497EB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A41BFF5-8A08-48F3-A2B3-C155360027C0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{427F6191-E327-4E0D-9F48-D7014D06B696}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43F550EA-7462-412A-A27D-9644898A48E6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4543E828-4EAC-4273-9CBF-71006A8997F2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46DD5C71-08CC-4721-BC9F-710B5F0E5E3B}]
C:\Windows\system32\geBrOefc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EDEE2A6-9EAF-48FB-8782-1F8BA93DB5FF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{779F5D7B-85D4-404B-B130-FB2D0EC5CACF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BE0B2EC-8C2E-467A-A500-7594227B18B4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F260734-72A5-46E1-A144-99C714CB0786}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8649F0BB-AFF8-44B8-9D96-92ED8AF3C6A8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96307A53-4723-4931-8625-A5D6A7A82E0D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96BBBFB6-9468-4D6F-B204-28290799E441}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99959CA7-FA15-4A05-9DA7-F5C7A1A3A7BC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E9E6136-D768-41AD-B6A2-BA246664C8E7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB828984-0EAA-4878-9EBE-EE61215B4257}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC53E890-2693-4906-B6BD-BC2E293079F0}]
C:\Windows\system32\tuvTmNHX.dllx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1BBCD8C-AF71-4A01-87C5-FAC34E6116A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2D90E0D-04E2-4CCB-994E-5793A874E07F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6163054-8277-4797-8800-054F53AC3A9B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF6D1649-E2AD-4293-AA11-9224B0FD46BE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [08/18/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM C:\WINDOWS\system32\nwiz.exe]
"Jet Detection"="c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [11/29/2001 02:00 AM]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [06/02/2003 01:25 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [06/03/2007 03:51 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 01:01 PM]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [01/28/2008 11:43 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/11/2006 10:43 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/11/2006 10:43 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 10:05 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA8461"=command /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"
"SpybotDeletingC3304"=cmd /c del "C:\WINDOWS\system32\rqRlKCrS.dll_old"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\Windows\system32\mstask.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2/2/2007 12:53:10 PM]
Adobe Gamma Loader.exe.lnk.disabled [10/10/2006 1:12:01 AM]
AutoStart IR.lnk.disabled [11/29/2006 4:15:20 PM]
HOTSYNCSHORTCUTNAME.lnk.disabled [8/21/2007 9:21:26 PM]
Microsoft Office.lnk.disabled [2/22/2007 4:35:19 PM]
WinZip Quick Pick.lnk.disabled [1/19/2007 1:30:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"=0 (0x0)
"NoWebServices"=0 (0x0)
"NoOnlinePrintsWizard"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BC53E890-2693-4906-B6BD-BC2E293079F0}"= C:\Windows\system32\tuvTmNHX.dllx [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vregfwlx"= {80ADA70D-39D6-4F1B-BC24-2C207A1C87F1} - C:\Windows\vregfwlx.dll [ ]
"vltdfabw"= {5B0770DF-9A00-4C14-B1B1-9AC5F2CBDD3F} - C:\Windows\vltdfabw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\Windows\System32\dimsntfy.dll

:police: this is the one right here that I could not unload :police:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvTmNHX]
tuvTmNHX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\rqRlKCrS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"eMuleAutoStart"=Z:\Program Files\eMule\emule.exe -AutoStart
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nero DriveSpeed"=C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
"NeroCheck"=C:\Windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------


8751 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-17 08:56:28 ------------
 
extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(TM) CPU 1300MHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 383.36 MiB / 211.15 MiB
Pagefile Memory (total/avail): 4442.01 MiB / 4350.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.23 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 33.09 GiB total, 14.26 GiB free.
D: is Fixed (FAT32) - 4.19 GiB total, 0.72 GiB free.
E: is CDROM (No Media)
H: is CDROM (No Media)
Z: is Fixed (NTFS) - 233.76 GiB total, 29.45 GiB free.

\\.\PHYSICALDRIVE0 - MAXTOR 4K040H2 - 37.28 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 33.09 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 4.2 GiB - D:

\\.\PHYSICALDRIVE1 - PLATINUM 250G 2B5400 - 233.76 GiB - 1 partition
\PARTITION0 - Installable File System - 233.76 GiB - Z:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ntadmin\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WACKO
ComSpec=C:\Windows\system32\cmd.exe
dircmd=/a/o
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ntadmin
LOGONSERVER=\\WACKO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;c:\progra~1\posix;c:\ntreskit;C:\Program Files\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\DOCUME~1\ntadmin\LOCALS~1\Temp
TMP=C:\DOCUME~1\ntadmin\LOCALS~1\Temp
USERDOMAIN=WACKO
USERNAME=ntadmin
USERPROFILE=C:\Documents and Settings\ntadmin
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

ntadmin (admin)
aaerison (new local, admin)
pauld99 (admin)
eBay Seller Account (admin)
eMule_Secure
ntadmin (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> "c:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> z:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Acrobat 6.0 Standard --> MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"z:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"z:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Ahead Nero Burning ROM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Archos MPG4 Translator V3.0.12 --> C:\Program Files\Archos MP4SP\Uninstal.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bejeweled 2 Deluxe 1.0 --> C:\Program Files\Sony Pictures Games\Bejeweled 2 Deluxe\PopUninstall.exe "C:\Program Files\Sony Pictures Games\Bejeweled 2 Deluxe\Install.log"
BroadGun pdfMachine --> C:\Windows\System32\spool\DRIVERS\W32X86\bgssetup.exe -uninstall -printer="BroadGun pdfMachine" -port="PDFPORT1:"
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07 --> "z:\Program Files\Cucusoft\avi-dvd-pro\unins000.exe"
Dell AIO Printer A920 --> C:\Windows\system32\spool\drivers\w32x86\3\DLBKUN5C.EXE -dDell AIO Printer A920
DivX Codec --> z:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> z:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> z:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> z:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> z:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eMule --> "z:\Program Files\eMule\Uninstall.exe"
EQ Pixie --> z:\Program Files\EQ Pixie\EQPixie.exe -u
EverQuest Evolution --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48BE198F-7997-4624-858E-C579A8C96A01}\setup.exe" -l0x9
Firmware Downloader --> MsiExec.exe /I{9BE1DD8C-28F3-4DB5-8FA6-6E8B6DB4433E}
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hauppauge WinTV Infrared Remote --> Z:\PROGRA~1\WinTV\UNir32.EXE Z:\PROGRA~1\WinTV\ir32.LOG
Hauppauge WinTV Radio --> Z:\PROGRA~1\WinTV\UNrad32.EXE Z:\PROGRA~1\WinTV\RADIO32.LOG
Hauppauge WinTV Scheduler --> Z:\PROGRA~1\WinTV\SCHEDU~1\UniSched.EXE Z:\PROGRA~1\WinTV\SCHEDU~1\INSTALL.LOG
Hauppauge WinTV2000 --> Z:\PROGRA~1\WinTV\UNTV32.EXE Z:\PROGRA~1\WinTV\WINTV2K.LOG
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Intel A/V Codecs V2.0 --> C:\Windows\IsUninst.exe -fC:\Windows\system32\CDUninst.isu
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
ISO Recorder --> MsiExec.exe /I{0F6A7971-0F11-4A79-A0E9-133D0963A570}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java Application Platform SDK --> "z:\Sun\SDK\uninstall.exe" -javahome "z:\Sun\SDK\jdk"
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Junk E-mail Reporting Tool --> MsiExec.exe /I{B72B06E0-0C54-495F-896F-E3ED2905624D}
Legends of Norrath --> "C:\Program Files\InstallShield Installation Information\{D7A89413-FB45-4ECE-A893-32DC87F45554}\setup.exe" -runfromtemp -l0x0009 -removeonly
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Accounting 2007 --> "Z:\Program Files\Microsoft\Small Business\Small Business Accounting 2007\SetupBootstrap\Setup.exe" /remove {B0717D5A-1976-482B-9ADF-F19631A541A4}
Microsoft Office Accounting 2007 --> MsiExec.exe /X{B0717D5A-1976-482B-9ADF-F19631A541A4}
Microsoft Office Accounting ADP Payroll Addin --> MsiExec.exe /I{5FA793A6-0071-42C1-9355-8F69A428C44F}
Microsoft Office Accounting Equifax Addin --> MsiExec.exe /X{8C711818-076E-475C-B95B-DF11CD9D8DBE}
Microsoft Office Accounting Fixed Asset Manager --> MsiExec.exe /X{46614A49-222A-48EF-87A9-BFD603E608E1}
Microsoft Office Accounting PayPal Addin --> MsiExec.exe /X{353D20CC-719B-4A60-AD33-D03F88C10330}
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook Connector --> MsiExec.exe /I{95120000-011B-0409-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components --> MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Microtek ScanWizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17A7779A-D23F-11D3-8753-0050BABE1202}\setup.exe"
MPEG Converter --> Z:\PROGRA~1\MPEGCO~1\UNWISE.EXE Z:\PROGRA~1\MPEGCO~1\INSTALL.LOG
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
nanoDVR for WinTV 1.2 --> "z:\Program Files\nanocosmos\MPEG-Tools for Hauppauge\unins000.exe"
NVIDIA Drivers --> C:\Windows\system32\nvudisp.exe UninstallGUI
Office Live Image Uploader --> MsiExec.exe /I{E78DAA24-38F8-4D35-B732-B18ABA0424DF}
palmOne --> MsiExec.exe /X{FF24F097-D090-41D2-8E9C-BAFEBBFD938C}
PowerQuest PartitionMagic 7.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E5007FA-DA5E-4EDD-BDE5-14D128D66887}\Setup.exe"
Preclick Gold Photo Organizer --> C:\Program Files\Preclick\Organizer\setup.exe /uninstall
QBFC3.0 --> MsiExec.exe /X{5A847475-157F-45AD-9919-CD40D344B8B1}
Qimage --> Z:\PROGRA~1\Qimage\UNWISE.EXE Z:\PROGRA~1\Qimage\INSTALL.LOG
Qimage 30 Day Trial --> C:\PROGRA~1\Qimage\UNWISE.EXE C:\PROGRA~1\Qimage\INSTALL.LOG
QuickTime --> C:\Windows\unvise32qt.exe C:\Windows\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remote Administrator v2.1 --> C:\Program Files\Radmin\uninstal.exe
Replay Converter 2.31 --> C:\Windows\iun6002.exe "z:\Program Files\Replay Converter\irunin.ini"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
Sony DVD Architect 4.0 --> MsiExec.exe /X{219CB444-F2B6-4A17-8A76-BB7847F3DB26}
Sound Blaster Live! Web 2K/XP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\Setup.exe" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\Windows\unins000.exe"
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TMPGEnc MPEG Editor --> MsiExec.exe /I{5C9440EC-5BAD-435F-8DE4-2B7A11C7B43E}
TMPGEnc Plus 2.5 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2A1E27FF-BE53-45B4-950F-060236E98E3D}
TOPO! --> C:\Windows\IsUninst.exe -f"c:\program files\delorme\topo4\EXTRA\Uninst.isu"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Ulead PhotoImpact 3.01 Special Edition --> C:\Windows\ULEAD.DAT\uninst.exe /f:PI31L.INF
VideoReDo/Plus Version 2.5.3.500 --> "C:\Program Files\VideoReDoPlus\unins000.exe"
Virtual Earth 3D (Beta) --> MsiExec.exe /X{619B8475-0F48-41B7-A370-5147F7092989}
WinAce Archiver 2.0 --> C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI
Windows XP Service Pack 3 --> "C:\Windows\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinISO 5.3 --> "z:\Program Files\WinISO\unins000.exe"
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\PROGRA~1\WINZIP\winzip32.exe" /uninstall
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type798 / Warning
Event Submitted/Written: 06/16/2008 10:36:08 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The scan was cancelled at time 2008-06-17 3:36:08.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)

Event Record #/Type797 / Warning
Event Submitted/Written: 06/16/2008 10:35:31 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wronguninstallinformation1.zip\SBRECOVERY.REG. Scan engine version used is 5200 DAT version 5317.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)

Event Record #/Type796 / Warning
Event Submitted/Written: 06/16/2008 10:35:31 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wronguninstallinformation.zip\SBRECOVERY.REG. Scan engine version used is 5200 DAT version 5317.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)

Event Record #/Type795 / Warning
Event Submitted/Written: 06/16/2008 10:35:31 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath9.zip\SBRECOVERY.REG. Scan engine version used is 5200 DAT version 5317.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)

Event Record #/Type794 / Warning
Event Submitted/Written: 06/16/2008 10:35:31 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The Scan was unable to scan password protected file c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Wrongapppath8.zip\SBRECOVERY.REG. Scan engine version used is 5200 DAT version 5317.(from WACKO IP 192.168.64.128 user ntadmin running VirusScan Enter 8.0 On-Demand Scan)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type325 / Error
Event Submitted/Written: 06/17/2008 08:45:45 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type324 / Error
Event Submitted/Written: 06/17/2008 08:45:05 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type323 / Error
Event Submitted/Written: 06/17/2008 08:38:09 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type322 / Error
Event Submitted/Written: 06/17/2008 08:38:04 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type321 / Error
Event Submitted/Written: 06/17/2008 08:17:56 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2008-06-17 08:56:28 ------------
 
Salvaged -> zipped -> encrypted DLL

I managed somehow to salvage a copy of the DLL and compress it into a WinZip 256-bit encrypted file (I think because it no longer had the .dll ext so it was ignored and not loaded). PM me for the PW and I can upload it somewhere safe... I don't want this running on someone's insecure machine considering how difficult it was to remove... I'm still in safe mode until I can be sure it's gone...

what's the next step?
 
This is what I get...

When I try and do anything that might potentially download a program that might have the ability to kill the virus...

going to try and install SP3 in safe mode... system "indicates" that SP3 is already installed... I know for a fact that there is no way possible for it to have done so because I was curious why THIS machine wasn't prompting me for update installations...

Wish me luck, the infected one will be offline for the next 0.5-4 hrs...
 
Found the infection point...

:oops:6/13/2008 2:23:11 PM Would be blocked by behaviour blocking rule (rule is currently in warn mode) WACKO\pauld99 cscript.exe C:\Documents and Settings\pauld99\Local Settings\Temporary Internet Files\Content.IE5\index.dat Prevent execution of scripts from the Temp folder Action blocked :Read

That was my wife trying to get an e-card for me for Father's Day :-(
I have now increased the security for real-time protection... SP3 succeeded, now running SBSD scan and McAfee scan...
 
Hi

If you post here for help then you should follow the instructions. If you want to clean this by yourself then go for it. If you want me to help you then you have to follow my instructions patiently without doing any solo ;)

Please post new DSS report (main.txt is enough).
 
virus deleted ntauthority ...

users s-1-5-19 or something, so nothing worked for the better part of 2 days... I finally got it back up late last night, and BitDefender is currently running... it's about 70%-ish so far and has identified over 400 infected files of some 300k+ files (and growing).... as soon as BD is done scanning and I can put the system back online, I will re-run DSS with HJT installed and post the log... it's saying around 60 hrs or so and it's been running for 15 or so as of this point...

btw, McAfee is a POJ... my faith in commercial AV software has been shattered... I used to use Dr Solomon's till it got bought and buried, then Symantec till I got a virus, that McAfee found and killed, then McAfee, till now... I ran this variant through BOTH Symantec and McAfee (once it was isolated) and neither identified it... I ran it (and some variants) through Jotti, and almost all of the ones listed identified at LEAST one of the files... with BitDefender and AVG as the top dogs for hit%...

So I should be able to post the log on or about Sunday night or Monday morning...
 
Thanks Blade...

Ok. Thanks for the heads up. I'll wait for your input :)

when you get a chance, if you could take a crack at the other two, I would appreciate it... The laptop is used by my wife to connect to her work using their VPN client so it's important that it is not infected... (I think the laptop might be OK, because ad-hoc networking is disabled, and the WAP that it's connected to has some insanely long key)


I'm not even playing any computer games till this is figured out... (I'm really bored without EQ and LoN right now... I have to watch TV... uggghhh)

for those of you following this thread... never, NEVER, EVER disable your antivirus or firewall software because a website told you to do so... trust the pros (your cable company doesn't have a clue, they are not pros, their responsibility ends at your modem) :police:
 
main.txt (post bd10, 554 infections, 174 rootkits)

Deckard's System Scanner v20071014.68
Run by pauld99 on 2008-06-21 20:28:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 384 MiB (512 MiB recommended).


-- HijackThis (run as pauld99.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:38 PM, on 6/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\devldr32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdlite.exe
C:\Windows\system32\LEXBCES.EXE
C:\Windows\system32\LEXPPS.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Windows\system32\spoolsv.exe
Z:\DOWNLOADS\Copy of dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\pauld99.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Z:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart /waitmore
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\Windows\system32\mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: SDK Tray Menu.lnk.disabled
O4 - Startup: Trillian.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk = Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: AutoStart IR.lnk.disabled
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099059536327
O17 - HKLM\System\CCS\Services\Tcpip\..\{47ECF58E-EE56-4535-A375-5BCBADE6F9B1}: NameServer = 192.168.64.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 7772 bytes

-- Files created between 2008-05-21 and 2008-06-21 -----------------------------

2008-06-21 20:14:46 98 --a----c- C:\Windows\detected.cmd
2008-06-21 19:37:52 94 --a----c- C:\Windows\bdlog.cmd
2008-06-20 08:26:02 0 d------c- C:\Windows\LastGood
2008-06-19 15:28:09 0 d------c- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\Templates
2008-06-19 15:28:08 0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2008-06-19 15:28:08 0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2008-06-19 15:28:08 0 dr-h---c- C:\Documents and Settings\Administrator\Recent
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2008-06-19 15:28:08 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2008-06-19 15:28:08 0 dr-----c- C:\Documents and Settings\Administrator\My Documents
2008-06-19 15:28:08 0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2008-06-19 15:28:08 0 dr-----c- C:\Documents and Settings\Administrator\Favorites
2008-06-19 15:28:08 0 d------c- C:\Documents and Settings\Administrator\Desktop
2008-06-19 15:28:08 0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2008-06-19 15:28:08 0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2008-06-19 15:28:08 0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-19 15:09:28 39424 --a----c- C:\Windows\zipinst.exe <Not Verified; NirSoft; ZipInstaller>
2008-06-19 14:14:03 0 d--h---c- C:\Windows\$hf_mig$
2008-06-19 13:45:00 0 d------c- C:\Windows\Prefetch
2008-06-19 13:39:02 0 d------c- C:\Windows\l2schemas
2008-06-19 11:23:41 0 d------c- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-06-19 09:14:46 0 d------c- C:\Program Files\msn gaming zone
2008-06-18 22:58:28 0 d------c- C:\Windows\tmp
2008-06-18 15:47:36 0 d--hs--c- C:\Documents and Settings\ntadmin\Cookies
2008-06-18 15:47:15 0 dr-----c- C:\Documents and Settings\ntadmin\Favorites
2008-06-18 15:47:14 0 d------c- C:\Documents and Settings\ntadmin\Start Menu
2008-06-18 15:47:14 0 dr-h---c- C:\Documents and Settings\ntadmin\Recent
2008-06-18 15:47:14 0 d------c- C:\Documents and Settings\ntadmin\Desktop
2008-06-18 15:46:05 0 d--h---c- C:\Documents and Settings\ntadmin\Local Settings
2008-06-18 15:46:05 0 d------c- C:\Documents and Settings\ntadmin\Application Data
2008-06-18 15:46:05 0 d------c- C:\Documents and Settings\ntadmin\Application Data\Microsoft
2008-06-18 15:13:20 0 d------c- C:\Documents and Settings\aaerison\Application Data\Bitdefender
2008-06-18 13:41:33 0 d------c- C:\Documents and Settings\pauld99\Application Data\Bitdefender
2008-06-18 12:27:36 81984 --a----c- C:\Windows\system32\bdod.bin
2008-06-18 12:22:07 0 d------c- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-18 10:23:01 0 d------c- C:\Program Files\Trend Micro
2008-06-18 07:58:28 0 d------c- C:\Program Files\RegScanner
2008-06-17 21:42:31 0 d--h---c- C:\Program Files\WindowsUpdate
2008-06-17 13:36:19 118 --a----c- C:\Windows\taplog.cmd
2008-06-16 11:02:18 2359296 --ah----- C:\Documents and Settings\ntadmin\NTUSER.DAT
2008-06-15 12:35:55 0 d------c- C:\Documents and Settings\aaerison\Application Data\Macromedia
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\SendTo
2008-06-15 12:21:10 0 dr-h---c- C:\Documents and Settings\aaerison\Recent
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\PrintHood
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\NetHood
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\My Documents
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\Local Settings
2008-06-15 12:21:10 0 dr-----c- C:\Documents and Settings\aaerison\Favorites
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Desktop
2008-06-15 12:21:10 0 d--hs--c- C:\Documents and Settings\aaerison\Cookies
2008-06-15 12:21:10 0 d--h---c- C:\Documents and Settings\aaerison\Application Data
2008-06-15 12:21:10 0 d---s--c- C:\Documents and Settings\aaerison\Application Data\Microsoft
2008-06-15 12:21:10 0 d------c- C:\Documents and Settings\aaerison\Application Data\Identities
2008-06-15 12:21:09 0 d--h---c- C:\Documents and Settings\aaerison\Templates
2008-06-15 12:21:09 0 d------c- C:\Documents and Settings\aaerison\Start Menu
2008-06-15 12:21:09 2359296 --ah----- C:\Documents and Settings\aaerison\NTUSER.DAT
2008-06-13 08:08:37 0 d------c- C:\Windows\system32\scripting
2008-06-13 08:08:26 0 d------c- C:\Windows\system32\en
2008-06-13 07:46:02 99 --a----c- C:\Windows\rdc.cmd
2008-05-30 09:25:29 0 d------c- C:\Documents and Settings\LocalService\Desktop
2008-05-29 12:51:18 126 --a----c- C:\Windows\regtask.cmd


-- Find3M Report ---------------------------------------------------------------

2008-06-21 20:11:57 0 d------c- C:\Documents and Settings\pauld99\Application Data\AdobeUM
2008-06-21 19:53:09 0 d------c- C:\Program Files\Dell AIO Printer A920
2008-06-20 10:38:29 0 d------c- C:\Program Files\Common Files
2008-06-20 09:58:03 95 --a----c- C:\Windows\system32\productregistry
2008-06-19 15:29:28 0 d------c- C:\Program Files\Google
2008-06-18 14:45:26 0 d------c- C:\Documents and Settings\pauld99\Application Data\Identities
2008-06-17 22:02:27 0 d------c- C:\Program Files\Microsoft Silverlight
2008-06-13 09:41:11 0 d------c- C:\Documents and Settings\pauld99\Application Data\DNA
2008-06-13 08:09:43 0 d------c- C:\Program Files\Messenger
2008-06-13 08:08:23 0 d------c- C:\Program Files\Movie Maker
2008-06-13 08:01:48 0 d------c- C:\Program Files\Windows NT
2008-05-23 06:52:01 0 d------c- C:\Documents and Settings\pauld99\Application Data\BitTorrent
2008-04-23 08:01:36 0 d------c- C:\Program Files\DNA


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [08/18/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [10/07/2003 09:48 AM]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM C:\WINDOWS\system32\nwiz.exe]
"Jet Detection"="c:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [11/29/2001 02:00 AM]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [06/02/2003 01:25 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 01:01 PM]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [01/28/2008 11:43 AM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [08/11/2006 10:43 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [08/11/2006 10:43 PM]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [04/02/2007 04:48 PM]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [03/26/2007 03:49 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/03/2007 11:32 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"SchedulingAgent"=C:\Windows\system32\mstask.exe

C:\Documents and Settings\pauld99\Start Menu\Programs\Startup\
SDK Tray Menu.lnk.disabled [3/1/2007 6:50:43 PM]
Trillian.lnk.disabled [11/5/2006 5:25:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - Z:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 3:19:50 AM]
Acrobat Assistant.lnk.disabled [2/2/2007 12:53:10 PM]
Adobe Gamma Loader.exe.lnk.disabled [10/10/2006 1:12:01 AM]
AutoStart IR.lnk.disabled [11/29/2006 4:15:20 PM]
HOTSYNCSHORTCUTNAME.lnk.disabled [8/21/2007 9:21:26 PM]
Microsoft Office.lnk.disabled [2/22/2007 4:35:19 PM]
WinZip Quick Pick.lnk.disabled [1/19/2007 1:30:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"=0 (0x0)
"NoWebServices"=0 (0x0)
"NoOnlinePrintsWizard"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\Windows\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Nero DriveSpeed"=C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
"NeroCheck"=C:\Windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-21 20:33:07 ------------
Legit?

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

Digging through the registry brings me to a CLSID with no other info in it; digging for that CLSID pops up dozens of hits for BitDefender... Safe to assume this is legit? Jotti reports no infection... except for ArcaVir :lip: which reports {ArcaVir Found Riskware.SockSpy.A} (I'm guessing... false positive matched by name? :cool:)
File: sockspy.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 6382040502f8e7271e65a523b70f2b0a
Packers detected: -