
Persistent malware issue (attempts to add BHO to IE)

  • 15-12-2007 10:47am
    #1
    Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭


    Hi all. I'm having a persistent issue with some nasty looking malware on my work laptop - from doing some reading around, I'm guessing it's Vundo? I'm hoping some smart boardsie who knows about such things can help me out!

    Currently I have Windows XP Professional, Windows Firewall, Trend Micro OfficeScan, Spywareguard and Spywareblaster running on my machine. Also, I'm running an old version of Java (1.4.2) - I have since updated Java to the latest version.

    So far the antivirus has quarantined (on 3 different occasions) malware (TROJ_DLOADER.QQN, TROJ_VUNDO.AAE, TROJ_SMALL.CZD) which was running .exes out of the Windows, Temporary Internet Files and system32 folders, and .dlls residing in the user Temp folder.

    Upon further investigation, I also noticed various suspicious .dlls residing in the system32 folder and attempted to use VundoFix.exe to remove them, which it did. However, new ones kept reappearing upon a system restart. Hmmm :(

    Recently, in the past few hours, there have been no further detections by Trend Antivirus. However, since I've installed Spywareguard, that app is reporting repeated attempts to install a rogue Browser Helper Object into IE.

    "An attempt to change Internet Explorer settings has been detected......Warning! A BHO has been added!" with the offending file being c:/windows/system32/ddccb.dll

    Current things I've noticed:
    • There's an .exe in the Windows temp folder that I cannot delete: c:/windows/temp/HP1.EXE
    • Here is a list of suspicious files recently modified in my system32 folder: bccdd.ini, bccdd.ini2, NvesApps.xml, nvModes.001, FNTCACHE.DAT, ddccb.dll, tuvwxyy.dll, dwvktexes.dll, nvfmadud.ini, dudafvn.dll, obhotiic.exe
    • Using Process Explorer, I searched for the handle / dll string 'ddccb' and the following processes were returned: IEXPLORER, lsass.exe, firefox.exe, explorer.exe, Hjackthis.exe. A similar search for the string 'tuvwxyy.dll' returns the processes: IEXPLORER.exe, winlogin.exe, explorer.exe. And dudamfvn.dll is attached to a whole rake of legit processes.

    I can't see anything significant in the HijackThis log, other than the dodgy executable running out of windows/temp.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:32:11, on 15/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ngvpnmgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Connected\AgentSrv.EXE
    C:\WINDOWS\system32\bmwebcfg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    C:\WINDOWS\system32\gtdetectsc.exe
    C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\TEMP\HP1.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    C:\Program Files\Gemplus\GAC\GACService.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
    C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
    C:\Program Files\Connected\CBSysTray.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\WinTidy\WinTidy.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by corp1 GRID
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
    O4 - HKCU\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
    O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
    O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
    O15 - Trusted Zone: *.capeweb
    O15 - Trusted Zone: *.corp1
    O15 - Trusted Zone: *.corp1.com
    O15 - Trusted Zone: *.northamerica.corp1.net
    O15 - Trusted Zone: *.firsthandfoundation
    O15 - Trusted Zone: *.intellinet
    O15 - Trusted Zone: *.krpro01
    O15 - Trusted Zone: *.meetingplace
    O15 - Trusted Zone: *.msprjcrtweb
    O15 - Trusted Zone: *.msprjprdweb
    O15 - Trusted Zone: *.mymeded
    O15 - Trusted Zone: corp1.skillport.com
    O15 - Trusted Zone: *.vccorp1.com
    O15 - Trusted Zone: *.webwhqprd
    O15 - Trusted Zone: *.wsswebcrtwhq01
    O15 - Trusted Zone: *.wsswebcrtwhq02
    O15 - Trusted Zone: *.wsswebwhq01
    O15 - Trusted Zone: *.wsswebwhq02
    O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
    O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
    O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
    O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
    O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 12299 bytes




    Any help or guidance would be greatly appreciated.

    Cheers.

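As an added example (not part of this thread, and not HijackThis or Trend Micro code), the following Python scores HijackThis log lines for the Vundo-style indicators the post describes: an executable running from the Windows temp folder, a Run key with a random hex name that loads a random-looking DLL from system32 through rundll32, and an unnamed BHO backed by such a DLL. The sample log is constructed from lines in the post's own log plus one O2 line showing how the BHO that SpywareGuard blocked would have appeared; its CLSID is a placeholder, and the vowel-ratio / alphabet-run test is a heuristic of my own, not a documented Vundo signature.

```python
"""Heuristic triage of a HijackThis log for the Vundo-style indicators seen in this
thread.  Weak signals are scored and only combinations are reported."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the thread's HijackThis log, plus an O2
# line showing how the BHO that SpywareGuard blocked would appear had the
# registration stuck (its CLSID is a placeholder, not a real value).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\HP1.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\ddccb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O10 - Unknown file in Winsock LSP: bmnet.dll
"""

REPORT_THRESHOLD = 2
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
RE_PATH = re.compile(r"^[A-Za-z]:\\")
RE_O4 = re.compile(r"^O4 - .*\\Run(?:Once)?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
RE_RUNDLL = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<args>.*)$', re.I)
RE_DLL_ARG = re.compile(r'^"?(?P<dll>[^",]+?\.(?:dll|cpl))"?,+(?P<entry>\S*)', re.I)
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]*\} - (?P<path>.*)$")


@dataclass
class Finding:
    score: int
    line: str
    reasons: list


def consecutive_run(s: str) -> int:
    """Longest run of alphabetically consecutive letters ("tuvwxyy" -> 6)."""
    best = run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if ord(cur) == ord(prev) + 1 else 1
        best = max(best, run)
    return best


def looks_random(filename: str) -> bool:
    """Weak signal: a letters-only stem that is nearly vowel-free or is an
    alphabet run, like the ddccb / tuvwxyy / dudamfvn names in the thread."""
    stem = filename.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    if len(stem) < 5 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    return vowel_ratio <= 0.25 or consecutive_run(stem) >= 4


def in_temp_dir(path: str) -> bool:
    return any(m in path.lower() for m in TEMP_MARKERS)


def score_line(line: str) -> Finding:
    score, reasons = 0, []
    if RE_PATH.match(line) and in_temp_dir(line):
        score += 2
        reasons.append("executable running from a temp directory")
    o4 = RE_O4.match(line)
    if o4:
        key, cmd = o4.group("key"), o4.group("cmd")
        if re.fullmatch(r"[0-9a-f]{6,}", key):
            score += 2
            reasons.append("Run key named like a random hex string")
        if in_temp_dir(cmd):
            score += 2
            reasons.append("Run entry launches from a temp directory")
        rd = RE_RUNDLL.match(cmd)
        arg = RE_DLL_ARG.match(rd.group("args")) if rd else None
        if arg:
            if looks_random(arg.group("dll")):
                score += 1
                reasons.append("rundll32 loads a random-looking DLL")
            if len(arg.group("entry")) == 1:
                score += 1
                reasons.append("single-letter export name")
    o2 = RE_O2.match(line)
    if o2:
        if o2.group("name") == "(no name)":
            score += 1
            reasons.append("BHO registered without a name")
        if looks_random(o2.group("path")):
            score += 1
            reasons.append("BHO backed by a random-looking DLL")
    return Finding(score, line, reasons)


def triage(log_text: str) -> list:
    """Findings at or above REPORT_THRESHOLD, most suspicious first."""
    scored = [score_line(ln.strip()) for ln in log_text.splitlines() if ln.strip()]
    return sorted((f for f in scored if f.score >= REPORT_THRESHOLD), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}\n      {'; '.join(f.reasons)}")
```

The legitimate NvCpl.dll entry scores only one point (a vowel-free name) and is not reported, which is why the signals are combined rather than used alone.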

Comments

  • Registered Users, Registered Users 2 Posts: 616 ✭✭✭ BrendanD


    Hi, you need to disable System Restore because that's why it's reinstalling when you reboot. This virus/malware is new but Trend Micro have updated their virus defs to get rid of this. Run a scan, then disable System Restore, reboot, then re-enable System Restore. http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VUNDO.AAE&VSect=Sn


  • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭ Vokes


    Yeh, I had the latest definition files from yesterday and the antivirus had managed to quarantine some yesterday with the Real Time scanner.

    However, it's not picking up these new ones even after performing an Active Scan. Could it be something different now? I'm not sure.

    I also tried the disable System Restore thing previously but it hasn't worked so far, since I've found that not every file is getting caught.

    I'm guessing there's something malicious in my registry settings somewhere...


  • Closed Accounts Posts: 1,970 ✭✭✭ ActorSeeksJob


    > Hi you need to disable sys restore because that's why it's reinstalling when you reboot
    This is not the case at all. It doesn't matter whether he has System Restore enabled or disabled.
    > this virus/malware is new but Trend Micro have updated their virus defs to get rid of this
    Trend Micro scan won't remove this infection. No anti-virus or anti-spyware program will, unfortunately.


    Do the following if you want to remove it:

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files; click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
    • When it has finished, dss will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


  • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭ Vokes


    I'll do this right away. Cheers.


  • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭ Vokes


    VundoFix didn't find any infected files.

    Here's the txt file and a new HijackThis log.


    VundoFix V6.7.0

    Checking Java version...

    Java version is 1.4.2.2
    Old versions of java are exploitable and should be removed.

    Java version is 1.4.2.4
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 11:21:53 15/12/2007

    Listing files found while scanning....

    No infected files were found.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:46:22, on 15/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ngvpnmgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Connected\AgentSrv.EXE
    C:\WINDOWS\system32\bmwebcfg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    C:\WINDOWS\system32\gtdetectsc.exe
    C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\TEMP\HP1.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
    C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
    C:\Program Files\Connected\CBSysTray.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by corp1 GRID
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
    O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
    O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
    O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
    O15 - Trusted Zone: *.capeweb
    O15 - Trusted Zone: *.corp1
    O15 - Trusted Zone: *.corp1.com
    O15 - Trusted Zone: *.northamerica.corp1.net
    O15 - Trusted Zone: *.firsthandfoundation
    O15 - Trusted Zone: *.intellinet
    O15 - Trusted Zone: *.krpro01
    O15 - Trusted Zone: *.meetingplace
    O15 - Trusted Zone: *.msprjcrtweb
    O15 - Trusted Zone: *.msprjprdweb
    O15 - Trusted Zone: *.mymeded
    O15 - Trusted Zone: corp1.skillport.com
    O15 - Trusted Zone: *.vccorp1.com
    O15 - Trusted Zone: *.webwhqprd
    O15 - Trusted Zone: *.wsswebcrtwhq01
    O15 - Trusted Zone: *.wsswebcrtwhq02
    O15 - Trusted Zone: *.wsswebwhq01
    O15 - Trusted Zone: *.wsswebwhq02
    O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
    O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
    O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
    O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
    O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 12057 bytes



    Running DSS now.
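
The logs in this thread are HijackThis output, which is line-oriented and easy to triage mechanically. The script below is an added example, not part of HijackThis, DSS or VundoFix and not something the poster ran: it parses HijackThis lines and flags the combination that characterises a Vundo-style infection, a randomly named DLL under system32 that is registered as a BHO (O2), loaded through rundll32 from a Run key (O4) and hooked into Winlogon Notify (O20). The regex heuristics and the sample log lines are assumptions constructed for the example (modelled on the entry types these logs contain), so tune them before trusting them on a real machine.

```python
"""Heuristic triage of HijackThis log lines for Vundo-style persistence.

Added example for this thread; not part of HijackThis, DSS or VundoFix.
The heuristics are assumptions tuned to the pattern these logs show: a
randomly named DLL under system32 registered as a BHO (O2), loaded by
rundll32 from a Run key (O4) and hooked into Winlogon Notify (O20).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 5-9 lowercase letters and nothing else is how Vundo-era droppers named
# their DLLs (tuvwxyy, ddccb, dudamfvn); real system DLLs rarely look so.
RANDOM_DLL = re.compile(r"^[a-z]{5,9}\.dll$")
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)
HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
RUN_ENTRY = re.compile(r"\[(?P<key>[^\]]+)\]\s*(?P<cmd>.*)")
RUNDLL_ARGS = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.IGNORECASE)

# Constructed sample, modelled on the entry types in this thread's logs.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O20 - Winlogon Notify: tuvwxyy - C:\WINDOWS\SYSTEM32\tuvwxyy.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def basename(path: str) -> str:
    """File name of a HijackThis path, ignoring its '(file missing)' suffix."""
    return path.replace(" (file missing)", "").rsplit("\\", 1)[-1].strip()


def looks_random(path: str) -> bool:
    """True for a lowercase, letters-only 5-9 char DLL name under system32."""
    return bool(SYSTEM32.search(path)) and bool(RANDOM_DLL.match(basename(path)))


def scan(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    bho_dlls: dict[str, str] = {}     # lowercase basename -> O2 line
    notify_dlls: dict[str, str] = {}  # lowercase basename -> O20 line

    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()

        if section == "O2":
            # "BHO: <name> - {CLSID} - <path>"; the CLSID is second from last.
            parts = rest[len("BHO: "):].split(" - ")
            name, path = " - ".join(parts[:-2]), parts[-1]
            if name == "(no name)":
                findings.append(Finding(section, "BHO with no name", line))
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding(section, "BHO registered but file absent", line))
            if looks_random(path):
                findings.append(Finding(section, "random-looking DLL in system32", line))
            if path != "(no file)":
                bho_dlls[basename(path).lower()] = line

        elif section == "O4":
            e = RUN_ENTRY.search(rest)
            r = RUNDLL_ARGS.search(e.group("cmd")) if e else None
            if r and (looks_random(r.group("dll")) or len(r.group("export")) == 1):
                findings.append(Finding(
                    section, "rundll32 loader with random DLL or one-letter export", line))

        elif section == "O20" and rest.startswith("Winlogon Notify:"):
            path = rest.split(" - ")[-1]
            if looks_random(path):
                findings.append(Finding(
                    section, "Winlogon Notify handler with random-looking DLL", line))
            notify_dlls[basename(path).lower()] = line

    # Strongest single indicator: one DLL that is both a BHO and a Winlogon
    # Notify package, so it loads at logon and again inside every IE process.
    for name in bho_dlls.keys() & notify_dlls.keys():
        findings.append(Finding(
            "O2+O20", f"{name} is both a BHO and a Winlogon Notify handler", notify_dlls[name]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run it against a saved HijackThis log by replacing `SAMPLE_LOG` with the file contents. The cross-reference between O2 and O20 is the check worth keeping even if the name heuristic is loosened: a legitimate BHO has no business registering itself as a Winlogon Notify package.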


    Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭ Vokes


    Looks like DSS found some stuff. Here is main.txt followed by extra.txt...

    Deckard's System Scanner v20071014.68
    Run by SB013944 on 2007-12-15 13:15:53
    Computer is in Normal Mode.




    -- HijackThis (run as SB013944.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:15:59, on 15/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ngvpnmgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Connected\AgentSrv.EXE
    C:\WINDOWS\system32\bmwebcfg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    C:\WINDOWS\system32\gtdetectsc.exe
    C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\TEMP\HP1.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
    C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
    C:\Program Files\Connected\CBSysTray.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\sb013944\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by corp1 GRID
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
    O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {664961A4-2A2F-4875-B588-CBCDE602F227} - C:\WINDOWS\system32\ddccb.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
    O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
    O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
    O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
    O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
    O15 - Trusted Zone: *.capeweb
    O15 - Trusted Zone: *.corp1
    O15 - Trusted Zone: *.corp1.com
    O15 - Trusted Zone: *.northamerica.corp1.net
    O15 - Trusted Zone: *.firsthandfoundation
    O15 - Trusted Zone: *.intellinet
    O15 - Trusted Zone: *.krpro01
    O15 - Trusted Zone: *.meetingplace
    O15 - Trusted Zone: *.msprjcrtweb
    O15 - Trusted Zone: *.msprjprdweb
    O15 - Trusted Zone: *.mymeded
    O15 - Trusted Zone: corp1.skillport.com
    O15 - Trusted Zone: *.vccorp1.com
    O15 - Trusted Zone: *.webwhqprd
    O15 - Trusted Zone: *.wsswebcrtwhq01
    O15 - Trusted Zone: *.wsswebcrtwhq02
    O15 - Trusted Zone: *.wsswebwhq01
    O15 - Trusted Zone: *.wsswebwhq02
    O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
    O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
    O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
    O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O20 - Winlogon Notify: tuvwxyy - C:\WINDOWS\SYSTEM32\tuvwxyy.dll
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
    O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 13502 bytes

    -- Files created between 2007-11-15 and 2007-12-15

    2007-12-15 09:21:53 80448 --a C:\WINDOWS\system32\dwvktexs.dll
    2007-12-15 09:19:28 85568 --a C:\WINDOWS\system32\dudamfvn.dll
    2007-12-15 09:14:52 74304 --a C:\WINDOWS\system32\obhotiic.exe <Not Verified; ; DDC>
    2007-12-15 03:07:15 0 dr-h C:\Documents and Settings\sb013944\Recent
    2007-12-14 23:51:35 0 d--h C:\WINDOWS\PIF
    2007-12-14 15:21:36 0 d C:\Program Files\SpywareGuard
    2007-12-14 11:20:49 0 d C:\Program Files\SpywareBlaster
    2007-12-14 08:05:15 385509 --ahs---- C:\WINDOWS\system32\bccdd.ini2
    2007-12-14 08:05:12 324608 --a C:\WINDOWS\system32\ddccb.dll
    2007-12-14 07:01:34 0 d C:\!KillBox
    2007-12-14 06:07:43 0 d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-14 05:03:04 0 d C:\Program Files\CCleaner
    2007-12-13 23:57:52 0 d C:\VundoFix Backups
    2007-12-13 23:16:58 0 d C:\Documents and Settings\All Users\Application Data\Avg7
    2007-12-13 22:34:35 0 d C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
    2007-12-13 17:15:56 0 d C:\WINDOWS\system32\zfd1
    2007-12-13 17:15:56 0 d C:\WINDOWS\system32\yb2
    2007-12-13 17:15:56 0 d C:\WINDOWS\system32\qui4
    2007-12-13 17:14:48 40448 --a C:\WINDOWS\system32\tuvwxyy.dll
    2007-12-13 17:14:47 0 d C:\WINDOWS\system32\ineWc01
    2007-12-04 18:38:12 3596288 --a C:\WINDOWS\system32\qt-dx331.dll
    2007-12-04 18:36:22 196608 --a C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2007-12-04 18:36:22 81920 --a C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2007-12-04 18:36:14 802816 --a C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
    2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 682496 --a C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:35:32 12288 --a C:\WINDOWS\system32\DivXWMPExtType.dll


    -- Find3M Report

    2007-12-15 11:19:19 0 d C:\Program Files\WinTidy
    2007-12-15 03:22:15 0 d C:\Program Files\Java
    2007-12-14 23:29:12 0 d C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
    2007-12-14 14:23:27 0 d C:\Program Files\Microsoft ActiveSync
    2007-12-14 05:46:34 0 d C:\Program Files\Connected
    2007-12-14 01:59:44 0 d C:\Program Files\Trend Micro
    2007-12-14 01:57:35 0 d C:\Program Files\Steam
    2007-12-14 01:53:44 0 d C:\Program Files\Azureus
    2007-12-14 01:42:47 0 d C:\Program Files\Common Files
    2007-12-13 21:58:38 0 d C:\Program Files\SopCast
    2007-12-12 09:07:16 141097 --a C:\WINDOWS\system32\nvModes.dat
    2007-12-10 23:08:32 0 d C:\Program Files\DivX
    2007-11-24 10:12:47 0 d C:\Documents and Settings\sb013944\Application Data\Azureus
    2007-11-21 15:15:59 0 d C:\Program Files\FairUse Wizard 2
    2007-11-14 09:44:54 0 d--h C:\Program Files\InstallShield Installation Information
    2007-11-14 09:43:03 0 d C:\Program Files\Wave Systems Corp
    2007-11-14 09:34:02 0 d C:\Program Files\NTRU Cryptosystems
    2007-11-03 17:37:52 0 d C:\Program Files\KONAMI
    2007-10-23 15:21:07 0 d C:\Documents and Settings\sb013944\Application Data\Sports Interactive
    2007-10-23 15:12:23 0 d C:\Program Files\Sports Interactive
    2007-10-21 14:23:58 0 d C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
    2007-10-17 21:58:04 0 d C:\Program Files\Belarc
    2007-10-16 13:36:23 0 d C:\Program Files\NHS
    2007-10-16 13:24:16 0 d C:\Program Files\Gemplus
    2007-10-16 13:23:21 0 d C:\Program Files\Omnikey
    2007-10-05 06:41:48 1485 --a C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{080C0C22-DDE6-4091-BF4A-DDE13BC03C36}]
    02/08/2007 13:43 282624 --a C:\Program Files\Common Files\hoker83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16B23C23-1747-47E0-B901-E28A47D5B2B8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4904F9-B431-4715-AADD-08069C6D0641}]
    02/08/2007 13:43 282624 --a C:\Program Files\Common Files\hoker4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{664961A4-2A2F-4875-B588-CBCDE602F227}]
    14/12/2007 08:05 324608 --a C:\WINDOWS\system32\ddccb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1161889-54E1-400E-8CDE-ECEF9CD65BFA}]
    C:\WINDOWS\system32\jkkll.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9A32877-5A82-4123-BE69-55D551403F88}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}]
    13/12/2007 17:14 40448 --a C:\WINDOWS\system32\tuvwxyy.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
    "Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
    "NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 13:04]
    "SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
    "RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
    "gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
    "GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
    "Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
    "a0cc9fee"="C:\WINDOWS\system32\dudamfvn.dll" [15/12/2007 09:19]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]
    WinTidy.lnk - C:\Program Files\WinTidy\WinTidy.exe [08/10/2001 05:14:20]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
    Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
    EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
    Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)
    "HideStartupScripts"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]
    "{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}"= C:\WINDOWS\system32\tuvwxyy.dll [13/12/2007 17:14 40448]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwxyy]
    tuvwxyy.dll 13/12/2007 17:14 40448 C:\WINDOWS\system32\tuvwxyy.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=wxvault.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\ddccb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=\\insmswhq01\SMSClient\i386\client.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /installquiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- D:\autorun.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
    "C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1



    -- End of Deckard's System Scanner: finished at 2007-12-15 13:16:30





    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.


    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Genuine Intel(R) CPU T2400 @ 1.83GHz
    CPU 1: Genuine Intel(R) CPU T2400 @ 1.83GHz
    Percentage of Memory in Use: 35%
    Physical Memory (total/avail): 2046.11 MiB / 1312.88 MiB
    Pagefile Memory (total/avail): 3428.81 MiB / 2787.37 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1913.04 MiB

    C: is Fixed (NTFS) - 74.53 GiB total, 17.52 GiB free.
    D: is CDROM (UDF1.02)
    Q: is Network (Unformatted)
    Z: is Network (Unformatted)

    \\.\PHYSICALDRIVE0 - Hitachi HTS541080G9SA00 - 74.53 GiB - 1 partition
    \PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



    -- Security Center

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.


    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"="C:\\Program Files\\Microsoft Office Communicator\\communicator.exe:*:Enabled:Communicator"
    "C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
    "C:\\Program Files\\T-Mobile\\Communication Center\\AutoUpdateSrv.exe"="C:\\Program Files\\T-Mobile\\Communication Center\\AutoUpdateSrv.exe:*:Enabled:AutoUpdateSrv Application"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\Program Files\\Reflection\\rftpc.exe"="C:\\Program Files\\Reflection\\rftpc.exe:*:Enabled:Reflection FTP Client"
    "C:\\Program Files\\Hummingbird\\Connectivity\\12.00\\Exceed\\exceed.exe"="C:\\Program Files\\Hummingbird\\Connectivity\\12.00\\Exceed\\exceed.exe:*:Enabled:Hummingbird Exceed 2007"
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"="C:\\Program Files\\Microsoft Office Communicator\\communicator.exe:*:Enabled:Microsoft Office Communicator 2005"
    "C:\\Program Files\\Messenger\\Msmsgs.exe"="C:\\Program Files\\Messenger\\Msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
    "C:\\Temp\\HP_WebRelease\\setup\\HPZnet01.exe"="C:\\Temp\\HP_WebRelease\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
    "C:\\Temp\\HP_WebRelease\\setup\\hponicifs01.exe"="C:\\Temp\\HP_WebRelease\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
    "C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
    "C:\\Program Files\\T-Mobile\\Communication Center\\AutoUpdateSrv.exe"="C:\\Program Files\\T-Mobile\\Communication Center\\AutoUpdateSrv.exe:*:Enabled:AutoUpdateSrv Application"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
    "C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
    "C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
    "C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"="C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"
    "C:\\WINDOWS\\system32\\nfjtjgbv.exe"="C:\\WINDOWS\\system32\\nfj"


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\sb013944\Application Data
    CLASSPATH=C:\TicketAPI\GATicket.jar;C:\Program Files\gemplus\gac\GATicket.jar;C:\Program Files\gemplus\gac\iaikPkcs11Wrapper.jar;C:\Program Files\gemplus\gac\GATicket.jar;C:\Program Files\gemplus\gac\iaikPkcs11Wrapper.jar
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=CERN-SB013944-U
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\sb013944
    LOGONSERVER=\\DCNALON00
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\TicketAPI;C:\Program Files\IDM Computer Solutions\UltraEdit-32;C:\PROGRA~1\Gemplus\GAC;C:\Program Files\Gemplus\GemSafe Libraries User\BIN;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0e08
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\sb013944\LOCALS~1\Temp
    TMP=C:\DOCUME~1\sb013944\LOCALS~1\Temp
    USERDNSDOMAIN=NORTHAMERICA.CORP1.NET
    USERDOMAIN=WHQ_NT_DOMAIN
    USERNAME=SB013944
    USERPROFILE=C:\Documents and Settings\sb013944
    windir=C:\WINDOWS


    -- User Profiles

    stu (new local)
    Administrator (admin)
    sb013944 (admin)


    -- Add/Remove Programs

    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1A99CB37-AEB0-492F-A85A-8A2536D22393}\setup.exe" -l0x9
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
    Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
    ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
    Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
    ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    Aventail Connect --> MsiExec.exe /I{A2A78788-2792-49BF-AF22-5E9296E568F3}
    AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
    Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
    Beyond Compare Version 2.3.1 --> "C:\Program Files\Beyond Compare 2\unins000.exe"
    biolsp patch --> MsiExec.exe /I{E6095BEA-8C97-4342-B771-13BB72AC1D88}
    Broadcom TPM Driver Installer --> MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
    CardMan3x21 --> MsiExec.exe /X{EFB41827-DC61-4553-9326-F7871BF2EC5A}
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    CDE for AIX Users --> C:\WINDOWS\uninst.exe -fC:\AIXUSERS\DeIsL2.isu
    Communication Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3AB2F8DF-F905-44F9-8003-C81FEE95BC2B}\Setup.exe" -l0x9
    Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
    Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
    Connected DataProtector --> C:\Program Files\Connected\CBUninst.exe
    Creative Media Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1A99CB37-AEB0-492F-A85A-8A2536D22393}\setup.exe" -l0x9 /remove
    Creative ZEN Stone User's Guide --> "C:\Program Files\Creative\Creative ZEN Stone\UGRemove.exe" /Product_Name:ZENStoneUG
    Dell Embassy Trust Suite by Wave Systems --> C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe
    Deus Ex: Game of the Year Edition --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/6910
    DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
    DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    Document Manager Lite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2} /l1033
    EAX4 Unified Redist --> MsiExec.exe /X{89661B04-C646-4412-B6D3-5E19F02F1F37}
    EMBASSY Security Center --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEAFE1E5-076B-430A-96D9-B567792AFA88}
    EMBASSY Trust Suite by Wave Systems --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1802FA6-54E9-4B24-BD2A-B50866819795}\setup.exe" -l0x9
    ETS Launch Pad --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{DD41AC25-61B2-4FC9-90AA-672F32139AC3} /l1033
    ETS Upgrade --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{72FECEA1-E87F-4192-89FA-D0FBF92885BB}
    FairUse Wizard 2 --> "C:\Program Files\FairUse Wizard 2\UnInstall_14333.exe"
    Football Manager 2008 --> "C:\Program Files\Sports Interactive\Football Manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe"
    Fraps --> "C:\Fraps\uninstall.exe"
    GemAuthenticate Client v4.0.13 --> C:\Program Files\Gemplus\GAC\gpUnInstall.exe -next C:\PROGRA~1\Gemplus\GAC\UNWISE.EXE C:\PROGRA~1\Gemplus\GAC\INSTALL.LOG
    Gemplus Smart Card Reader Tools --> C:\Program Files\Gemplus\ReaderTools\Installer\setup.exe /u
    GemSafe Libraries 4.2.0 SP2 Patch 4202-829 User for NHS --> MsiExec.exe /X{A54453DD-9408-45B2-B179-9BBD83498249}
    GT HSDPA driver installer --> MsiExec.exe /X{BB3B4056-4539-485E-A996-3B52480AA4B7}
    High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    HP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{5544807E-896D-4585-84FF-60763E5BC022}\setup\hpzscr01.exe" -datfile hposcr06.dat
    Huawei E620 PC Card --> C:\Program Files\Huawei E620 PC Card\Huawei E620 PC Card Uninstall.exe
    Hummingbird Exceed 2007 --> MsiExec.exe /I{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}
    IBAN-Calculator --> "C:\Program Files\IBAN-Calculator\UNINSTAL.EXE" "C:\Program Files\IBAN-Calculator\INSTALL.LOG" "IBAN-Calculator Uninstall"
    InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
    iPassConnect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6FFA58-F491-11D3-8951-000000031484}\setup.exe"
    Java 2 Runtime Environment, SE v1.4.2_02 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142020}
    Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
    Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    MediaMonkey 2.5 --> "C:\Program Files\MediaMonkey\unins000.exe"
    Memo Pad (remove only) --> C:\Program Files\Memo Pad\uninstall.exe
    MetaFrame Presentation Server Client --> MsiExec.exe /I{D989BCC0-757C-4FB6-893C-512DF4382656}
    Microsoft Office Communicator 2005 --> MsiExec.exe /X{BE5AD430-9E0C-4243-AB3F-593835869855}
    Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{7279647E-8661-48DF-998E-E7DCC3E6955D}
    Microsoft Office Live Meeting Add-in Pack --> MsiExec.exe /I{7CEF4888-F872-46D9-B2A1-0D8723525D40}
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office Visio Standard 2003 --> MsiExec.exe /I{90530409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office Visio Viewer 2003 (English) --> MsiExec.exe /I{90520409-6000-11D3-8CFE-0150048383C9}
    Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
    Nokia Connectivity Cable Driver --> MsiExec.exe /X{972B1D9B-0EAD-49E8-B7D6-3B83FD5665B1}
    Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Nokia_PC_Suite_683_rel_14_1_eng.exe /LANG="2057"
    Nokia PC Suite --> MsiExec.exe /I{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}
    Nokia Software Updater --> MsiExec.exe /X{20BCD471-7897-481D-ACF2-CB9BABF6A6CF}
    Novatel 700/800 driver --> C:\WINDOWS\Novatel_700_800_PCCardInstallerUninstall.exe
    NTRU Hybrid TSS v2.0.25 --> MsiExec.exe /I{0BA2A0BA-7F4D-4B7B-AE94-5F0233AC8A5A}
    NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
    Odyssey --> MsiExec.exe /I{80664F8A-117F-4F0C-B8C9-E0E7B112AA7D}
    Option GT HSDPA driver suite --> C:\WINDOWS\OptionPluss_PCCardInstallerUninstall.exe
    Option HSDPA GTMax 7.2 Express Card driver --> C:\WINDOWS\OptionHsdpaGTMax72ExpressInstallerUninstall.exe
    Option PC Cards driver package --> C:\WINDOWS\OptionPCCardInstallerUninstall.exe
    Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0 --> "C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe"
    PC Connectivity Solution --> MsiExec.exe /I{066D65EA-ED53-44E4-A96A-F81B6E409D2E}
    PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
    Preboot Manager --> MsiExec.exe /I{EE2EE62C-E27D-486A-AF6D-FA4A06E67476}
    Private Information Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{0B0A2153-58A6-4244-B458-25EDF5FCD809} /l1033
    Pro Evolution Soccer 2008 --> C:\Program Files\InstallShield Installation Information\{2FDFD600-7338-4738-90D5-FC4ACA08DC36}\setup.exe -runfromtemp -l0x0409
    QuickTime Alternative 1.81 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Secure Update --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D1E829E9-88B8-47C6-A75E-0D40E2C09D50} /l1033
    Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
    Security Wizards --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4} /l1033
    SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
    Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
    Sonic RecordNow! Plus --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
    Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
    Sony Ericsson GCXX (75/79/82/83/85/89) --> C:\WINDOWS\sem_GCXXUninstall.exe
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
    SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
    System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
    Trend Micro OfficeScan Client --> "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
    Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
    UltraEdit-32 --> "C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uninstall.exe" "C:\Program Files\IDM Computer Solutions\UltraEdit-32\ueinstall.log"
    upekmsi --> MsiExec.exe /I{BE40EC9E-9466-4288-916D-C1D6C13F4A40}
    Vodafone Text Centre --> C:\Program Files\VodafonetextcentreO\Uninstall.exe
    Wave Infrastructure Installer --> MsiExec.exe /I{CDD4761A-3D3F-4487-9AAF-7855A36E0D31}
    Wave Support Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{07D618CD-B016-438A-ADC9-A75BD23F85CE} /l1033
    Windows Desktop Search --> "C:\WINDOWS\$NtUninstallKB911993-V2$\spuninst\spuninst.exe"
    Windows Driver Package - Intel (NETw4x32) net (04/30/2007 11.1.1.11) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst32.EXE /u C:\WINDOWS\system32\DRVSTORE\netw4x32_B8E7181C5675973E1CF9EA17CB3EB24902DDC2D9\netw4x32.inf
    Windows Driver Package - Intel (NETw4x32) net (08/08/2007 11.1.1.22) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst32.EXE /u C:\WINDOWS\system32\DRVSTORE\netw4x32_919C79DF0034FFA603278F766D30F0461D896501\netw4x32.inf
    Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\pccswpddriver.inf
    Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf
    Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
    Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
    Windows Messenger 5.1 --> MsiExec.exe /I{8419C98D-6818-443B-9362-156519FE4C6B}
    Windows Vista Upgrade Advisor --> MsiExec.exe /I{B79FBFDD-8B0C-4B8E-B70E-499E39978281}
    WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    WinTidy 1.0.11 --> "C:\Program Files\WinTidy\unins000.exe"
    WinZip --> "C:\PROGRA~1\WinZip\WINZIP32.EXE" /uninstall
    Wireshark 0.99.4 --> "C:\Program Files\Wireshark\uninstall.exe"
    WRQ Reflection for UNIX and OpenVMS 10.0 --> MsiExec.exe /I{807B1E67-FF69-4170-A835-E4B2C8A1D389}
    Xvid 1.1.2 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


    -- Application Event Log

    Event Record #/Type18477 / Error
    Event Submitted/Written: 12/15/2007 09:13:51 AM
    Event ID/Source: 15 / AutoEnrollment
    Event Description:
    Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
    Enrollment will not be performed.

    Event Record #/Type18476 / Warning
    Event Submitted/Written: 12/15/2007 09:13:48 AM
    Event ID/Source: 32066 / Microsoft Fax
    Event Description:
    At least one of the devices in the outgoing routing group is not valid.
    Group name: '<All devices>'

    Event Record #/Type18475 / Error
    Event Submitted/Written: 12/15/2007 09:13:16 AM / 12/15/2007 09:13:19 AM
    Event ID/Source: 1000 / UserInit
    Event Description:
    Could not execute the following script \\insmswhq01\SMSClient\i386\client.vbs. The network path was not found.
    .

    Event Record #/Type18473 / Error
    Event Submitted/Written: 12/15/2007 09:12:33 AM
    Event ID/Source: 1054 / Userenv
    Event Description:
    Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

    Event Record #/Type18472 / Error
    Event Submitted/Written: 12/15/2007 09:12:33 AM
    Event ID/Source: 1054 / Userenv
    Event Description:
    Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type89443 / Error
    Event Submitted/Written: 12/15/2007 00:57:53 PM
    Event ID/Source: 29 / W32Time
    Event Description:
    The time provider NtpClient is configured to acquire time from one or more
    time sources, however none of the sources are currently accessible.
    No attempt to contact a source will be made for 239 minutes.
    NtpClient has no source of accurate time.

    Event Record #/Type89442 / Warning
    Event Submitted/Written: 12/15/2007 00:57:53 PM
    Event ID/Source: 14 / W32Time
    Event Description:
    The time provider NtpClient was unable to find a domain controller to use as a time
    source. NtpClient will try again in 240 minutes.

    Event Record #/Type89440 / Warning
    Event Submitted/Written: 12/15/2007 00:14:11 PM
    Event ID/Source: 8193 / LSASRV
    Event Description:
    The Security System could not establish a secured connection with the server DNS/ns01.corp1.com. No authentication protocol was available.

    Event Record #/Type89439 / Warning
    Event Submitted/Written: 12/15/2007 00:14:11 PM
    Event ID/Source: 8192 / LSASRV
    Event Description:
    The Security System detected an attempted downgrade attack for
    server DNS/ns01.corp1.com. The failure code from authentication protocol Kerberos
    was "There are currently no logon servers available to service the logon request.
    (0xc000005e)".

    Event Record #/Type89438 / Warning
    Event Submitted/Written: 12/15/2007 11:14:00 AM
    Event ID/Source: 8193 / LSASRV
    Event Description:
    The Security System could not establish a secured connection with the server DNS/ns01.corp1.com. No authentication protocol was available.



    -- End of Deckard's System Scanner: finished at 2007-12-15 12:58:33


    Any ideas? Thanks again for your help.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Delete your version of VundoFix.exe and do the following

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
    • Select "Add More Files?" from the menu that comes up.
    • This will open a new VundoFix window that says "Paste files into the boxes below:"
    • In that window, copy and paste the following file path in the first (top) field:
      C:\WINDOWS\system32\ddccb.dll
    • Now copy and paste the following file path in the second field:
      C:\WINDOWS\system32\tuvwxyy.dll
      C:\WINDOWS\system32\dudamfvn.dll
    • Click the 'Add Files' button.
    • Click the 'Close Window' button.
    • Click the 'Remove Vundo' button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.



    1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
    O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
    O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll
    O2 - BHO: (no name) - {664961A4-2A2F-4875-B588-CBCDE602F227} - C:\WINDOWS\system32\ddccb.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
    O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll
    O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
    O20 - Winlogon Notify: tuvwxyy - C:\WINDOWS\SYSTEM32\tuvwxyy.dll


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




    Please download OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\SYSTEM32\tuvwxyy.dll
      C:\WINDOWS\system32\dudamfvn.dll
      C:\WINDOWS\system32\ddccb.dll
      C:\Program Files\Common Files\hoker4444.dll
      C:\Program Files\Common Files\hoker83122.dll


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

    Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")

    Click "Exit" to close OTMoveIt.



    Finally

    Go to Start > Control Panel > Add or Remove Programs > Remove

    Java 2 Runtime Environment, SE v1.4.2_02
    Java 2 Runtime Environment, SE v1.4.2_04



    Reboot and post back with a new DSS log
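As an added example (not code from this thread, from HijackThis or from any of the tools named above), here is a small Python triage of the three HijackThis entry types the helper lists: O2 BHO, O4 Run and O20 Winlogon Notify. The "generated-looking DLL name" and rundll32 heuristics are assumptions chosen to match the entries quoted in this thread, not HijackThis's own logic, and the sample log is constructed from those quoted entries plus three legitimate ones.

```python
"""Triage HijackThis O2/O4/O20 lines for orphaned or suspicious entries.

Added example; the heuristics are assumptions for illustration, not
HijackThis's own scoring, and the sample log is constructed from the
entries quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the entries the helper asked to fix, plus three benign ones.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {664961A4-2A2F-4875-B588-CBCDE602F227} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O20 - Winlogon Notify: tuvwxyy - C:\WINDOWS\SYSTEM32\tuvwxyy.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    reason: str


def dll_stem(path: str) -> str:
    """Lower-case file name without the .dll extension, e.g. 'tuvwxyy'."""
    path = path.replace(" (file missing)", "").strip('"')
    return re.sub(r"\.dll$", "", path.split("\\")[-1], flags=re.I).lower()


def looks_generated(stem: str) -> bool:
    """Assumed heuristic: a name drawn from a narrow run of the alphabet
    ('ddccb', 'tuvwxyy', 'jkkll') or a word with a long numeric suffix
    ('hoker83122'). Real component names usually span the alphabet widely."""
    if re.fullmatch(r"[a-z]+\d{3,}", stem):
        return True
    if len(stem) >= 5 and stem.isascii() and stem.isalpha():
        return ord(max(stem)) - ord(min(stem)) <= 5
    return False


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per entry that deserves a second look."""
    lines = [ln.strip() for ln in log_text.strip().splitlines() if ln.strip()]
    findings: list[Finding] = []

    # First pass: DLLs registered as BHOs, so the O20 rule can cross-reference them.
    bho_stems = set()
    for line in lines:
        m = O2_RE.match(line)
        if m and m["path"] != "(no file)" and not m["path"].endswith("(file missing)"):
            bho_stems.add(dll_stem(m["path"]))

    for line in lines:
        if (m := O2_RE.match(line)):
            path = m["path"]
            if path == "(no file)" or path.endswith("(file missing)"):
                # CLSID still registered under Browser Helper Objects, DLL already gone.
                findings.append(Finding(line, "orphaned BHO registration: DLL missing"))
            elif m["name"] == "(no name)" and looks_generated(dll_stem(path)):
                findings.append(Finding(line, "nameless BHO with a generated-looking DLL name"))
        elif (m := O4_RE.match(line)):
            cmd = m["cmd"]
            # Run value whose name is a bare 8-hex-digit token, loading a DLL through
            # rundll32 with a one-letter export, as in the [a0cc9fee] entry above.
            if (re.match(r"rundll32(\.exe)?\s", cmd, re.I)
                    and re.search(r'\.dll",?[a-z]$', cmd, re.I)
                    and re.fullmatch(r"[0-9a-f]{8}", m["key"])):
                findings.append(Finding(line, "hex-named Run value loading a DLL via rundll32"))
        elif (m := O20_RE.match(line)):
            stem = dll_stem(m["path"])
            if stem in bho_stems:
                findings.append(Finding(line, f"Winlogon Notify package '{stem}' is also a BHO"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Running it flags the seven entries the helper listed and leaves the Adobe, Java and Apoint entries alone; the O20 cross-reference is why the helper has the same DLL removed from both the BHO list and the Winlogon Notify key.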


  • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭Vokes


    OK
    Delete your version of VundoFix.exe and do the following

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
    • Select "Add More Files?" from the menu that comes up.
    • This will open a new VundoFix window that says "Paste files into the boxes below:"
    • In that window, copy and paste the following file path in the first (top) field:
      C:\WINDOWS\system32\ddccb.dll
    • Now copy and paste the following file path in the second field:
      C:\WINDOWS\system32\tuvwxyy.dll
      C:\WINDOWS\system32\dudamfvn.dll
    • Click the 'Add Files' button.
    • Click the 'Close Window' button.
    • Click the 'Remove Vundo' button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
    Ok, tried this. The 1st and 3rd dll files were successfully deleted, but the 2nd one VundoFix was unable to delete. Here is the vundofix.txt. I tried several times over after reboots.

    VundoFix V6.7.3

    Checking Java version...

    Java version is 1.4.2.2
    Old versions of java are exploitable and should be removed.

    Java version is 1.4.2.4
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Scan started at 16:04:23 15/12/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ddccb.dll
    C:\WINDOWS\system32\ddccb.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\dudamfvn.dll
    C:\WINDOWS\system32\dudamfvn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
    C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
    C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
    C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
    C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
    C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
    C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
    C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!


    ----
    1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
    O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
    O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll
    O2 - BHO: (no name) - {664961A4-2A2F-4875-B588-CBCDE602F227} - C:\WINDOWS\system32\ddccb.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
    O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll
    O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
    O20 - Winlogon Notify: tuvwxyy - C:\WINDOWS\SYSTEM32\tuvwxyy.dll


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
    Only the O4 entry appeared for the system scan only, for which I selected Fix Checked. The O2 and O20 entries did not appear in the scan. Any ideas?

    ---
    Please download OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\SYSTEM32\tuvwxyy.dll
      C:\WINDOWS\system32\dudamfvn.dll
      C:\WINDOWS\system32\ddccb.dll
      C:\Program Files\Common Files\hoker4444.dll
      C:\Program Files\Common Files\hoker83122.dll


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

    Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")

    Click "Exit" to close OTMoveIt.
    DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\tuvwxyy.dll
    C:\WINDOWS\SYSTEM32\tuvwxyy.dll NOT unregistered.
    C:\WINDOWS\SYSTEM32\tuvwxyy.dll moved successfully.
    File/Folder C:\WINDOWS\system32\dudamfvn.dll not found.
    File/Folder C:\WINDOWS\system32\ddccb.dll not found.
    DllUnregisterServer procedure not found in C:\Program Files\Common Files\hoker4444.dll
    C:\Program Files\Common Files\hoker4444.dll NOT unregistered.
    C:\Program Files\Common Files\hoker4444.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Program Files\Common Files\hoker83122.dll
    C:\Program Files\Common Files\hoker83122.dll NOT unregistered.
    C:\Program Files\Common Files\hoker83122.dll moved successfully.

    Created on 12/15/2007 17:25:40

    ----
    Finally

    Go to Start > Control Panel > Add or Remove Programs > Remove

    Java 2 Runtime Environment, SE v1.4.2_02
    Java 2 Runtime Environment, SE v1.4.2_04
    Done!


  • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭Vokes


    Deckard's System Scanner v20071014.68
    Run by SB013944 on 2007-12-15 18:02:17
    Computer is in Normal Mode.




    -- HijackThis (run as SB013944.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:02:43, on 15/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ngvpnmgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Connected\AgentSrv.EXE
    C:\WINDOWS\system32\bmwebcfg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    C:\WINDOWS\system32\gtdetectsc.exe
    C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\TEMP\NJ929B.EXE
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    C:\Program Files\Gemplus\GAC\GACService.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Microsoft Office Communicator\Communicator.exe
    C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
    C:\Program Files\Connected\CBSysTray.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\WinTidy\WinTidy.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\sb013944\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
    O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: (no name) - {3B964CA1-17F7-4AAA-B017-45779FE5D454} - C:\WINDOWS\system32\pmnno.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
    O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
    O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
    O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
    O15 - Trusted Zone: *.capeweb
    O15 - Trusted Zone: *.corp1
    O15 - Trusted Zone: *.corp1.com
    O15 - Trusted Zone: *.northamerica.corp1.net
    O15 - Trusted Zone: *.firsthandfoundation
    O15 - Trusted Zone: *.intellinet
    O15 - Trusted Zone: *.krpro01
    O15 - Trusted Zone: *.meetingplace
    O15 - Trusted Zone: *.msprjcrtweb
    O15 - Trusted Zone: *.msprjprdweb
    O15 - Trusted Zone: *.mymeded
    O15 - Trusted Zone: corp1.skillport.com
    O15 - Trusted Zone: *.vccorp1.com
    O15 - Trusted Zone: *.webwhqprd
    O15 - Trusted Zone: *.wsswebcrtwhq01
    O15 - Trusted Zone: *.wsswebcrtwhq02
    O15 - Trusted Zone: *.wsswebwhq01
    O15 - Trusted Zone: *.wsswebwhq02
    O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
    O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
    O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
    O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
    O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 13430 bytes

    -- Files created between 2007-11-15 and 2007-12-15

    2007-12-15 16:59:23 10900 --ahs---- C:\WINDOWS\system32\onnmp.ini2
    2007-12-15 16:59:00 334848 --a C:\WINDOWS\system32\pmnno.dll
    2007-12-15 09:21:53 80448 --a C:\WINDOWS\system32\dwvktexs.dll
    2007-12-15 09:14:52 74304 --a C:\WINDOWS\system32\obhotiic.exe <Not Verified; ; DDC>
    2007-12-15 03:07:15 0 dr-h C:\Documents and Settings\sb013944\Recent
    2007-12-14 23:51:35 0 d--h C:\WINDOWS\PIF
    2007-12-14 15:21:36 0 d C:\Program Files\SpywareGuard
    2007-12-14 11:20:49 0 d C:\Program Files\SpywareBlaster
    2007-12-14 08:05:15 385717 --ahs---- C:\WINDOWS\system32\bccdd.ini2
    2007-12-14 07:01:34 0 d C:\!KillBox
    2007-12-14 06:07:43 0 d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-14 05:03:04 0 d C:\Program Files\CCleaner
    2007-12-13 23:57:52 0 d C:\VundoFix Backups
    2007-12-13 23:16:58 0 d C:\Documents and Settings\All Users\Application Data\Avg7
    2007-12-13 22:34:35 0 d C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
    2007-12-13 17:15:56 0 d C:\WINDOWS\system32\zfd1
    2007-12-13 17:15:56 0 d C:\WINDOWS\system32\yb2
    2007-12-13 17:15:56 0 d C:\WINDOWS\system32\qui4
    2007-12-13 17:14:47 0 d C:\WINDOWS\system32\ineWc01
    2007-12-04 18:38:12 3596288 --a C:\WINDOWS\system32\qt-dx331.dll
    2007-12-04 18:36:22 196608 --a C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2007-12-04 18:36:22 81920 --a C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2007-12-04 18:36:14 802816 --a C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 682496 --a C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:35:32 12288 --a C:\WINDOWS\system32\DivXWMPExtType.dll


    -- Find3M Report

    2007-12-15 17:25:40 0 d C:\Program Files\Common Files
    2007-12-15 14:37:52 141073 --a C:\WINDOWS\system32\nvModes.dat
    2007-12-15 11:19:19 0 d C:\Program Files\WinTidy
    2007-12-15 03:22:15 0 d C:\Program Files\Java
    2007-12-14 23:29:12 0 d C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
    2007-12-14 14:23:27 0 d C:\Program Files\Microsoft ActiveSync
    2007-12-14 05:46:34 0 d C:\Program Files\Connected
    2007-12-14 01:59:44 0 d C:\Program Files\Trend Micro
    2007-12-14 01:57:35 0 d C:\Program Files\Steam
    2007-12-14 01:53:44 0 d C:\Program Files\Azureus
    2007-12-13 21:58:38 0 d C:\Program Files\SopCast
    2007-12-10 23:08:32 0 d C:\Program Files\DivX
    2007-11-24 10:12:47 0 d C:\Documents and Settings\sb013944\Application Data\Azureus
    2007-11-21 15:15:59 0 d C:\Program Files\FairUse Wizard 2
    2007-11-14 09:44:54 0 d--h C:\Program Files\InstallShield Installation Information
    2007-11-14 09:43:03 0 d C:\Program Files\Wave Systems Corp
    2007-11-14 09:34:02 0 d C:\Program Files\NTRU Cryptosystems
    2007-11-03 17:37:52 0 d C:\Program Files\KONAMI
    2007-10-23 15:21:07 0 d C:\Documents and Settings\sb013944\Application Data\Sports Interactive
    2007-10-23 15:12:23 0 d C:\Program Files\Sports Interactive
    2007-10-21 14:23:58 0 d C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
    2007-10-17 21:58:04 0 d C:\Program Files\Belarc
    2007-10-16 13:36:23 0 d C:\Program Files\NHS
    2007-10-16 13:24:16 0 d C:\Program Files\Gemplus
    2007-10-16 13:23:21 0 d C:\Program Files\Omnikey
    2007-10-05 06:41:48 1485 --a C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{080C0C22-DDE6-4091-BF4A-DDE13BC03C36}]
    C:\Program Files\Common Files\hoker83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16B23C23-1747-47E0-B901-E28A47D5B2B8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B964CA1-17F7-4AAA-B017-45779FE5D454}]
    15/12/2007 16:59 334848 --a C:\WINDOWS\system32\pmnno.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4904F9-B431-4715-AADD-08069C6D0641}]
    C:\Program Files\Common Files\hoker4444.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1161889-54E1-400E-8CDE-ECEF9CD65BFA}]
    C:\WINDOWS\system32\jkkll.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9A32877-5A82-4123-BE69-55D551403F88}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}]
    C:\WINDOWS\system32\tuvwxyy.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
    "Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
    "NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 13:04]
    "SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
    "RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
    "gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
    "GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
    "Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]
    WinTidy.lnk - C:\Program Files\WinTidy\WinTidy.exe [08/10/2001 05:14:20]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
    Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
    EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
    Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)
    "HideStartupScripts"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]
    "{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}"= C:\WINDOWS\system32\tuvwxyy.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=wxvault.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\pmnno.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=\\insmswhq01\SMSClient\i386\client.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /installquiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- D:\autorun.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
    "C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1



    -- End of Deckard's System Scanner: finished at 2007-12-15 18:03:48



    Hmmm, so there are some new .dlls created? Use VundoFix on these too?

    Again, thanks for the help.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
    • Select "Add More Files?" from the menu that comes up.
    • This will open a new VundoFix window that says "Paste files into the boxes below:"
    • In that window, copy and paste the following file path in the first (top) field:
      C:\WINDOWS\system32\pmnno.dll
    • Click the 'Add Files' button.
    • Click the 'Close Window' button.
    • Click the 'Remove Vundo' button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.



    You need to do the following from DSS, and not HijackThis

    1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
    O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
    O2 - BHO: (no name) - {3B964CA1-17F7-4AAA-B017-45779FE5D454} - C:\WINDOWS\system32\pmnno.dll
    O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
    O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



    Reboot and post a new DSS log
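    Added example, not code from this thread or from HijackThis, VundoFix or DSS: a small Python triage script that applies the same selection rule ActorSeeksJob used above when picking O2 entries to fix. It parses HijackThis O2 lines and flags a BHO when it is registered with "(no name)", when its DLL is "(no file)" or "(file missing)", or when the DLL is a short run of random lowercase letters dropped into system32 (the pmnno.dll / jkkll.dll / tuvwxyy.dll pattern in the logs above). The sample lines are copied from the log posted in this thread; the regular expressions and the random-name heuristic are my assumptions, and the heuristic on its own is only a hint, which is why the script lists every reason rather than a single verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: O2/O4 lines copied from the HijackThis log posted
# above, so the triage runs offline. The O4 line shows that other types are skipped.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)",
    r"O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)",
    r"O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll",
    r"O2 - BHO: (no name) - {3B964CA1-17F7-4AAA-B017-45779FE5D454} - C:\WINDOWS\system32\pmnno.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll",
    r"O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)",
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe",
]

# Assumed shape of a HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <dll or marker>".
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# Vundo-style names seen in this thread: a few random lowercase letters, no digits.
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,8}\.dll$")
MISSING_SUFFIX = " (file missing)"


@dataclass
class Bho:
    name: str
    clsid: str
    path: Optional[str]          # None when HijackThis printed "(no file)"
    missing: bool                # True when the registered DLL is not on disk
    reasons: List[str] = field(default_factory=list)


def parse_o2(line: str) -> Optional[Bho]:
    """Parse one HijackThis O2 line; return None for any other line type."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    name, clsid, target = m.group("name"), m.group("clsid"), m.group("target")
    if target == "(no file)":
        return Bho(name, clsid, None, True)
    if target.endswith(MISSING_SUFFIX):
        return Bho(name, clsid, target[: -len(MISSING_SUFFIX)], True)
    return Bho(name, clsid, target, False)


def assess(bho: Bho) -> Bho:
    """Attach every reason the entry deserves a closer look (hints, not proof)."""
    if bho.name == "(no name)":
        bho.reasons.append("no registered name")
    if bho.missing:
        bho.reasons.append("DLL not present on disk")
    if bho.path:
        folder, _, filename = bho.path.rpartition("\\")
        # Plenty of legitimate system32 DLLs have short lowercase names, so this
        # reason is only meaningful alongside the others.
        if folder.lower().endswith("\\system32") and RANDOM_NAME_RE.match(filename):
            bho.reasons.append("random-looking DLL name in system32")
    return bho


def triage(lines) -> List[Bho]:
    """Return the O2 entries that carry at least one reason, in log order."""
    flagged = []
    for line in lines:
        bho = parse_o2(line)
        if bho is not None and assess(bho).reasons:
            flagged.append(bho)
    return flagged


def clsids_to_review(lines) -> List[str]:
    """Just the CLSIDs, i.e. the boxes one would tick in HijackThis."""
    return [b.clsid for b in triage(lines)]


if __name__ == "__main__":
    for b in triage(SAMPLE_LOG):
        print(f"{b.clsid}  {b.path or '(no file)'}  <- {', '.join(b.reasons)}")
```

Run against the sample, the four "(no name)" entries are the ones reported, and the Adobe, Desktop Search and Java helpers are left alone; feeding it a full saved HijackThis log (one line per list element) gives the same review list for that log.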


  • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭Vokes


    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
    • Select "Add More Files?" from the menu that comes up.
    • This will open a new VundoFix window that says "Paste files into the boxes below:"
    • In that window, copy and paste the following file path in the first (top) field:
      C:\WINDOWS\system32\pmnno.dll
    • Click the 'Add Files' button.
    • Click the 'Close Window' button.
    • Click the 'Remove Vundo' button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
    The vundofix.txt:

    Scan started at 18:46:24 15/12/2007

    Listing files found while scanning....

    C:\windows\system32\onnmp.ini
    C:\windows\system32\onnmp.ini2
    C:\windows\system32\pmnno.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\onnmp.ini
    C:\windows\system32\onnmp.ini Has been deleted!

    Attempting to delete C:\windows\system32\onnmp.ini2
    C:\windows\system32\onnmp.ini2 Has been deleted!

    Attempting to delete C:\windows\system32\pmnno.dll
    C:\windows\system32\pmnno.dll Has been deleted!

    Performing Repairs to the registry.
    Done!



    The HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:19:12, on 15/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ngvpnmgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Connected\AgentSrv.EXE
    C:\WINDOWS\system32\bmwebcfg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    C:\WINDOWS\system32\gtdetectsc.exe
    C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINDOWS\TEMP\IJ7777.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
    C:\Program Files\Connected\CBSysTray.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
    O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
    O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
    O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
    O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
    O15 - Trusted Zone: *.capeweb
    O15 - Trusted Zone: *.corp1
    O15 - Trusted Zone: *.corp1.com
    O15 - Trusted Zone: *.northamerica.corp1.net
    O15 - Trusted Zone: *.firsthandfoundation
    O15 - Trusted Zone: *.intellinet
    O15 - Trusted Zone: *.krpro01
    O15 - Trusted Zone: *.meetingplace
    O15 - Trusted Zone: *.msprjcrtweb
    O15 - Trusted Zone: *.msprjprdweb
    O15 - Trusted Zone: *.mymeded
    O15 - Trusted Zone: corp1.skillport.com
    O15 - Trusted Zone: *.vccorp1.com
    O15 - Trusted Zone: *.webwhqprd
    O15 - Trusted Zone: *.wsswebcrtwhq01
    O15 - Trusted Zone: *.wsswebcrtwhq02
    O15 - Trusted Zone: *.wsswebwhq01
    O15 - Trusted Zone: *.wsswebwhq02
    O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
    O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
    O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
    O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
    O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 13051 bytes


    You need to do the following from DSS, and not HijackThis

    1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

    O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
    O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
    O2 - BHO: (no name) - {3B964CA1-17F7-4AAA-B017-45779FE5D454} - C:\WINDOWS\system32\pmnno.dll
    O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
    O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
    Would you be able to clarify part 1 of this again? When I run DSS.exe it merely generates the log files - it doesn't offer me the HijackThis.exe service to select and fix those entries. Or shall I only use HijackThis.exe, as the O2 entries are now appearing there?

    Cheers


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Just use HijackThis then and do the following

    1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

    O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
    O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
    O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
    O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)


    2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



    Then reboot and run DSS again and post the log here
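    The fix list above follows one rule: every entry is a BHO registration with no display name whose DLL is absent ("(no file)" or "(file missing)"), while the unnamed BHO that still has a DLL on disk (pmnno.dll) is left for later. The Python below, added here as an example and not a tool from this thread or from HijackThis, parses the O2 lines from the log (the sample log is constructed from those lines plus one known-good BHO and one non-O2 line) and applies that rule, so the same triage can be run over any HijackThis log. The class and function names are my own.

```python
"""Triage of HijackThis O2 (Browser Helper Object) lines.
Constructed example; not a tool from this thread or from HijackThis."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Shape of an O2 line:  O2 - BHO: <name> - {<CLSID>} - <dll path or placeholder>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<file>.+)$"
)

# Constructed sample: the O2 lines posted in this thread, one legitimate BHO
# from the same log, and an O4 line to show that other sections are skipped.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: (no name) - {3B964CA1-17F7-4AAA-B017-45779FE5D454} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
"""


@dataclass(frozen=True)
class Bho:
    name: str
    clsid: str
    file: str

    @property
    def unnamed(self) -> bool:
        # HijackThis prints "(no name)" when the CLSID has no default value.
        return self.name == "(no name)"

    @property
    def file_missing(self) -> bool:
        # "(no file)": no InprocServer32 path at all; "(file missing)": path set, DLL gone.
        return self.file == "(no file)" or self.file.endswith("(file missing)")


def parse_o2(log: str) -> list[Bho]:
    """Extract every O2 line from a HijackThis log; other sections are ignored."""
    found = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"].upper(), m["file"]))
    return found


def orphaned(bhos: list[Bho]) -> list[Bho]:
    """Unnamed registrations whose DLL is gone: the entries to tick in HijackThis.

    On their own they load nothing, but the dropper can re-create a DLL under a
    new name and re-point such a CLSID at it, so the registration goes too.
    """
    return [b for b in bhos if b.unnamed and b.file_missing]


def loaded_unknown(bhos: list[Bho]) -> list[Bho]:
    """Unnamed BHOs whose DLL is still present: these are the live ones that
    Internet Explorer loads, and they need the file dealt with, not just the key."""
    return [b for b in bhos if b.unnamed and not b.file_missing]


if __name__ == "__main__":
    entries = parse_o2(SAMPLE_LOG)
    for b in orphaned(entries):
        print("fix  ", b.clsid, b.file)
    for b in loaded_unknown(entries):
        print("review", b.clsid, b.file)
```

Running it on the sample prints seven "fix" lines (the helper's list) and one "review" line for pmnno.dll; the Adobe helper, which has a name and a present DLL, is never flagged.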


  • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭Vokes


    OK, well I went ahead and used HijackThis.exe to remove the O2 entries, and it appears to have done the trick. Things are starting to look better. SpywareGuard no longer reports any rogue BHO installations.

    I've since rebooted and here is the main.txt of the most recent DSS scan:

    Deckard's System Scanner v20071014.68
    Run by SB013944 on 2007-12-15 20:32:34
    Computer is in Normal Mode.




    -- HijackThis (run as SB013944.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:32:43, on 15/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ngvpnmgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Connected\AgentSrv.EXE
    C:\WINDOWS\system32\bmwebcfg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    C:\WINDOWS\system32\gtdetectsc.exe
    C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINDOWS\TEMP\JHC018.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office Communicator\Communicator.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
    C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
    C:\Documents and Settings\sb013944\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
    O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
    O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
    O15 - Trusted Zone: *.capeweb
    O15 - Trusted Zone: *.corp1
    O15 - Trusted Zone: *.corp1.com
    O15 - Trusted Zone: *.northamerica.corp1.net
    O15 - Trusted Zone: *.firsthandfoundation
    O15 - Trusted Zone: *.intellinet
    O15 - Trusted Zone: *.krpro01
    O15 - Trusted Zone: *.meetingplace
    O15 - Trusted Zone: *.msprjcrtweb
    O15 - Trusted Zone: *.msprjprdweb
    O15 - Trusted Zone: *.mymeded
    O15 - Trusted Zone: corp1.skillport.com
    O15 - Trusted Zone: *.vccorp1.com
    O15 - Trusted Zone: *.webwhqprd
    O15 - Trusted Zone: *.wsswebcrtwhq01
    O15 - Trusted Zone: *.wsswebcrtwhq02
    O15 - Trusted Zone: *.wsswebwhq01
    O15 - Trusted Zone: *.wsswebwhq02
    O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
    O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
    O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
    O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
    O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 12714 bytes

    -- Files created between 2007-11-15 and 2007-12-15

    2007-12-15 09:21:53 80448 --a C:\WINDOWS\system32\dwvktexs.dll
    2007-12-15 09:14:52 74304 --a C:\WINDOWS\system32\obhotiic.exe <Not Verified; ; DDC>
    2007-12-15 03:07:15 0 dr-h C:\Documents and Settings\sb013944\Recent
    2007-12-14 23:51:35 0 d--h C:\WINDOWS\PIF
    2007-12-14 15:21:36 0 d C:\Program Files\SpywareGuard
    2007-12-14 11:20:49 0 d C:\Program Files\SpywareBlaster
    2007-12-14 08:05:15 385717 --ahs---- C:\WINDOWS\system32\bccdd.ini2
    2007-12-14 07:01:34 0 d C:\!KillBox
    2007-12-14 06:07:43 0 d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-14 05:03:04 0 d C:\Program Files\CCleaner
    2007-12-13 23:57:52 0 d C:\VundoFix Backups
    2007-12-13 23:16:58 0 d C:\Documents and Settings\All Users\Application Data\Avg7
    2007-12-13 22:34:35 0 d C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
    2007-12-13 17:15:56 0 d C:\WINDOWS\system32\zfd1
    2007-12-13 17:15:56 0 d C:\WINDOWS\system32\yb2
    2007-12-13 17:15:56 0 d C:\WINDOWS\system32\qui4
    2007-12-13 17:14:47 0 d C:\WINDOWS\system32\ineWc01
    2007-12-04 18:38:12 3596288 --a C:\WINDOWS\system32\qt-dx331.dll
    2007-12-04 18:36:22 196608 --a C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2007-12-04 18:36:22 81920 --a C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2007-12-04 18:36:14 802816 --a C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
    2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 682496 --a C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:35:32 12288 --a C:\WINDOWS\system32\DivXWMPExtType.dll


    -- Find3M Report

    2007-12-15 20:29:51 0 d C:\Program Files\WinTidy
    2007-12-15 17:25:40 0 d C:\Program Files\Common Files
    2007-12-15 14:37:52 141073 --a C:\WINDOWS\system32\nvModes.dat
    2007-12-15 03:22:15 0 d C:\Program Files\Java
    2007-12-14 23:29:12 0 d C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
    2007-12-14 14:23:27 0 d C:\Program Files\Microsoft ActiveSync
    2007-12-14 05:46:34 0 d C:\Program Files\Connected
    2007-12-14 01:59:44 0 d C:\Program Files\Trend Micro
    2007-12-14 01:57:35 0 d C:\Program Files\Steam
    2007-12-14 01:53:44 0 d C:\Program Files\Azureus
    2007-12-13 21:58:38 0 d C:\Program Files\SopCast
    2007-12-10 23:08:32 0 d C:\Program Files\DivX
    2007-11-24 10:12:47 0 d C:\Documents and Settings\sb013944\Application Data\Azureus
    2007-11-21 15:15:59 0 d C:\Program Files\FairUse Wizard 2
    2007-11-14 09:44:54 0 d--h C:\Program Files\InstallShield Installation Information
    2007-11-14 09:43:03 0 d C:\Program Files\Wave Systems Corp
    2007-11-14 09:34:02 0 d C:\Program Files\NTRU Cryptosystems
    2007-11-03 17:37:52 0 d C:\Program Files\KONAMI
    2007-10-23 15:21:07 0 d C:\Documents and Settings\sb013944\Application Data\Sports Interactive
    2007-10-23 15:12:23 0 d C:\Program Files\Sports Interactive
    2007-10-21 14:23:58 0 d C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
    2007-10-17 21:58:04 0 d C:\Program Files\Belarc
    2007-10-16 13:36:23 0 d C:\Program Files\NHS
    2007-10-16 13:24:16 0 d C:\Program Files\Gemplus
    2007-10-16 13:23:21 0 d C:\Program Files\Omnikey
    2007-10-05 06:41:48 1485 --a C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
    "Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
    "NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 13:04]
    "SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
    "RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
    "gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
    "GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
    "Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]
    WinTidy.lnk - C:\Program Files\WinTidy\WinTidy.exe [08/10/2001 05:14:20]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
    Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
    EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
    Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)
    "HideStartupScripts"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=wxvault.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\pmnno.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=\\insmswhq01\SMSClient\i386\client.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /installquiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- D:\autorun.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
    "C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1



    -- End of Deckard's System Scanner: finished at 2007-12-15 20:33:00

    Are the .exe and files I've marked in red something we need to remove? The .exe specifically seems to change name after every reboot, and its creation date is always more recent than its 'modified date'.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Yep, those are bad files. I was going to leave them till the end 'cause Vundo respawns itself until you unhook it.

    By the way are you being helped somewhere else?



    Please download OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\dwvktexs.dll
      C:\WINDOWS\system32\obhotiic.exe
      C:\WINDOWS\system32\bccdd.ini2
      C:\WINDOWS\system32\zfd1
      C:\WINDOWS\system32\yb2
      C:\WINDOWS\system32\qui4
      C:\WINDOWS\system32\ineWc01


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

    Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")

    Click "Exit" to close OTMoveIt.




    Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe



    Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
    00
    

    Then double click on the fix.reg file, when it prompts to merge click "Yes".




    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.


    Then send me a new DSS log and tell me how your PC is running now
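    What that fix.reg actually writes can be checked before merging it. The following is an added example, not from the thread or from any tool it mentions: it parses the hex(7) value into the strings it encodes and reports any entry other than msv1_0 (the only package a clean XP machine lists there). The second .reg text is a constructed sample with a made-up extra DLL name, included only to show what a flagged result looks like.

```python
"""Decode and check the REG_MULTI_SZ value written by a fix.reg such as the one
above. Added example, not from the thread or any tool it mentions; FIX_REG is
copied from the post, INFECTED_REG is a constructed sample (bad.dll is a
placeholder name, not a real indicator)."""
import re

FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
'''

# Constructed sample: the same value with a second package appended, which is
# the shape a Vundo-style LSA hook leaves behind.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,62,\
  00,61,00,64,00,2e,00,64,00,6c,00,6c,00,00,00,00,00
'''

# What a clean Windows XP machine carries in this value: only MSV1_0.
EXPECTED_PACKAGES = ["msv1_0"]


def parse_reg_values(reg_text):
    """Return {(key, value_name): raw_value_string} for a .reg file.

    Hex values may continue over several lines: a trailing backslash means the
    byte list carries on at the next line (leading whitespace is ignored).
    """
    values = {}
    current_key = None
    pending = ""  # unfinished logical line being accumulated
    for raw_line in reg_text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"(?P<name>[^"]+)"=(?P<data>.*)$', line)
        if m and current_key is not None:
            values[(current_key, m.group("name"))] = m.group("data")
    return values


def decode_multi_sz(data):
    """Turn 'hex(7):6d,00,...' into the list of strings it encodes.

    REG_MULTI_SZ is UTF-16LE, each string NUL-terminated, the whole list
    terminated by one extra NUL.
    """
    if not data.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ hex(7) value: %r" % data)
    hex_bytes = [h for h in data[len("hex(7):"):].split(",") if h]
    raw = bytes(int(h, 16) for h in hex_bytes)
    text = raw.decode("utf-16-le")
    # Drop the empty strings produced by the terminating NULs.
    return [s for s in text.split("\x00") if s]


def check_authentication_packages(reg_text):
    """Return (packages, unexpected) for Lsa\\Authentication Packages."""
    values = parse_reg_values(reg_text)
    key = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
    packages = decode_multi_sz(values[(key, "Authentication Packages")])
    unexpected = [p for p in packages if p.lower() not in EXPECTED_PACKAGES]
    return packages, unexpected


if __name__ == "__main__":
    for label, text in (("fix.reg", FIX_REG), ("constructed sample", INFECTED_REG)):
        pkgs, bad = check_authentication_packages(text)
        print("%s: packages=%s unexpected=%s" % (label, pkgs, bad or "none"))
```

    The same decoder works on an exported copy of the live key (regedit, Export), which is how you would confirm the merge took effect.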


  • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭Vokes


    Yep those are bad files. I was going to leave them till the end cause Vundo respawns itself until you unhook it

    By the way are you being helped somewhere else?

    Hi, no, it's only yourself helping me - have I done one of the steps wrong? I had originally posted for help on byteforum.com (I saw your reply there btw :)) and also bleedingcomputer.com, but those guys appear to have a large backlog of cases to get through before mine.
    Please download OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\dwvktexs.dll
      C:\WINDOWS\system32\obhotiic.exe
      C:\WINDOWS\system32\bccdd.ini2
      C:\WINDOWS\system32\zfd1
      C:\WINDOWS\system32\yb2
      C:\WINDOWS\system32\qui4
      C:\WINDOWS\system32\ineWc01


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

    Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")

    Click "Exit" to close OTMoveIt.

    DllUnregisterServer procedure not found in C:\WINDOWS\system32\dwvktexs.dll
    C:\WINDOWS\system32\dwvktexs.dll NOT unregistered.
    C:\WINDOWS\system32\dwvktexs.dll moved successfully.
    C:\WINDOWS\system32\obhotiic.exe moved successfully.
    C:\WINDOWS\system32\bccdd.ini2 moved successfully.
    C:\WINDOWS\system32\zfd1 moved successfully.
    C:\WINDOWS\system32\yb2 moved successfully.
    C:\WINDOWS\system32\qui4 moved successfully.
    C:\WINDOWS\system32\ineWc01 moved successfully.

    Created on 12/17/2007 00:11:54

    Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe



    Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
    00
    

    Then double click on the fix.reg file, when it prompts to merge click "Yes".

    Done!
    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    • Click Close to exit the program.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/17/2007 at 02:34 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3362
    Trace Rules Database Version: 1361

    Scan type : Complete Scan
    Total Scan Time : 02:03:02

    Memory items scanned : 633
    Memory threats detected : 0
    Registry items scanned : 7046
    Registry threats detected : 5
    File items scanned : 94541
    File threats detected : 15

    Trojan.WinFixer
    HKLM\Software\Classes\CLSID\{664961A4-2A2F-4875-B588-CBCDE602F227}
    HKCR\CLSID\{664961A4-2A2F-4875-B588-CBCDE602F227}
    HKCR\CLSID\{664961A4-2A2F-4875-B588-CBCDE602F227}\InprocServer32
    HKCR\CLSID\{664961A4-2A2F-4875-B588-CBCDE602F227}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DDCCB.DLL

    Adware.Vundo Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}

    Adware.Vundo-Variant
    C:\!KILLBOX\JKKLL.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{5873F8CA-D905-46CF-A466-062612A69158}\RP6\A0000574.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{5873F8CA-D905-46CF-A466-062612A69158}\RP8\A0001105.DLL

    Adware.Vundo-Variant/Small
    C:\!KILLBOX\TUVWXYY.DLL
    C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\TUVWXYY.DLL

    Adware.Vundo-Variant/Small-A
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{5873F8CA-D905-46CF-A466-062612A69158}\RP6\A0000575.DLL
    C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\DWVKTEXS.DLL

    Trojan.Downloader-Gen/DDC
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{5873F8CA-D905-46CF-A466-062612A69158}\RP8\A0001100.EXE
    C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\OBHOTIIC.EXE

    Adware.Vundo Variant/Rel
    C:\WINDOWS\SYSTEM32\MCRH.TMP

    Unclassified.Unknown Origin
    C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\COMMON FILES\HOKER4444.DLL
    C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\COMMON FILES\HOKER83122.DLL

    Trojan.Downloader-Gen/BundleBase
    C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\INEWC01\INEWC011065.EXE

    Trojan.Unknown Origin
    C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\QUI4\QOPRE83122.EXE


    Then send me a new DSS log and tell me how your PC is running now

    The DSS log:

    Deckard's System Scanner v20071014.68
    Run by SB013944 on 2007-12-17 03:02:09
    Computer is in Normal Mode.




    -- HijackThis (run as SB013944.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 03:02:18, on 17/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ngvpnmgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Connected\AgentSrv.EXE
    C:\WINDOWS\system32\bmwebcfg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    C:\WINDOWS\system32\gtdetectsc.exe
    C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\TEMP\NLD146.EXE
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Gemplus\GAC\GACService.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\Connected\CBSysTray.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
    C:\Documents and Settings\sb013944\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
    O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
    O15 - Trusted Zone: *.capeweb
    O15 - Trusted Zone: *.corp1
    O15 - Trusted Zone: *.corp1.com
    O15 - Trusted Zone: *.northamerica.corp1.net
    O15 - Trusted Zone: *.firsthandfoundation
    O15 - Trusted Zone: *.intellinet
    O15 - Trusted Zone: *.krpro01
    O15 - Trusted Zone: *.meetingplace
    O15 - Trusted Zone: *.msprjcrtweb
    O15 - Trusted Zone: *.msprjprdweb
    O15 - Trusted Zone: *.mymeded
    O15 - Trusted Zone: corp1.skillport.com
    O15 - Trusted Zone: *.vccorp1.com
    O15 - Trusted Zone: *.webwhqprd
    O15 - Trusted Zone: *.wsswebcrtwhq01
    O15 - Trusted Zone: *.wsswebcrtwhq02
    O15 - Trusted Zone: *.wsswebwhq01
    O15 - Trusted Zone: *.wsswebwhq02
    O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
    O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
    O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
    O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
    O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 12775 bytes

    -- Files created between 2007-11-17 and 2007-12-17

    2007-12-17 02:54:30 0 dr-h
    C:\Documents and Settings\sb013944\Recent
    2007-12-17 00:28:44 0 d
    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-12-17 00:28:29 0 d
    C:\Program Files\SUPERAntiSpyware
    2007-12-17 00:28:29 0 d
    C:\Documents and Settings\sb013944\Application Data\SUPERAntiSpyware.com
    2007-12-17 00:27:51 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-14 23:51:35 0 d--h
    C:\WINDOWS\PIF
    2007-12-14 15:21:36 0 d
    C:\Program Files\SpywareGuard
    2007-12-14 11:20:49 0 d
    C:\Program Files\SpywareBlaster
    2007-12-14 07:01:34 0 d
    C:\!KillBox
    2007-12-14 06:07:43 0 d
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-14 05:03:04 0 d
    C:\Program Files\CCleaner
    2007-12-13 23:57:52 0 d
    C:\VundoFix Backups
    2007-12-13 23:16:58 0 d
    C:\Documents and Settings\All Users\Application Data\Avg7
    2007-12-13 22:34:35 0 d
    C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
    2007-12-04 18:38:12 3596288 --a
    C:\WINDOWS\system32\qt-dx331.dll
    2007-12-04 18:36:22 196608 --a
    C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2007-12-04 18:36:22 81920 --a
    C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2007-12-04 18:36:14 802816 --a
    C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
    2007-12-04 18:36:14 823296 --a
    C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 823296 --a
    C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 682496 --a
    C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:35:32 12288 --a
    C:\WINDOWS\system32\DivXWMPExtType.dll


    -- Find3M Report

    2007-12-17 02:53:09 0 d
    C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
    2007-12-17 00:27:51 0 d
    C:\Program Files\Common Files
    2007-12-15 20:29:51 0 d
    C:\Program Files\WinTidy
    2007-12-15 14:37:52 141073 --a
    C:\WINDOWS\system32\nvModes.dat
    2007-12-15 03:22:15 0 d
    C:\Program Files\Java
    2007-12-14 14:23:27 0 d
    C:\Program Files\Microsoft ActiveSync
    2007-12-14 05:46:34 0 d
    C:\Program Files\Connected
    2007-12-14 01:59:44 0 d
    C:\Program Files\Trend Micro
    2007-12-14 01:57:35 0 d
    C:\Program Files\Steam
    2007-12-14 01:53:44 0 d
    C:\Program Files\Azureus
    2007-12-13 21:58:38 0 d
    C:\Program Files\SopCast
    2007-12-10 23:08:32 0 d
    C:\Program Files\DivX
    2007-11-24 10:12:47 0 d
    C:\Documents and Settings\sb013944\Application Data\Azureus
    2007-11-21 15:15:59 0 d
    C:\Program Files\FairUse Wizard 2
    2007-11-14 09:44:54 0 d--h
    C:\Program Files\InstallShield Installation Information
    2007-11-14 09:43:03 0 d
    C:\Program Files\Wave Systems Corp
    2007-11-14 09:34:02 0 d
    C:\Program Files\NTRU Cryptosystems
    2007-11-03 17:37:52 0 d
    C:\Program Files\KONAMI
    2007-10-23 15:21:07 0 d
    C:\Documents and Settings\sb013944\Application Data\Sports Interactive
    2007-10-23 15:12:23 0 d
    C:\Program Files\Sports Interactive
    2007-10-21 14:23:58 0 d
    C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
    2007-10-17 21:58:04 0 d
    C:\Program Files\Belarc
    2007-10-05 06:41:48 1485 --a
    C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
    "Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
    "NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
    "SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
    "RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
    "gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
    "GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
    "Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]
    "ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [22/11/2007 16:10]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [21/06/2007 14:06]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
    Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
    EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
    Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)
    "HideStartupScripts"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=wxvault.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=\\insmswhq01\SMSClient\i386\client.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /installquiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- D:\autorun.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
    "C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1



    -- End of Deckard's System Scanner: finished at 2007-12-17 03:02:34




    There's still that dodgy .exe running out of Windows temp. What is it? :confused: I think it changes filename after every reboot.

    As regards the performance of the computer - well, not too bad! One of the more noticeable things in recent days was that the Windows Desktop was taking an age to appear after every reboot. However it's pretty much instantaneous now since running Superantispyware. Programs like MS Word and Firefox are also starting up faster now. I'm guessing this virus was hogging some system resources / memory?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello
    and also bleedingcomputer.com,
    If you could please post in the topic you made over there and tell them you are getting help here so they can close it, just so you don't have somebody else helping you as well, as it will waste their time, and like you said there are a lot of logs for them.

    Yes, the Vundo trojan can really damage your PC speed. We are nearly done now.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use the Firefox browser:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use the Opera browser:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.



    Reboot and post a new DSS log after that


  • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭Vokes


    If you could please post in the topic you made over there and tell them you are getting help here so they can close it, just so you don't have somebody else helping you as well as it will waste their time, and like you said there are a lot of logs for them
    Hey, good morning :) OK, I've gone ahead and posted over there requesting that the thread be closed.

    Again, thanks a lot for your help. Everything is looking good so far.
    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use the Firefox browser:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use the Opera browser:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    Done!
    Reboot and post a new DSS log after that
    The DSS log:

    Deckard's System Scanner v20071014.68
    Run by SB013944 on 2007-12-17 10:52:16
    Computer is in Normal Mode.




    -- HijackThis (run as SB013944.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:52:19, on 17/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ngvpnmgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Connected\AgentSrv.EXE
    C:\WINDOWS\system32\bmwebcfg.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    C:\WINDOWS\system32\gtdetectsc.exe
    C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    C:\Program Files\Gemplus\GAC\GACService.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
    C:\Program Files\Connected\CBSysTray.exe
    C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
    C:\WINDOWS\TEMP\VWE324.EXE
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Citrix\ICA Client\pnagent.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
    C:\Documents and Settings\sb013944\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
    O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
    O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
    O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O10 - Unknown file in Winsock LSP: bmnet.dll
    O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
    O15 - Trusted Zone: *.capeweb
    O15 - Trusted Zone: *.corp1
    O15 - Trusted Zone: *.corp1.com
    O15 - Trusted Zone: *.northamerica.corp1.net
    O15 - Trusted Zone: *.firsthandfoundation
    O15 - Trusted Zone: *.intellinet
    O15 - Trusted Zone: *.krpro01
    O15 - Trusted Zone: *.meetingplace
    O15 - Trusted Zone: *.msprjcrtweb
    O15 - Trusted Zone: *.msprjprdweb
    O15 - Trusted Zone: *.mymeded
    O15 - Trusted Zone: corp1.skillport.com
    O15 - Trusted Zone: *.vccorp1.com
    O15 - Trusted Zone: *.webwhqprd
    O15 - Trusted Zone: *.wsswebcrtwhq01
    O15 - Trusted Zone: *.wsswebcrtwhq02
    O15 - Trusted Zone: *.wsswebwhq01
    O15 - Trusted Zone: *.wsswebwhq02
    O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
    O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
    O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
    O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
    O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
    O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
    O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    --
    End of file - 12685 bytes

    -- Files created between 2007-11-17 and 2007-12-17

    2007-12-17 10:33:47 0 d
    C:\WINDOWS\LastGood
    2007-12-17 10:23:28 0 dr-h
    C:\Documents and Settings\sb013944\Recent
    2007-12-17 00:28:44 0 d
    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-12-17 00:28:29 0 d
    C:\Program Files\SUPERAntiSpyware
    2007-12-17 00:28:29 0 d
    C:\Documents and Settings\sb013944\Application Data\SUPERAntiSpyware.com
    2007-12-17 00:27:51 0 d
    C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-14 23:51:35 0 d--h
    C:\WINDOWS\PIF
    2007-12-14 15:21:36 0 d
    C:\Program Files\SpywareGuard
    2007-12-14 11:20:49 0 d
    C:\Program Files\SpywareBlaster
    2007-12-14 07:01:34 0 d
    C:\!KillBox
    2007-12-14 06:07:43 0 d
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-14 05:03:04 0 d
    C:\Program Files\CCleaner
    2007-12-13 23:57:52 0 d
    C:\VundoFix Backups
    2007-12-13 23:16:58 0 d
    C:\Documents and Settings\All Users\Application Data\Avg7
    2007-12-13 22:34:35 0 d
    C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
    2007-12-04 18:38:12 3596288 --a
    C:\WINDOWS\system32\qt-dx331.dll
    2007-12-04 18:36:22 196608 --a
    C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
    2007-12-04 18:36:22 81920 --a
    C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
    2007-12-04 18:36:14 802816 --a
    C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
    2007-12-04 18:36:14 823296 --a
    C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 823296 --a
    C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:36:14 682496 --a
    C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
    2007-12-04 18:35:32 12288 --a
    C:\WINDOWS\system32\DivXWMPExtType.dll


    -- Find3M Report

    2007-12-17 02:53:09 0 d
    C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
    2007-12-17 00:27:51 0 d
    C:\Program Files\Common Files
    2007-12-15 20:29:51 0 d
    C:\Program Files\WinTidy
    2007-12-15 14:37:52 141073 --a
    C:\WINDOWS\system32\nvModes.dat
    2007-12-15 03:22:15 0 d
    C:\Program Files\Java
    2007-12-14 14:23:27 0 d
    C:\Program Files\Microsoft ActiveSync
    2007-12-14 05:46:34 0 d
    C:\Program Files\Connected
    2007-12-14 01:59:44 0 d
    C:\Program Files\Trend Micro
    2007-12-14 01:57:35 0 d
    C:\Program Files\Steam
    2007-12-14 01:53:44 0 d
    C:\Program Files\Azureus
    2007-12-13 21:58:38 0 d
    C:\Program Files\SopCast
    2007-12-10 23:08:32 0 d
    C:\Program Files\DivX
    2007-11-24 10:12:47 0 d
    C:\Documents and Settings\sb013944\Application Data\Azureus
    2007-11-21 15:15:59 0 d
    C:\Program Files\FairUse Wizard 2
    2007-11-14 09:44:54 0 d--h
    C:\Program Files\InstallShield Installation Information
    2007-11-14 09:43:03 0 d
    C:\Program Files\Wave Systems Corp
    2007-11-14 09:34:02 0 d
    C:\Program Files\NTRU Cryptosystems
    2007-11-03 17:37:52 0 d
    C:\Program Files\KONAMI
    2007-10-23 15:21:07 0 d
    C:\Documents and Settings\sb013944\Application Data\Sports Interactive
    2007-10-23 15:12:23 0 d
    C:\Program Files\Sports Interactive
    2007-10-21 14:23:58 0 d
    C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
    2007-10-17 21:58:04 0 d
    C:\Program Files\Belarc
    2007-10-05 06:41:48 1485 --a
    C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
    "Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
    "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
    "NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
    "SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
    "RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
    "gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
    "GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
    "Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]
    "ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [22/11/2007 16:10]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [21/06/2007 14:06]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
    Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
    EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
    Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)
    "HideStartupScripts"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=wxvault.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=\\insmswhq01\SMSClient\i386\client.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /installquiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs BthServ


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- D:\autorun.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
    "C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1



    -- End of Deckard's System Scanner: finished at 2007-12-17 10:52:35




    Again, there's an .exe still running out of Windows temp - is it even Vundo related? :confused: After the reboot, I attempted to use ATFCleaner with only the Windows temp option selected, but the message returned was "No Files Removed". The .exe is represented by a little brown dog icon if that's any help.
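The HijackThis section of the DSS log above has a fixed line format, so the first triage pass a responder does by eye can be done mechanically. The following is an added example, not from the thread and not part of HijackThis or DSS. It parses a constructed SAMPLE_LOG made of a handful of lines copied from the log above (not the complete log) and flags the entries a responder looks at first: a running process or autostart entry whose binary lives in a temp directory (the C:\WINDOWS\TEMP\VWE324.EXE the poster keeps asking about), an O4 entry whose target cannot be resolved, an entry loading from a non-system drive, and an O23 service with no publisher. The flag rules, regexes and function names are my own assumptions for illustration; a flag is a prompt to inspect the file (hash it, check its signature, check its publisher), not a verdict that it is malicious.

```python
import re

# Constructed sample in the HijackThis log format: a handful of lines
# taken from the log posted above, not the complete log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\TEMP\VWE324.EXE
C:\Program Files\SpywareGuard\sgmain.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
"""

# "O4 - HKLM\..\Run: [...]" style lines: section code, then the rest.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in a loadable extension. Non-greedy so that
# spaces inside "Program Files" are kept but trailing arguments are dropped.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|cpl|lnk)\b", re.IGNORECASE)
# Locations where a persistent component has no business living (assumed rule).
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the O-entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:              # blank line ends the process list
                in_procs = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def extract_path(body):
    """Return the first drive-letter path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def is_temp_path(path):
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def find_suspicious(parsed):
    """Return (subject, reason) pairs worth a closer look."""
    findings = []
    for proc in parsed["processes"]:
        if is_temp_path(proc):
            findings.append((proc, "process running from a temp directory"))
    for section, body in parsed["entries"]:
        path = extract_path(body)
        if path is None:
            if section == "O4":   # autostart entry whose target is not a file path
                findings.append((body, "autostart target could not be resolved"))
            continue
        if is_temp_path(path):
            findings.append((path, f"{section} entry loads from a temp directory"))
        elif not path.lower().startswith("c:\\"):
            findings.append((path, f"{section} entry loads from a non-system drive"))
        if section == "O23" and "Unknown owner" in body:
            findings.append((path, "service binary has no publisher information"))
    return findings


if __name__ == "__main__":
    for subject, reason in find_suspicious(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}: {subject}")
```

Run against a full log saved from HijackThis, the output is the short list to hash and look up rather than the whole 12 KB; the "non-system drive" rule will fire on legitimate corporate items such as the m:\ OfficeScan image setup above, which is why each line is a question, not an answer.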


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Vundo is gone, which is the main thing. Let's do a few more in-depth scans. Could you take a screenshot of the temp file and post it here?

    Go to this site:
    http://www.virustotal.com/
    On top you'll find 'Browse'
    Click the browse button and browse to the file:

    C:\WINDOWS\TEMP\VWE324.EXE

    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.




    Please download OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\TEMP\VWE324.EXE

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

    Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")

    Click "Exit" to close OTMoveIt.




    • Click here to download AVG Anti Rootkit and save it to your desktop.
    • Double-click on the AVG_AntiRootkit_1.1.0.42.exe file to run it.
    • Click "I Agree" to agree to the EULA.
    • By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
    • Click "Next" to begin the installation then click "Install".
    • It will then ask you to reboot now to finish the installation.
    • Click "Finish" and your computer will reboot.
    • After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
    • Click on the "Perform in-depth search" button to begin the scan.
    • The scan will take a while so be patient and let it complete.
    • When the scan is finished, click the "Save result to file" button.
    • Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.



    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available, otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK.
    • Now under "Select a target to scan" select My Computer.
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.





        Please download RUNSCANNER to your desktop and run it.
        • When the first page comes up select Beginner Mode
        • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
        • At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
        • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log
        • Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right clicking and selecting send to Zip file

        Then upload that as an attachment in your next post.
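The open question in this thread is whether the executable in C:\WINDOWS\TEMP is one file that comes back under a new name after every reboot. File names are cheap to change; content hashes are not, and the MD5 that VirusTotal reports for an upload is exactly such a hash. The following is an added example, not from the thread and not part of any of the tools named above, that snapshots the hashes of every file in a directory and compares two snapshots, reporting files that reappeared with identical bytes under a different name. demo() builds a constructed directory under the system temp path with made-up file names and contents; on a real machine you would call snapshot() on C:\WINDOWS\Temp before and after the reboot, save the first result (for example with json), and feed both to diff_snapshots(). The function names and the "renamed" classification rule are my own assumptions.

```python
import hashlib
import os
import shutil
import tempfile


def file_hashes(path, chunk=65536):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def snapshot(directory):
    """Map every regular file under `directory` to (md5, sha256, size).

    Files that cannot be opened (locked by a running process, permission
    denied) are skipped, so one unreadable file does not abort the sweep.
    """
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            try:
                md5, sha256 = file_hashes(full)
                result[full] = (md5, sha256, os.path.getsize(full))
            except OSError:
                continue
    return result


def diff_snapshots(before, after):
    """Classify differences between two snapshots.

    A file whose SHA-256 was already present before, under a path that no
    longer exists, is reported as 'renamed': identical content that came
    back under a different name, which is the behaviour described above.
    """
    sha_to_old_path = {v[1]: k for k, v in before.items()}
    new, renamed = [], []
    for path, (_md5, sha256, _size) in after.items():
        if path in before:
            continue
        old = sha_to_old_path.get(sha256)
        if old is not None and old not in after:
            renamed.append((old, path, sha256))
        else:
            new.append((path, sha256))
    renamed_old = {old for old, _new, _sha in renamed}
    removed = [p for p in before if p not in after and p not in renamed_old]
    return {"new": new, "removed": removed, "renamed": renamed}


def demo():
    """Constructed scenario: a file is deleted, then the same bytes reappear
    under a new name, as the thread describes happening across a reboot."""
    work = tempfile.mkdtemp(prefix="temp_snapshot_demo_")
    try:
        payload = b"constructed sample bytes, not a real executable\n"
        old = os.path.join(work, "VWE324.EXE")          # name taken from the thread
        with open(old, "wb") as fh:
            fh.write(payload)
        with open(os.path.join(work, "benign.txt"), "wb") as fh:
            fh.write(b"a file that does not change\n")
        before = snapshot(work)                          # "before reboot"
        os.remove(old)                                   # file removed by the cleanup tool
        new = os.path.join(work, "QRT771.EXE")           # constructed replacement name
        with open(new, "wb") as fh:
            fh.write(payload)
        after = snapshot(work)                           # "after reboot"
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for old, new, sha256 in demo()["renamed"]:
        print(f"same content reappeared: {old} -> {new} (sha256 {sha256})")
```

A "renamed" hit tells you that something is re-dropping the same binary, so the file in Temp is a symptom and the thing to find is whichever autostart entry, service or scheduled task writes it; a "new" hit with a hash nobody has seen before is what you upload for a second opinion. The MD5 is kept alongside SHA-256 only because older scanner reports (including the VirusTotal output in this thread) identify files by MD5.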


      • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭Vokes


        Vundo is gone, which is the main thing. Let's do a few more in-depth scans.
        Excellent news. Thanks :)
        Could you take a screenshot of the temp file and post it here?

        Go to this site:
        http://www.virustotal.com/
        On top you'll find 'Browse'
        Click the browse button and browse to the file:

        C:\WINDOWS\TEMP\VWE324.EXE

        Click open.
        Then click the 'Send' button next to it.
        This will scan the file. Please be patient.
        Once scanned, copy and paste the results as well in your next reply.

        Please download OTMoveIt by OldTimer.
        • Save it to your desktop.
        • Please double-click OTMoveIt.exe to run it.
        • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

          C:\WINDOWS\TEMP\VWE324.EXE

        • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
        • Click the red Moveit! button.
        • Close OTMoveIt
        If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

        Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

        Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
        C:\_OTMoveIt\MovedFiles\********_******.log
        (where "********_******" is the "date_time")

        Click "Exit" to close OTMoveIt.

        • Click here to download AVG Anti Rootkit and save it to your desktop.
        • Double-click on the AVG_AntiRootkit_1.1.0.42.exe file to run it.
        • Click "I Agree" to agree to the EULA.
        • By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
        • Click "Next" to begin the installation then click "Install".
        • It will then ask you to reboot now to finish the installation.
        • Click "Finish" and your computer will reboot.
        • After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
        • Click on the "Perform in-depth search" button to begin the scan.
        • The scan will take a while so be patient and let it complete.
        • When the scan is finished, click the "Save result to file" button.
        • Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.
        OK, got some really interesting news here.

        First of all, virustotal.com revealed nothing:

        ---

        Antivirus Version Last Update Result
        AhnLab-V3 - - -
        AntiVir - - -
        Authentium - - -
        Avast - - -
        AVG - - -
        BitDefender - - -
        CAT-QuickHeal - - -
        ClamAV - - -
        DrWeb - - -
        eSafe - - -
        eTrust-Vet - - -
        Ewido - - -
        FileAdvisor - - -
        Fortinet - - -
        F-Prot - - -
        F-Secure - - -
        Ikarus - - -
        Kaspersky - - -
        McAfee - - -
        Microsoft - - -
        NOD32v2 - - -
        Norman - - -
        Panda - - -
        Prevx1 - - Prevx Database Unreachable
        Rising - - -
        Sophos - - -
        Sunbelt - - -
        Symantec - - -
        TheHacker - - -
        VBA32 - - -
        VirusBuster - - -
        Webwasher-Gateway - - -
        Additional information
        MD5: 3d4a3262f183d37dcc975d933dd732fe


        ----

        Attached are 2 screenshots. The first is prior to running OTmoveIT. And OTmoveIT was able to remove the .exe successfully:

        ---

        C:\WINDOWS\TEMP\VWE324.EXE moved successfully.

        Created on 12/17/2007 11:42:19


        ---

        Now after the installation of AVG Anti Rootkit and then a Reboot, I took a quick glance at the temp folder (see 2nd screenshot) and could see the .exe there again!

        So on a whim, I googled for 'exe file in windows temp brown dog icon', which threw up some enlightening results. It seems this file is a legit one used by the Trend Realtime scanner as a way to look out for itself. So not malicious at all! Here's one quote I found...

        "The file is the OfficeScan Watchdog service on the anti-hacking mode. The Watchdog service keeps an eye on the OfficeScan client services. The Watchdog service also restarts the OfficeScan services when they are unexpectedly terminated due to hacker or virus attack. The anti-hack mode allows the Watchdog service to have random names to prevent viruses or other malicious threats from identifying the service and terminating"
        http://www.tutorials-win.com/WindowsXP/file-keeps-1530205/

        Additionally the AVG Anti Rootkit scan also revealed nothing. Nevertheless I shall go ahead and do the Kaspersky and Runscanner scans as well.
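        The question the last two posts turned on, whether a randomly named .exe in C:\WINDOWS\TEMP is malware or a legitimate component, can be settled faster from the file itself than from a web search. The script below is an added example and is not code from the thread or from Trend Micro: it lists every .exe in the Temp folder with its MD5 (the hash VirusTotal printed above), its Authenticode signature status and signer, and flags any file whose hash you already have a verdict for. The folder path, the seeded hash table and the column names are assumptions made for this example; the one MD5 in the table is the value VirusTotal reported above.

```powershell
# Added example (not from the thread): triage unknown executables in %WINDIR%\Temp
# by hash and code signature before deleting or uploading them.

param(
    [string]$Folder = (Join-Path $env:WINDIR 'Temp'),
    # Hashes you already have a verdict for (hash -> note). Seeded with the MD5
    # VirusTotal reported for VWE324.EXE in the post above.
    [hashtable]$KnownHashes = @{
        '3d4a3262f183d37dcc975d933dd732fe' = 'VWE324.EXE submitted above (0 detections)'
    }
)

function Get-Md5Hex {
    param([string]$Path)
    # Use .NET directly so this runs on old Windows PowerShell without Get-FileHash.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Get-TempExeReport {
    param([string]$Folder, [hashtable]$KnownHashes)
    Get-ChildItem -Path $Folder -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $md5 = Get-Md5Hex -Path $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            New-Object PSObject -Property @{
                Name      = $_.Name
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Modified  = $_.LastWriteTime
                MD5       = $md5
                SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
                Signer    = $signer
                Known     = if ($KnownHashes.ContainsKey($md5)) { $KnownHashes[$md5] } else { '' }
            }
        }
}

Get-TempExeReport -Folder $Folder -KnownHashes $KnownHashes |
    Sort-Object Modified -Descending |
    Format-Table Name, SizeKB, Modified, SigStatus, Signer, MD5, Known -AutoSize
```

        A Valid signature whose subject is the antivirus vendor answers the question in one step; NotSigned on its own does not prove malice (plenty of legitimate tools of that era were unsigned), but a random file name that reappears after deletion and has no matching hash is exactly the combination that justifies the extra rootkit scans. Use the MD5 only as a lookup key for VirusTotal and similar services, not as proof of integrity, and think twice before uploading a file that may contain company data.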


      • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


        That is some pretty good detective work :)

        Pretty stupid move by Trend Micro...

        You don't need to worry about our attempts at trying to remove it. That file will return itself each time to your temp file. Handy to know this for future reference.


        You can leave the Kaspersky and Runscanner tasks. I thought the .exe file may be a rootkit hence why I wanted those scans. Your PC is clean now, so we just need to do clean up.


        You can delete the tools that we used.

        Go to Start > Control Panel > Add or Remove Programs > Remove

        Java 2 Runtime Environment, SE v1.4.2_02
        Java 2 Runtime Environment, SE v1.4.2_04




        Now we need to create a new System Restore point.

        Click Start Menu > Run > type (or copy and paste)

        %SystemRoot%\System32\restore\rstrui.exe

        Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

        Next goto Start Menu > Run > type

        cleanmgr

        Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

        To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.




        Below I have included a number of recommendations for how to protect your computer against malware infections.

        * Keep Windows updated by regularly checking their website at :
        http://windowsupdate.microsoft.com/
        This will ensure your computer has always the latest security updates available installed on your computer.

        * To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
        SpywareBlaster protects against bad ActiveX
        IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
        Have a look at this tutorial for IE-Spyad here

        * SpywareGuard offers realtime protection from spyware installation attempts.

        Make Internet Explorer more secure
        • Click Start > Run
        • Type Inetcpl.cpl & click OK
        • Click on the Security tab
        • Click Reset all zones to default level
        • Make sure the Internet Zone is selected & Click Custom level
        • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
        • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

        * MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

        * Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

        * Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
        Here

        Thank you for your patience, and performing all of the procedures requested.
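        Two of the hardening steps in the post above, the Internet zone ActiveX settings and the MVPS HOSTS file, live in the registry and in a plain text file, so they can be audited (and the zone settings re-applied) from a script instead of clicking through Inetcpl.cpl each time. The script below is an added example, not code from the thread or from MVPS. The registry value names 1001, 1004 and 1201 under the Internet zone key (zone 3) are the documented IE zone actions for the three ActiveX options named above, with 0 = Enable, 1 = Prompt, 3 = Disable; the sample HOSTS lines in the usage call are constructed for this example, and the function names are my own.

```powershell
# Added example (not from the thread): audit the Internet zone ActiveX settings
# recommended above and check that HOSTS entries really point at loopback.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet
$Actions  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Registry value name -> description and the setting the post above asks for.
$Wanted = @(
    @{ Name = '1001'; Desc = 'Download signed ActiveX controls';                    Want = 1 },
    @{ Name = '1004'; Desc = 'Download unsigned ActiveX controls';                  Want = 1 },
    @{ Name = '1201'; Desc = 'Initialize and script ActiveX controls not marked safe'; Want = 3 }
)

function Test-InternetZoneActiveX {
    # Reports each setting; with -Fix, writes the wanted value for any that differ.
    param([switch]$Fix)
    $key = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($w in $Wanted) {
        $cur = $key.($w.Name)
        if (-not ($cur -eq $w.Want) -and $Fix) {
            Set-ItemProperty -Path $ZonePath -Name $w.Name -Value $w.Want -Type DWord
            $cur = $w.Want
        }
        $curText = if ($null -eq $cur) { '(not set, browser default)' } else { $Actions[[int]$cur] }
        New-Object PSObject -Property @{
            Setting = $w.Desc
            Current = $curText
            Wanted  = $Actions[$w.Want]
            OK      = ($cur -eq $w.Want)
        }
    }
}

function Test-HostsFile {
    # One object per active name; Loopback is $false for any entry that sends a
    # host somewhere other than the local machine, which is the classic HOSTS hijack.
    param([string[]]$Lines = (Get-Content (Join-Path $env:WINDIR 'System32\drivers\etc\hosts')))
    foreach ($raw in $Lines) {
        $line = ($raw -split '#')[0].Trim()          # drop comments and blank lines
        if ($line -eq '') { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }         # malformed line, ignore
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            New-Object PSObject -Property @{
                Host     = $name
                IP       = $ip
                Loopback = ($ip -eq '127.0.0.1' -or $ip -eq '0.0.0.0' -or $ip -eq '::1')
            }
        }
    }
}

# Usage: audit only (add -Fix to apply the wanted ActiveX settings).
Test-InternetZoneActiveX | Format-Table Setting, Current, Wanted, OK -AutoSize

# Constructed sample HOSTS content: one MVPS-style block entry and one hijack-style
# entry that would silently send a real site elsewhere.
$sample = @(
    '127.0.0.1 localhost',
    '127.0.0.1 ads.example.net   # blocked by hosts file',
    '203.0.113.9 windowsupdate.microsoft.com'
)
Test-HostsFile -Lines $sample | Where-Object { -not $_.Loopback } | Format-Table Host, IP -AutoSize
```

        Run the HOSTS check against the real file by calling Test-HostsFile with no arguments; anything it reports with Loopback false deserves a look, since a legitimate blocklist only ever points names at the local machine. The zone settings are per-user (HKCU), so repeat the ActiveX audit for each account that browses on the machine.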


      • Registered Users, Registered Users 2 Posts: 5,836 ✭✭✭Vokes


        Excellent.

        I've deleted those tools, created the new restore point and performed the Cleanup task. All is looking great now. Computer is zipping along.

        I assume one of the main reasons I got caught out was the old version of Java ....hmmmm, learnt a lesson there - always Update Update Update !!

        A huge thank you to you, ASJ. Your knowledge is absolutely priceless (I learnt a thing or two myself as well) and boards.ie is a better place for it!

        Merry Xmas :)

