Persistent malware issue (attempts to add BHO to IE)
-
15-12-2007 10:47am
Hi all. I'm having a persistent issue with some nasty looking malware on my work laptop - from doing some reading around, I'm guessing it's Vundo? I'm hoping some smart boardsie who knows about such things can help me out!
Currently I have Windows XP Professional, Windows Firewall, Trend Office Microscan, Spywareguard and Spywareblaster running on my machine. Also, I'm running an old version of Java (1.4.2) - I have since updated Java to the latest version.
So far the Antivirus has quarantined (on 3 different occasions) malware (TROJ_DLOADER.QQN, TROJ_VUNDO.AAE, TROY_SMALL.CZD) which was running .exes out of folders: Windows, Temporary Internet Files, system32 and .dlls residing in User Temp folder.
Upon further investigation, I also noticed various suspicious .dlls residing in the system32 folder and attempted to use VundoFix.exe to remove them, which it did. However, new ones kept reappearing upon a system restart. Hmmm
Recently, in the past few hours, there have been no further detections by Trend Antivirus. However, since I've installed Spywareguard, that app is reporting repeated attempts to install a rogue Browser Helper Object into IE.
"An attempt to change Internet Explorer settings has been detected......Warning! A BHO has been added!" with the offending file being c:/windows/system32/ddccb.dll
Current things I've noticed:
- There's an .exe in the windows temp folder that I cannot delete: c:/windows/temp/HP1.EXE
- Here is a list of suspicious files recently modified in my system32 folder: bccdd.ini, bccdd.ini2, NvesApps.xml, nvModes.001, FNTCACHE.DAT, ddccb.dll, tuvwxyy.dll, dwvktexes.dll, nvfmadud.ini, dudafvn.dll, obhotiic.exe
- Using Process Explorer, I searched for the handle / dll string 'ddccb' and the following processes were returned: IEXPLORER, lsass.exe, firefox.exe, explorer.exe, Hjackthis.exe. A similar search for the string 'tuvwxyy.dll' returns the processes: IEXPLORER.exe, winlogin.exe, explorer.exe. And dudamfvn.dll is attached to a whole rake of legit processes.
I can't see anything significant in the HijackThis log, other than the dodgy executable running out of windows/temp.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:32:11, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\WINDOWS\system32\gtdetectsc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\HP1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
C:\Program Files\Gemplus\GAC\GACService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\WinTidy\WinTidy.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by corp1 GRID
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O4 - HKCU\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
O15 - Trusted Zone: *.capeweb
O15 - Trusted Zone: *.corp1
O15 - Trusted Zone: *.corp1.com
O15 - Trusted Zone: *.northamerica.corp1.net
O15 - Trusted Zone: *.firsthandfoundation
O15 - Trusted Zone: *.intellinet
O15 - Trusted Zone: *.krpro01
O15 - Trusted Zone: *.meetingplace
O15 - Trusted Zone: *.msprjcrtweb
O15 - Trusted Zone: *.msprjprdweb
O15 - Trusted Zone: *.mymeded
O15 - Trusted Zone: corp1.skillport.com
O15 - Trusted Zone: *.vccorp1.com
O15 - Trusted Zone: *.webwhqprd
O15 - Trusted Zone: *.wsswebcrtwhq01
O15 - Trusted Zone: *.wsswebcrtwhq02
O15 - Trusted Zone: *.wsswebwhq01
O15 - Trusted Zone: *.wsswebwhq02
O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
--
End of file - 12299 bytes
Any help or guidance would be greatly appreciated.
Cheers.
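The first post names the signals that are worth pulling out of a HijackThis log when chasing this kind of infection: a process running from C:\WINDOWS\TEMP, a Run value with a random-looking name that loads a DLL through rundll32 with a one-letter entry point, and a Browser Helper Object registered with no name (the O2 line in the DSS output further down the thread). As an added example that is not code from the thread or from Trend Micro's HijackThis, here is a small Python triage script that applies those checks to log lines. The sample lines are copied from the logs posted in this thread; the heuristics themselves (hex-looking Run value names, single-character rundll32 entry points, temp-directory paths, unnamed BHOs) are assumptions about what a defender would want flagged for manual review, not a malware signature.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not from the thread)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# A running-process line in the log is just a full path to an .exe.
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
# O4 - HKLM\..\Run: [label] command   (also HKCU, HKUS\<sid> and RunOnce)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# rundll32[.exe] "path\to.dll",EntryPoint
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>[^\s,]*)', re.IGNORECASE)
# O2 - BHO: name - {CLSID} - path
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

# Assumption: anything persisting from a temp directory deserves a look (the thread's HP1.EXE).
TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\")
# Assumption: a Run value named like a random hex blob (the thread's [a0cc9fee]) is suspicious.
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{6,}$")


@dataclass
class Finding:
    line: str
    reasons: list[str]


def triage_line(line: str) -> list[str]:
    """Return the reasons one log line deserves manual review (empty list if none)."""
    s = line.strip()
    reasons: list[str] = []

    if PROC_RE.match(s):
        if any(d in s.lower() for d in TEMP_DIRS):
            reasons.append("process running from a temp directory")
        return reasons

    m = O4_RE.match(s)
    if m:
        if HEX_LABEL_RE.match(m["label"].lower()):
            reasons.append("Run value name looks like random hex")
        r = RUNDLL_RE.match(m["cmd"])
        # Legitimate rundll32 entries name a real export (NvStartup, Start, ...);
        # a one-letter entry point such as ",b" is typical of a dropped loader DLL.
        if r and len(r["entry"]) == 1:
            reasons.append("rundll32 entry point is a single character")
        return reasons

    m = O2_RE.match(s)
    if m and m["name"].strip().lower() == "(no name)":
        reasons.append("BHO registered without a name")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line and keep only the lines that produced findings."""
    findings = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


# Constructed sample: lines copied from the HijackThis and DSS logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\TEMP\HP1.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
"""

if __name__ == "__main__":
    # Pass a saved hijackthis.log path as the first argument, or run without one to use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in triage(text):
        print(f"{f.line}\n    -> {'; '.join(f.reasons)}")
```

Run against the sample it flags exactly the three lines the thread ends up worrying about (HP1.EXE, the a0cc9fee Run value and the unnamed BHO) and leaves the NVIDIA, Bluetooth and Adobe entries alone. The output is a list of leads to check against the vendor's threat database and the file's publisher, not a verdict: a hex-looking Run name or a one-letter export is a strong hint, but the rules are deliberately narrow so they stay quiet on an ordinary corporate build like the one in this log.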
Comments
-
Hi, you need to disable System Restore because that's why it's reinstalling when you reboot. This virus/malware is new but Trend Micro have updated their virus definitions to get rid of this. Run a scan, then disable System Restore, reboot, then re-enable System Restore.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VUNDO.AAE&VSect=Sn
-
Yeh, I had the latest definition files from yesterday and the antivirus had managed to quarantine some yesterday with the Real Time scanner.
However, it's not picking up these new ones even after performing an Active Scan. Could it be something different now? I'm not sure.
I also tried the disable System Restore thing previously but it hasn't worked so far, since I've found that not every file is getting caught.
I'm guessing there's something malicious in my registry settings somewhere...
-
Hi, you need to disable System Restore because that's why it's reinstalling when you reboot. This virus/malware is new but Trend Micro have updated their virus definitions to get rid of this.
Do the following if you want to remove it.
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files; click YES.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer; click OK.
- Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
- When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
-
I'll do this right away. Cheers.
-
VundoFix didn't find any infected files.
Here's the txt file and a new HijackThis log.
VundoFix V6.7.0
Checking Java version...
Java version is 1.4.2.2
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Scan started at 11:21:53 15/12/2007
Listing files found while scanning....
No infected files were found.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:22, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\WINDOWS\system32\gtdetectsc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\HP1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by corp1 GRID
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
O15 - Trusted Zone: *.capeweb
O15 - Trusted Zone: *.corp1
O15 - Trusted Zone: *.corp1.com
O15 - Trusted Zone: *.northamerica.corp1.net
O15 - Trusted Zone: *.firsthandfoundation
O15 - Trusted Zone: *.intellinet
O15 - Trusted Zone: *.krpro01
O15 - Trusted Zone: *.meetingplace
O15 - Trusted Zone: *.msprjcrtweb
O15 - Trusted Zone: *.msprjprdweb
O15 - Trusted Zone: *.mymeded
O15 - Trusted Zone: corp1.skillport.com
O15 - Trusted Zone: *.vccorp1.com
O15 - Trusted Zone: *.webwhqprd
O15 - Trusted Zone: *.wsswebcrtwhq01
O15 - Trusted Zone: *.wsswebcrtwhq02
O15 - Trusted Zone: *.wsswebwhq01
O15 - Trusted Zone: *.wsswebwhq02
O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
--
End of file - 12057 bytes
Running DSS now.
-
Looks like DSS found some stuff. Here is main.txt followed by extra.txt...
Deckard's System Scanner v20071014.68
Run by SB013944 on 2007-12-15 13:15:53
Computer is in Normal Mode.
-- HijackThis (run as SB013944.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15:59, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\WINDOWS\system32\gtdetectsc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\TEMP\HP1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sb013944\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by corp1 GRID
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {664961A4-2A2F-4875-B588-CBCDE602F227} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
O15 - Trusted Zone: *.capeweb
O15 - Trusted Zone: *.corp1
O15 - Trusted Zone: *.corp1.com
O15 - Trusted Zone: *.northamerica.corp1.net
O15 - Trusted Zone: *.firsthandfoundation
O15 - Trusted Zone: *.intellinet
O15 - Trusted Zone: *.krpro01
O15 - Trusted Zone: *.meetingplace
O15 - Trusted Zone: *.msprjcrtweb
O15 - Trusted Zone: *.msprjprdweb
O15 - Trusted Zone: *.mymeded
O15 - Trusted Zone: corp1.skillport.com
O15 - Trusted Zone: *.vccorp1.com
O15 - Trusted Zone: *.webwhqprd
O15 - Trusted Zone: *.wsswebcrtwhq01
O15 - Trusted Zone: *.wsswebcrtwhq02
O15 - Trusted Zone: *.wsswebwhq01
O15 - Trusted Zone: *.wsswebwhq02
O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O20 - Winlogon Notify: tuvwxyy - C:\WINDOWS\SYSTEM32\tuvwxyy.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
--
End of file - 13502 bytes
-- Files created between 2007-11-15 and 2007-12-15
2007-12-15 09:21:53 80448 --a------ C:\WINDOWS\system32\dwvktexs.dll
2007-12-15 09:19:28 85568 --a------ C:\WINDOWS\system32\dudamfvn.dll
2007-12-15 09:14:52 74304 --a------ C:\WINDOWS\system32\obhotiic.exe <Not Verified; ; DDC>
2007-12-15 03:07:15 0 dr-h----- C:\Documents and Settings\sb013944\Recent
2007-12-14 23:51:35 0 d--h----- C:\WINDOWS\PIF
2007-12-14 15:21:36 0 d-------- C:\Program Files\SpywareGuard
2007-12-14 11:20:49 0 d-------- C:\Program Files\SpywareBlaster
2007-12-14 08:05:15 385509 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-12-14 08:05:12 324608 --a------ C:\WINDOWS\system32\ddccb.dll
2007-12-14 07:01:34 0 d-------- C:\!KillBox
2007-12-14 06:07:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 05:03:04 0 d-------- C:\Program Files\CCleaner
2007-12-13 23:57:52 0 d-------- C:\VundoFix Backups
2007-12-13 23:16:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-13 22:34:35 0 d-------- C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
2007-12-13 17:15:56 0 d-------- C:\WINDOWS\system32\zfd1
2007-12-13 17:15:56 0 d-------- C:\WINDOWS\system32\yb2
2007-12-13 17:15:56 0 d-------- C:\WINDOWS\system32\qui4
2007-12-13 17:14:48 40448 --a------ C:\WINDOWS\system32\tuvwxyy.dll
2007-12-13 17:14:47 0 d-------- C:\WINDOWS\system32\ineWc01
2007-12-04 18:38:12 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-04 18:36:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-04 18:36:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-04 18:36:14 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:35:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
-- Find3M Report
2007-12-15 11:19:19 0 d-------- C:\Program Files\WinTidy
2007-12-15 03:22:15 0 d-------- C:\Program Files\Java
2007-12-14 23:29:12 0 d-------- C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
2007-12-14 14:23:27 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-14 05:46:34 0 d-------- C:\Program Files\Connected
2007-12-14 01:59:44 0 d-------- C:\Program Files\Trend Micro
2007-12-14 01:57:35 0 d-------- C:\Program Files\Steam
2007-12-14 01:53:44 0 d-------- C:\Program Files\Azureus
2007-12-14 01:42:47 0 d-------- C:\Program Files\Common Files
2007-12-13 21:58:38 0 d-------- C:\Program Files\SopCast
2007-12-12 09:07:16 141097 --a------ C:\WINDOWS\system32\nvModes.dat
2007-12-10 23:08:32 0 d-------- C:\Program Files\DivX
2007-11-24 10:12:47 0 d-------- C:\Documents and Settings\sb013944\Application Data\Azureus
2007-11-21 15:15:59 0 d-------- C:\Program Files\FairUse Wizard 2
2007-11-14 09:44:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-14 09:43:03 0 d-------- C:\Program Files\Wave Systems Corp
2007-11-14 09:34:02 0 d-------- C:\Program Files\NTRU Cryptosystems
2007-11-03 17:37:52 0 d-------- C:\Program Files\KONAMI
2007-10-23 15:21:07 0 d-------- C:\Documents and Settings\sb013944\Application Data\Sports Interactive
2007-10-23 15:12:23 0 d-------- C:\Program Files\Sports Interactive
2007-10-21 14:23:58 0 d-------- C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
2007-10-17 21:58:04 0 d-------- C:\Program Files\Belarc
2007-10-16 13:36:23 0 d-------- C:\Program Files\NHS
2007-10-16 13:24:16 0 d-------- C:\Program Files\Gemplus
2007-10-16 13:23:21 0 d-------- C:\Program Files\Omnikey
2007-10-05 06:41:48 1485 --a------ C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{080C0C22-DDE6-4091-BF4A-DDE13BC03C36}]
02/08/2007 13:43 282624 --a------ C:\Program Files\Common Files\hoker83122.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16B23C23-1747-47E0-B901-E28A47D5B2B8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4904F9-B431-4715-AADD-08069C6D0641}]
02/08/2007 13:43 282624 --a------ C:\Program Files\Common Files\hoker4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{664961A4-2A2F-4875-B588-CBCDE602F227}]
14/12/2007 08:05 324608 --a------ C:\WINDOWS\system32\ddccb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1161889-54E1-400E-8CDE-ECEF9CD65BFA}]
C:\WINDOWS\system32\jkkll.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9A32877-5A82-4123-BE69-55D551403F88}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}]
13/12/2007 17:14 40448 --a------ C:\WINDOWS\system32\tuvwxyy.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
"Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
"NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 13:04]
"SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
"RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
"GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
"a0cc9fee"="C:\WINDOWS\system32\dudamfvn.dll" [15/12/2007 09:19]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]
WinTidy.lnk - C:\Program Files\WinTidy\WinTidy.exe [08/10/2001 05:14:20]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"HideStartupScripts"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]
"{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}"= C:\WINDOWS\system32\tuvwxyy.dll [13/12/2007 17:14 40448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwxyy]
tuvwxyy.dll 13/12/2007 17:14 40448 C:\WINDOWS\system32\tuvwxyy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\ddccb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\insmswhq01\SMSClient\i386\client.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- \autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
"C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1
-- End of Deckard's System Scanner: finished at 2007-12-15 13:16:30
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
-- System Information
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Genuine Intel(R) CPU T2400 @ 1.83GHz
CPU 1: Genuine Intel(R) CPU T2400 @ 1.83GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 2046.11 MiB / 1312.88 MiB
Pagefile Memory (total/avail): 3428.81 MiB / 2787.37 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913.04 MiB
C: is Fixed (NTFS) - 74.53 GiB total, 17.52 GiB free.
is CDROM (UDF1.02)
Q: is Network (Unformatted)
Z: is Network (Unformatted)
\\.\PHYSICALDRIVE0 - Hitachi HTS541080G9SA00 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:
-- Security Center
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"="C:\\Program Files\\Microsoft Office Communicator\\communicator.exe:*:Enabled:Communicator"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Program Files\\T-Mobile\\Communication Center\\AutoUpdateSrv.exe"="C:\\Program Files\\T-Mobile\\Communication Center\\AutoUpdateSrv.exe:*:Enabled:AutoUpdateSrv Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Reflection\\rftpc.exe"="C:\\Program Files\\Reflection\\rftpc.exe:*:Enabled:Reflection FTP Client"
"C:\\Program Files\\Hummingbird\\Connectivity\\12.00\\Exceed\\exceed.exe"="C:\\Program Files\\Hummingbird\\Connectivity\\12.00\\Exceed\\exceed.exe:*:Enabled:Hummingbird Exceed 2007"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"="C:\\Program Files\\Microsoft Office Communicator\\communicator.exe:*:Enabled:Microsoft Office Communicator 2005"
"C:\\Program Files\\Messenger\\Msmsgs.exe"="C:\\Program Files\\Messenger\\Msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Temp\\HP_WebRelease\\setup\\HPZnet01.exe"="C:\\Temp\\HP_WebRelease\\setup\\HPZnet01.exe:*:Enabled:hpznet01.exe"
"C:\\Temp\\HP_WebRelease\\setup\\hponicifs01.exe"="C:\\Temp\\HP_WebRelease\\setup\\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\T-Mobile\\Communication Center\\AutoUpdateSrv.exe"="C:\\Program Files\\T-Mobile\\Communication Center\\AutoUpdateSrv.exe:*:Enabled:AutoUpdateSrv Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"="C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"
"C:\\WINDOWS\\system32\\nfjtjgbv.exe"="C:\\WINDOWS\\system32\\nfj"
-- Environment Variables
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\sb013944\Application Data
CLASSPATH=C:\TicketAPI\GATicket.jar;C:\Program Files\gemplus\gac\GATicket.jar;C:\Program Files\gemplus\gac\iaikPkcs11Wrapper.jar;C:\Program Files\gemplus\gac\GATicket.jar;C:\Program Files\gemplus\gac\iaikPkcs11Wrapper.jar
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CERN-SB013944-U
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\sb013944
LOGONSERVER=\\DCNALON00
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\PC Connectivity Solution\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\TicketAPI;C:\Program Files\IDM Computer Solutions\UltraEdit-32;C:\PROGRA~1\Gemplus\GAC;C:\Program Files\Gemplus\GemSafe Libraries User\BIN;C:\Program Files\Wave Systems Corp\Dell Preboot Manager\Access Client\v5\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\sb013944\LOCALS~1\Temp
TMP=C:\DOCUME~1\sb013944\LOCALS~1\Temp
USERDNSDOMAIN=NORTHAMERICA.CORP1.NET
USERDOMAIN=WHQ_NT_DOMAIN
USERNAME=SB013944
USERPROFILE=C:\Documents and Settings\sb013944
windir=C:\WINDOWS
-- User Profiles
stu (new local)
Administrator (admin)
sb013944 (admin)
-- Add/Remove Programs
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1A99CB37-AEB0-492F-A85A-8A2536D22393}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Aventail Connect --> MsiExec.exe /I{A2A78788-2792-49BF-AF22-5E9296E568F3}
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
Beyond Compare Version 2.3.1 --> "C:\Program Files\Beyond Compare 2\unins000.exe"
biolsp patch --> MsiExec.exe /I{E6095BEA-8C97-4342-B771-13BB72AC1D88}
Broadcom TPM Driver Installer --> MsiExec.exe /X{35748B06-FCFC-4700-8285-DAD41689E4FE}
CardMan3x21 --> MsiExec.exe /X{EFB41827-DC61-4553-9326-F7871BF2EC5A}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDE for AIX Users --> C:\WINDOWS\uninst.exe -fC:\AIXUSERS\DeIsL2.isu
Communication Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3AB2F8DF-F905-44F9-8003-C81FEE95BC2B}\Setup.exe" -l0x9
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
Connected DataProtector --> C:\Program Files\Connected\CBUninst.exe
Creative Media Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1A99CB37-AEB0-492F-A85A-8A2536D22393}\setup.exe" -l0x9 /remove
Creative ZEN Stone User's Guide --> "C:\Program Files\Creative\Creative ZEN Stone\UGRemove.exe" /Product_Name:ZENStoneUG
Dell Embassy Trust Suite by Wave Systems --> C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Installer.exe
Deus Ex: Game of the Year Edition --> "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/6910
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Document Manager Lite --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{51AE9E42-640D-4C14-A9B6-43F64AA4E3E2} /l1033
EAX4 Unified Redist --> MsiExec.exe /X{89661B04-C646-4412-B6D3-5E19F02F1F37}
EMBASSY Security Center --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEAFE1E5-076B-430A-96D9-B567792AFA88}
EMBASSY Trust Suite by Wave Systems --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1802FA6-54E9-4B24-BD2A-B50866819795}\setup.exe" -l0x9
ETS Launch Pad --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{DD41AC25-61B2-4FC9-90AA-672F32139AC3} /l1033
ETS Upgrade --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{72FECEA1-E87F-4192-89FA-D0FBF92885BB}
FairUse Wizard 2 --> "C:\Program Files\FairUse Wizard 2\UnInstall_14333.exe"
Football Manager 2008 --> "C:\Program Files\Sports Interactive\Football Manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe"
Fraps --> "C:\Fraps\uninstall.exe"
GemAuthenticate Client v4.0.13 --> C:\Program Files\Gemplus\GAC\gpUnInstall.exe -next C:\PROGRA~1\Gemplus\GAC\UNWISE.EXE C:\PROGRA~1\Gemplus\GAC\INSTALL.LOG
Gemplus Smart Card Reader Tools --> C:\Program Files\Gemplus\ReaderTools\Installer\setup.exe /u
GemSafe Libraries 4.2.0 SP2 Patch 4202-829 User for NHS --> MsiExec.exe /X{A54453DD-9408-45B2-B179-9BBD83498249}
GT HSDPA driver installer --> MsiExec.exe /X{BB3B4056-4539-485E-A996-3B52480AA4B7}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{5544807E-896D-4585-84FF-60763E5BC022}\setup\hpzscr01.exe" -datfile hposcr06.dat
Huawei E620 PC Card --> C:\Program Files\Huawei E620 PC Card\Huawei E620 PC Card Uninstall.exe
Hummingbird Exceed 2007 --> MsiExec.exe /I{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}
IBAN-Calculator --> "C:\Program Files\IBAN-Calculator\UNINSTAL.EXE" "C:\Program Files\IBAN-Calculator\INSTALL.LOG" "IBAN-Calculator Uninstall"
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iPassConnect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6FFA58-F491-11D3-8951-000000031484}\setup.exe"
Java 2 Runtime Environment, SE v1.4.2_02 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142020}
Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
MediaMonkey 2.5 --> "C:\Program Files\MediaMonkey\unins000.exe"
Memo Pad (remove only) --> C:\Program Files\Memo Pad\uninstall.exe
MetaFrame Presentation Server Client --> MsiExec.exe /I{D989BCC0-757C-4FB6-893C-512DF4382656}
Microsoft Office Communicator 2005 --> MsiExec.exe /X{BE5AD430-9E0C-4243-AB3F-593835869855}
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{7279647E-8661-48DF-998E-E7DCC3E6955D}
Microsoft Office Live Meeting Add-in Pack --> MsiExec.exe /I{7CEF4888-F872-46D9-B2A1-0D8723525D40}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Standard 2003 --> MsiExec.exe /I{90530409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Viewer 2003 (English) --> MsiExec.exe /I{90520409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{972B1D9B-0EAD-49E8-B7D6-3B83FD5665B1}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Nokia_PC_Suite_683_rel_14_1_eng.exe /LANG="2057"
Nokia PC Suite --> MsiExec.exe /I{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}
Nokia Software Updater --> MsiExec.exe /X{20BCD471-7897-481D-ACF2-CB9BABF6A6CF}
Novatel 700/800 driver --> C:\WINDOWS\Novatel_700_800_PCCardInstallerUninstall.exe
NTRU Hybrid TSS v2.0.25 --> MsiExec.exe /I{0BA2A0BA-7F4D-4B7B-AE94-5F0233AC8A5A}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Odyssey --> MsiExec.exe /I{80664F8A-117F-4F0C-B8C9-E0E7B112AA7D}
Option GT HSDPA driver suite --> C:\WINDOWS\OptionPluss_PCCardInstallerUninstall.exe
Option HSDPA GTMax 7.2 Express Card driver --> C:\WINDOWS\OptionHsdpaGTMax72ExpressInstallerUninstall.exe
Option PC Cards driver package --> C:\WINDOWS\OptionPCCardInstallerUninstall.exe
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0 --> "C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe"
PC Connectivity Solution --> MsiExec.exe /I{066D65EA-ED53-44E4-A96A-F81B6E409D2E}
PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Preboot Manager --> MsiExec.exe /I{EE2EE62C-E27D-486A-AF6D-FA4A06E67476}
Private Information Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{0B0A2153-58A6-4244-B458-25EDF5FCD809} /l1033
Pro Evolution Soccer 2008 --> C:\Program Files\InstallShield Installation Information\{2FDFD600-7338-4738-90D5-FC4ACA08DC36}\setup.exe -runfromtemp -l0x0409
QuickTime Alternative 1.81 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Secure Update --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D1E829E9-88B8-47C6-A75E-0D40E2C09D50} /l1033
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Wizards --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EC84E3E6-C2D6-4DFB-81E0-448324C8FDF4} /l1033
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! Plus --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sony Ericsson GCXX (75/79/82/83/85/89) --> C:\WINDOWS\sem_GCXXUninstall.exe
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Trend Micro OfficeScan Client --> "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
UltraEdit-32 --> "C:\Program Files\IDM Computer Solutions\UltraEdit-32\Uninstall.exe" "C:\Program Files\IDM Computer Solutions\UltraEdit-32\ueinstall.log"
upekmsi --> MsiExec.exe /I{BE40EC9E-9466-4288-916D-C1D6C13F4A40}
Vodafone Text Centre --> C:\Program Files\VodafonetextcentreO\Uninstall.exe
Wave Infrastructure Installer --> MsiExec.exe /I{CDD4761A-3D3F-4487-9AAF-7855A36E0D31}
Wave Support Software --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{07D618CD-B016-438A-ADC9-A75BD23F85CE} /l1033
Windows Desktop Search --> "C:\WINDOWS\$NtUninstallKB911993-V2$\spuninst\spuninst.exe"
Windows Driver Package - Intel (NETw4x32) net (04/30/2007 11.1.1.11) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst32.EXE /u C:\WINDOWS\system32\DRVSTORE\netw4x32_B8E7181C5675973E1CF9EA17CB3EB24902DDC2D9\netw4x32.inf
Windows Driver Package - Intel (NETw4x32) net (08/08/2007 11.1.1.22) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\DPInst32.EXE /u C:\WINDOWS\system32\DRVSTORE\netw4x32_919C79DF0034FFA603278F766D30F0461D896501\netw4x32.inf
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_039E7E24575DBAE6A389611AF28F4EB97729D33E\pccswpddriver.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_4EFFAAE27A08EDFDE145390033D8EF099DA65567\nokbtmdm.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Messenger 5.1 --> MsiExec.exe /I{8419C98D-6818-443B-9362-156519FE4C6B}
Windows Vista Upgrade Advisor --> MsiExec.exe /I{B79FBFDD-8B0C-4B8E-B70E-499E39978281}
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinTidy 1.0.11 --> "C:\Program Files\WinTidy\unins000.exe"
WinZip --> "C:\PROGRA~1\WinZip\WINZIP32.EXE" /uninstall
Wireshark 0.99.4 --> "C:\Program Files\Wireshark\uninstall.exe"
WRQ Reflection for UNIX and OpenVMS 10.0 --> MsiExec.exe /I{807B1E67-FF69-4170-A835-E4B2C8A1D389}
Xvid 1.1.2 final uninstall --> "C:\Program Files\Xvid\unins000.exe"
-- Application Event Log
Event Record #/Type18477 / Error
Event Submitted/Written: 12/15/2007 09:13:51 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.
Event Record #/Type18476 / Warning
Event Submitted/Written: 12/15/2007 09:13:48 AM
Event ID/Source: 32066 / Microsoft Fax
Event Description:
At least one of the devices in the outgoing routing group is not valid.
Group name: '<All devices>'
Event Record #/Type18475 / Error
Event Submitted/Written: 12/15/2007 09:13:16 AM / 12/15/2007 09:13:19 AM
Event ID/Source: 1000 / UserInit
Event Description:
Could not execute the following script \\insmswhq01\SMSClient\i386\client.vbs. The network path was not found.
.
Event Record #/Type18473 / Error
Event Submitted/Written: 12/15/2007 09:12:33 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
Event Record #/Type18472 / Error
Event Submitted/Written: 12/15/2007 09:12:33 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
-- Security Event Log
No Errors/Warnings found.
-- System Event Log
Event Record #/Type89443 / Error
Event Submitted/Written: 12/15/2007 00:57:53 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 239 minutes.
NtpClient has no source of accurate time.
Event Record #/Type89442 / Warning
Event Submitted/Written: 12/15/2007 00:57:53 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 240 minutes.
Event Record #/Type89440 / Warning
Event Submitted/Written: 12/15/2007 00:14:11 PM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/ns01.corp1.com. No authentication protocol was available.
Event Record #/Type89439 / Warning
Event Submitted/Written: 12/15/2007 00:14:11 PM
Event ID/Source: 8192 / LSASRV
Event Description:
The Security System detected an attempted downgrade attack for
server DNS/ns01.corp1.com. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon request.
(0xc000005e)".
Event Record #/Type89438 / Warning
Event Submitted/Written: 12/15/2007 11:14:00 AM
Event ID/Source: 8193 / LSASRV
Event Description:
The Security System could not establish a secured connection with the server DNS/ns01.corp1.com. No authentication protocol was available.
-- End of Deckard's System Scanner: finished at 2007-12-15 12:58:33
Any ideas? Thanks again for your help.
-
Delete your version of VundoFix.exe and do the following
Please download VundoFix.exe to your desktop
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
- Select "Add More Files?" from the menu that comes up.
- This will open a new VundoFix window that says "Paste files into the boxes below:"
- In that window, copy and paste the following file path in the first (top) field:
C:\WINDOWS\system32\ddccb.dll
- Now copy and paste the following file path in the second field:
C:\WINDOWS\system32\tuvwxyy.dll
C:\WINDOWS\system32\dudamfvn.dll
- Click the 'Add Files' button.
- Click the 'Close Window' button.
- Click the 'Remove Vundo' button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
.
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll
O2 - BHO: (no name) - {664961A4-2A2F-4875-B588-CBCDE602F227} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O20 - Winlogon Notify: tuvwxyy - C:\WINDOWS\SYSTEM32\tuvwxyy.dll
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Please download OTMoveIt by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\SYSTEM32\tuvwxyy.dll
C:\WINDOWS\system32\dudamfvn.dll
C:\WINDOWS\system32\ddccb.dll
C:\Program Files\Common Files\hoker4444.dll
C:\Program Files\Common Files\hoker83122.dll
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Close OTMoveIt
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
Click "Exit" to close OTMoveIt.
Finally
Go to Start > Control Panel > Add or Remove Programs > Remove
Java 2 Runtime Environment, SE v1.4.2_02
Java 2 Runtime Environment, SE v1.4.2_04
Reboot and post back with a new DSS log
-
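As an added example (not from the thread or from any of the tools named in it), here is a small Python triage script that applies the same reasoning as the fix list above to HijackThis O2/O4/O20 lines: unnamed BHO registrations, rundll32 Run entries with hex-looking value names or one-letter exports, and Winlogon Notify hooks that reuse a DLL already tied to a flagged BHO. The sample lines are copied from the logs posted in this thread; the heuristics are my own and would miss a BHO that registers with a plausible name.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Sample HijackThis lines taken from the logs in this thread (constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: (no name) - {664961A4-2A2F-4875-B588-CBCDE602F227} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: tuvwxyy - C:\WINDOWS\SYSTEM32\tuvwxyy.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
# rundll32 <dll>[,<export>] with an optionally quoted DLL path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:,(?P<export>\S*))?', re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)  # value names like a0cc9fee


def basename(path):
    """Lower-cased file name of a Windows path, so SYSTEM32 and system32 compare equal."""
    return path.replace("/", "\\").strip().split("\\")[-1].lower()


def triage(log_text):
    """Return Finding tuples for HijackThis lines that match the thread's fix-list pattern."""
    findings = []
    suspect = set()  # basenames of DLLs tied to a flagged BHO, used for cross-referencing
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]

    # Pass 1: BHOs. An unnamed BHO is the thing the helper told the poster to fix.
    for line in lines:
        m = O2_RE.match(line)
        if not m or m.group("name") != "(no name)":
            continue
        target = m.group("target")
        if target == "(no file)":
            findings.append(Finding("O2", "orphaned BHO registration with no file", line))
        elif target.endswith("(file missing)"):
            dll = basename(target[: -len("(file missing)")])
            suspect.add(dll)
            findings.append(Finding("O2", "unnamed BHO whose DLL is already gone: " + dll, line))
        else:
            dll = basename(target)
            suspect.add(dll)
            findings.append(Finding("O2", "unnamed BHO still loading " + dll, line))

    # Pass 2: Run keys and Winlogon Notify hooks, cross-checked against the flagged DLLs.
    for line in lines:
        m = O4_RE.match(line)
        if m:
            reasons = []
            if HEX_NAME_RE.match(m.group("value")):
                reasons.append("random hex value name")
            r = RUNDLL_RE.search(m.group("cmd"))
            if r:
                dll, export = basename(r.group("dll")), r.group("export") or ""
                if dll in suspect:
                    reasons.append("launches a DLL tied to a flagged BHO")
                elif len(export) <= 1 and "system32" in r.group("dll").lower():
                    reasons.append("rundll32 loads a system32 DLL through a one-letter export")
            if reasons:
                findings.append(Finding("O4", "; ".join(reasons), line))
            continue
        m = O20_RE.match(line)
        if m and basename(m.group("dll")) in suspect:
            findings.append(Finding("O20", "Winlogon Notify hook reuses a flagged BHO DLL", line))
    return findings


def fix_list(log_text):
    """The raw HijackThis lines a helper would tell the poster to tick and 'Fix Checked'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```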
OK
ActorSeeksJob wrote: »
Delete your version of VundoFix.exe and do the following
Please download VundoFix.exe to your desktop
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
- Select "Add More Files?" from the menu that comes up.
- This will open a new VundoFix window that says "Paste files into the boxes below:"
- In that window, copy and paste the following file path in the first (top) field:
C:\WINDOWS\system32\ddccb.dll
- Now copy and paste the following file path in the second field:
C:\WINDOWS\system32\tuvwxyy.dll
C:\WINDOWS\system32\dudamfvn.dll
- Click the 'Add Files' button.
- Click the 'Close Window' button.
- Click the 'Remove Vundo' button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
.
VundoFix V6.7.3
Checking Java version...
Java version is 1.4.2.2
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Scan started at 16:04:23 15/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\ddccb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dudamfvn.dll
C:\WINDOWS\system32\dudamfvn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tuvwxyy.dll
C:\WINDOWS\system32\tuvwxyy.dll Could not be deleted.
Performing Repairs to the registry.
Done!
----
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll
O2 - BHO: (no name) - {664961A4-2A2F-4875-B588-CBCDE602F227} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll
O4 - HKLM\..\Run: [a0cc9fee] rundll32.exe "C:\WINDOWS\system32\dudamfvn.dll",b
O20 - Winlogon Notify: tuvwxyy - C:\WINDOWS\SYSTEM32\tuvwxyy.dll
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
---
Please download OTMoveIt by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\SYSTEM32\tuvwxyy.dll
C:\WINDOWS\system32\dudamfvn.dll
C:\WINDOWS\system32\ddccb.dll
C:\Program Files\Common Files\hoker4444.dll
C:\Program Files\Common Files\hoker83122.dll
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Close OTMoveIt
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
Click "Exit" to close OTMoveIt.
C:\WINDOWS\SYSTEM32\tuvwxyy.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\tuvwxyy.dll moved successfully.
File/Folder C:\WINDOWS\system32\dudamfvn.dll not found.
File/Folder C:\WINDOWS\system32\ddccb.dll not found.
DllUnregisterServer procedure not found in C:\Program Files\Common Files\hoker4444.dll
C:\Program Files\Common Files\hoker4444.dll NOT unregistered.
C:\Program Files\Common Files\hoker4444.dll moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Common Files\hoker83122.dll
C:\Program Files\Common Files\hoker83122.dll NOT unregistered.
C:\Program Files\Common Files\hoker83122.dll moved successfully.
Created on 12/15/2007 17:25:40
----
Finally
Go to Start > Control Panel > Add or Remove Programs > Remove
Java 2 Runtime Environment, SE v1.4.2_02
Java 2 Runtime Environment, SE v1.4.2_04
-
Deckard's System Scanner v20071014.68
Run by SB013944 on 2007-12-15 18:02:17
Computer is in Normal Mode.
-- HijackThis (run as SB013944.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02:43, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\WINDOWS\system32\gtdetectsc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\TEMP\NJ929B.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
C:\Program Files\Gemplus\GAC\GACService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\WinTidy\WinTidy.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\sb013944\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {3B964CA1-17F7-4AAA-B017-45779FE5D454} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
O15 - Trusted Zone: *.capeweb
O15 - Trusted Zone: *.corp1
O15 - Trusted Zone: *.corp1.com
O15 - Trusted Zone: *.northamerica.corp1.net
O15 - Trusted Zone: *.firsthandfoundation
O15 - Trusted Zone: *.intellinet
O15 - Trusted Zone: *.krpro01
O15 - Trusted Zone: *.meetingplace
O15 - Trusted Zone: *.msprjcrtweb
O15 - Trusted Zone: *.msprjprdweb
O15 - Trusted Zone: *.mymeded
O15 - Trusted Zone: corp1.skillport.com
O15 - Trusted Zone: *.vccorp1.com
O15 - Trusted Zone: *.webwhqprd
O15 - Trusted Zone: *.wsswebcrtwhq01
O15 - Trusted Zone: *.wsswebcrtwhq02
O15 - Trusted Zone: *.wsswebwhq01
O15 - Trusted Zone: *.wsswebwhq02
O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
--
End of file - 13430 bytes
-- Files created between 2007-11-15 and 2007-12-15
2007-12-15 16:59:23 10900 --ahs---- C:\WINDOWS\system32\onnmp.ini2
2007-12-15 16:59:00 334848 --a C:\WINDOWS\system32\pmnno.dll
2007-12-15 09:21:53 80448 --a C:\WINDOWS\system32\dwvktexs.dll
2007-12-15 09:14:52 74304 --a C:\WINDOWS\system32\obhotiic.exe <Not Verified; ; DDC>
2007-12-15 03:07:15 0 dr-h C:\Documents and Settings\sb013944\Recent
2007-12-14 23:51:35 0 d--h C:\WINDOWS\PIF
2007-12-14 15:21:36 0 d C:\Program Files\SpywareGuard
2007-12-14 11:20:49 0 d C:\Program Files\SpywareBlaster
2007-12-14 08:05:15 385717 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-12-14 07:01:34 0 d C:\!KillBox
2007-12-14 06:07:43 0 d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 05:03:04 0 d C:\Program Files\CCleaner
2007-12-13 23:57:52 0 d C:\VundoFix Backups
2007-12-13 23:16:58 0 d C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-13 22:34:35 0 d C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
2007-12-13 17:15:56 0 d C:\WINDOWS\system32\zfd1
2007-12-13 17:15:56 0 d C:\WINDOWS\system32\yb2
2007-12-13 17:15:56 0 d C:\WINDOWS\system32\qui4
2007-12-13 17:14:47 0 d C:\WINDOWS\system32\ineWc01
2007-12-04 18:38:12 3596288 --a C:\WINDOWS\system32\qt-dx331.dll
2007-12-04 18:36:22 196608 --a C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-04 18:36:22 81920 --a C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-04 18:36:14 802816 --a C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 682496 --a C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:35:32 12288 --a C:\WINDOWS\system32\DivXWMPExtType.dll
-- Find3M Report
2007-12-15 17:25:40 0 d C:\Program Files\Common Files
2007-12-15 14:37:52 141073 --a C:\WINDOWS\system32\nvModes.dat
2007-12-15 11:19:19 0 d C:\Program Files\WinTidy
2007-12-15 03:22:15 0 d C:\Program Files\Java
2007-12-14 23:29:12 0 d C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
2007-12-14 14:23:27 0 d C:\Program Files\Microsoft ActiveSync
2007-12-14 05:46:34 0 d C:\Program Files\Connected
2007-12-14 01:59:44 0 d C:\Program Files\Trend Micro
2007-12-14 01:57:35 0 d C:\Program Files\Steam
2007-12-14 01:53:44 0 d C:\Program Files\Azureus
2007-12-13 21:58:38 0 d C:\Program Files\SopCast
2007-12-10 23:08:32 0 d C:\Program Files\DivX
2007-11-24 10:12:47 0 d C:\Documents and Settings\sb013944\Application Data\Azureus
2007-11-21 15:15:59 0 d C:\Program Files\FairUse Wizard 2
2007-11-14 09:44:54 0 d--h C:\Program Files\InstallShield Installation Information
2007-11-14 09:43:03 0 d C:\Program Files\Wave Systems Corp
2007-11-14 09:34:02 0 d C:\Program Files\NTRU Cryptosystems
2007-11-03 17:37:52 0 d C:\Program Files\KONAMI
2007-10-23 15:21:07 0 d C:\Documents and Settings\sb013944\Application Data\Sports Interactive
2007-10-23 15:12:23 0 d C:\Program Files\Sports Interactive
2007-10-21 14:23:58 0 d C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
2007-10-17 21:58:04 0 d C:\Program Files\Belarc
2007-10-16 13:36:23 0 d C:\Program Files\NHS
2007-10-16 13:24:16 0 d C:\Program Files\Gemplus
2007-10-16 13:23:21 0 d C:\Program Files\Omnikey
2007-10-05 06:41:48 1485 --a C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{080C0C22-DDE6-4091-BF4A-DDE13BC03C36}]
C:\Program Files\Common Files\hoker83122.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16B23C23-1747-47E0-B901-E28A47D5B2B8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B964CA1-17F7-4AAA-B017-45779FE5D454}]
15/12/2007 16:59 334848 --a C:\WINDOWS\system32\pmnno.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4904F9-B431-4715-AADD-08069C6D0641}]
C:\Program Files\Common Files\hoker4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1161889-54E1-400E-8CDE-ECEF9CD65BFA}]
C:\WINDOWS\system32\jkkll.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9A32877-5A82-4123-BE69-55D551403F88}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}]
C:\WINDOWS\system32\tuvwxyy.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
"Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
"NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 13:04]
"SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
"RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
"GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]
WinTidy.lnk - C:\Program Files\WinTidy\WinTidy.exe [08/10/2001 05:14:20]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"HideStartupScripts"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]
"{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}"= C:\WINDOWS\system32\tuvwxyy.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\pmnno.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\insmswhq01\SMSClient\i386\client.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- \autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
"C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1
-- End of Deckard's System Scanner: finished at 2007-12-15 18:03:48
Hmmm, so there's some new .dlls created? Use VundoFix on these too?
Again, thanks for the help.
Please download VundoFix.exe to your desktop
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
- Select "Add More Files?" from the menu that comes up.
- This will open a new VundoFix window that says "Paste files into the boxes below:"
- In that window, copy and paste the following file path in the first (top) field:
C:\WINDOWS\system32\pmnno.dll
- Click the 'Add Files' button.
- Click the 'Close Window' button.
- Click the 'Remove Vundo' button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
You need to do the following from DSS, and not HijackThis
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: (no name) - {3B964CA1-17F7-4AAA-B017-45779FE5D454} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Reboot and post a new DSS log
ActorSeeksJob wrote:
Please download VundoFix.exe to your desktop
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
- Select "Add More Files?" from the menu that comes up.
- This will open a new VundoFix window that says "Paste files into the boxes below:"
- In that window, copy and paste the following file path in the first (top) field:
C:\WINDOWS\system32\pmnno.dll
- Click the 'Add Files' button.
- Click the 'Close Window' button.
- Click the 'Remove Vundo' button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will shutdown your computer, click OK.
- Turn your computer back on.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
Scan started at 18:46:24 15/12/2007
Listing files found while scanning....
C:\windows\system32\onnmp.ini
C:\windows\system32\onnmp.ini2
C:\windows\system32\pmnno.dll
Beginning removal...
Attempting to delete C:\windows\system32\onnmp.ini
C:\windows\system32\onnmp.ini Has been deleted!
Attempting to delete C:\windows\system32\onnmp.ini2
C:\windows\system32\onnmp.ini2 Has been deleted!
Attempting to delete C:\windows\system32\pmnno.dll
C:\windows\system32\pmnno.dll Has been deleted!
Performing Repairs to the registry.
Done!
The HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19:12, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\WINDOWS\system32\gtdetectsc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\IJ7777.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
O15 - Trusted Zone: *.capeweb
O15 - Trusted Zone: *.corp1
O15 - Trusted Zone: *.corp1.com
O15 - Trusted Zone: *.northamerica.corp1.net
O15 - Trusted Zone: *.firsthandfoundation
O15 - Trusted Zone: *.intellinet
O15 - Trusted Zone: *.krpro01
O15 - Trusted Zone: *.meetingplace
O15 - Trusted Zone: *.msprjcrtweb
O15 - Trusted Zone: *.msprjprdweb
O15 - Trusted Zone: *.mymeded
O15 - Trusted Zone: corp1.skillport.com
O15 - Trusted Zone: *.vccorp1.com
O15 - Trusted Zone: *.webwhqprd
O15 - Trusted Zone: *.wsswebcrtwhq01
O15 - Trusted Zone: *.wsswebcrtwhq02
O15 - Trusted Zone: *.wsswebwhq01
O15 - Trusted Zone: *.wsswebwhq02
O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
--
End of file - 13051 bytes
You need to do the following from DSS, and not HijackThis
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: (no name) - {3B964CA1-17F7-4AAA-B017-45779FE5D454} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Cheers
Just use HijackThis then and do the following
1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)
2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
Then reboot and run DSS again and post the log here
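A small triage script for HijackThis O2 lines, added here as an example and not a tool anyone in this thread used. It applies the rule the helper followed above: an unnamed BHO whose DLL is gone is a dead registration to tick and clear with Fix Checked, while an unnamed BHO whose DLL is still on disk (pmnno.dll in the earlier log) needs the file removed first, as VundoFix did. The sample input is constructed from the O2 lines posted in this thread.

```python
"""Triage of HijackThis O2 (Browser Helper Object) lines.

Added example for this thread, not a tool used in it. Rule encoded:
  - "(no name)" + DLL missing  -> dead registry entry, clear with Fix Checked
  - "(no name)" + DLL present  -> live unknown component, remove the file first
  - named BHO                  -> identifies itself; verify the vendor, else leave
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Shape of an O2 line: "O2 - BHO: <name> - {CLSID} - <dll path | (no file)>"
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.+)$"
)

ORPHANED = "orphaned"          # no name, DLL gone: tick in HijackThis, Fix Checked
LIVE_UNKNOWN = "live-unknown"  # no name, DLL present: remove the file first
NAMED = "named"                # self-identifying BHO; check the vendor path


@dataclass(frozen=True)
class BhoEntry:
    name: str
    clsid: str
    target: str
    verdict: str


def classify(name: str, target: str) -> str:
    """Apply the helper's rule to one BHO's name and target fields."""
    unnamed = name.strip() == "(no name)"
    dll_missing = (target.strip() == "(no file)"
                   or target.rstrip().endswith("(file missing)"))
    if unnamed and dll_missing:
        return ORPHANED
    if unnamed:
        return LIVE_UNKNOWN
    return NAMED


def parse_o2(log_text: str) -> list[BhoEntry]:
    """Pull every O2 line out of a HijackThis log and classify it."""
    entries = []
    for raw in log_text.splitlines():
        m = O2_LINE.match(raw.strip())
        if not m:
            continue  # other HJT sections (R0, O4, O23, ...) are ignored here
        name, clsid, target = m.group("name"), m.group("clsid"), m.group("target")
        entries.append(BhoEntry(name, clsid, target, classify(name, target)))
    return entries


def fix_checked_lines(entries: list[BhoEntry]) -> list[str]:
    """Reconstruct the exact O2 lines to tick before clicking Fix Checked."""
    return [f"O2 - BHO: {e.name} - {e.clsid} - {e.target}"
            for e in entries if e.verdict == ORPHANED]


def needs_file_removal(entries: list[BhoEntry]) -> list[str]:
    """DLLs still on disk that must go before the registry entry is cleared."""
    return [e.target for e in entries if e.verdict == LIVE_UNKNOWN]


# Constructed sample: O2 lines from the logs posted in this thread, with the
# pmnno.dll line from the earlier log included so both unnamed cases appear.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {080C0C22-DDE6-4091-BF4A-DDE13BC03C36} - C:\Program Files\Common Files\hoker83122.dll (file missing)
O2 - BHO: (no name) - {16B23C23-1747-47E0-B901-E28A47D5B2B8} - (no file)
O2 - BHO: (no name) - {3B964CA1-17F7-4AAA-B017-45779FE5D454} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5B4904F9-B431-4715-AADD-08069C6D0641} - C:\Program Files\Common Files\hoker4444.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E1161889-54E1-400E-8CDE-ECEF9CD65BFA} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {E9A32877-5A82-4123-BE69-55D551403F88} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\tuvwxyy.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
"""

if __name__ == "__main__":
    found = parse_o2(SAMPLE_LOG)
    for e in found:
        print(f"{e.verdict:12} {e.clsid} {e.target}")
    print("tick in HijackThis:", len(fix_checked_lines(found)))
    print("remove file first:", needs_file_removal(found))
```

Run against the sample it reports 7 orphaned entries to tick and one DLL (pmnno.dll) to remove first, matching the two lists the helper gave before and after VundoFix.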
OK, well I went ahead and used HijackThis.exe to remove the O2 entries, and it appears to have done the trick. Things are starting to look better. SpywareGuard no longer reports any rogue BHO installations.
I've since rebooted and here is the main.txt of the most recent DSS scan:
Deckard's System Scanner v20071014.68
Run by SB013944 on 2007-12-15 20:32:34
Computer is in Normal Mode.
-- HijackThis (run as SB013944.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:43, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\WINDOWS\system32\gtdetectsc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\JHC018.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\Documents and Settings\sb013944\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
O15 - Trusted Zone: *.capeweb
O15 - Trusted Zone: *.corp1
O15 - Trusted Zone: *.corp1.com
O15 - Trusted Zone: *.northamerica.corp1.net
O15 - Trusted Zone: *.firsthandfoundation
O15 - Trusted Zone: *.intellinet
O15 - Trusted Zone: *.krpro01
O15 - Trusted Zone: *.meetingplace
O15 - Trusted Zone: *.msprjcrtweb
O15 - Trusted Zone: *.msprjprdweb
O15 - Trusted Zone: *.mymeded
O15 - Trusted Zone: corp1.skillport.com
O15 - Trusted Zone: *.vccorp1.com
O15 - Trusted Zone: *.webwhqprd
O15 - Trusted Zone: *.wsswebcrtwhq01
O15 - Trusted Zone: *.wsswebcrtwhq02
O15 - Trusted Zone: *.wsswebwhq01
O15 - Trusted Zone: *.wsswebwhq02
O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
--
End of file - 12714 bytes
-- Files created between 2007-11-15 and 2007-12-15
2007-12-15 09:21:53 80448 --a------ C:\WINDOWS\system32\dwvktexs.dll
2007-12-15 09:14:52 74304 --a------ C:\WINDOWS\system32\obhotiic.exe <Not Verified; ; DDC>
2007-12-15 03:07:15 0 dr-h----- C:\Documents and Settings\sb013944\Recent
2007-12-14 23:51:35 0 d--h----- C:\WINDOWS\PIF
2007-12-14 15:21:36 0 d-------- C:\Program Files\SpywareGuard
2007-12-14 11:20:49 0 d-------- C:\Program Files\SpywareBlaster
2007-12-14 08:05:15 385717 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-12-14 07:01:34 0 d-------- C:\!KillBox
2007-12-14 06:07:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 05:03:04 0 d-------- C:\Program Files\CCleaner
2007-12-13 23:57:52 0 d-------- C:\VundoFix Backups
2007-12-13 23:16:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-13 22:34:35 0 d-------- C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
2007-12-13 17:15:56 0 d-------- C:\WINDOWS\system32\zfd1
2007-12-13 17:15:56 0 d-------- C:\WINDOWS\system32\yb2
2007-12-13 17:15:56 0 d-------- C:\WINDOWS\system32\qui4
2007-12-13 17:14:47 0 d-------- C:\WINDOWS\system32\ineWc01
2007-12-04 18:38:12 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-04 18:36:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-04 18:36:22 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-04 18:36:14 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:35:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
-- Find3M Report
2007-12-15 20:29:51 0 d-------- C:\Program Files\WinTidy
2007-12-15 17:25:40 0 d-------- C:\Program Files\Common Files
2007-12-15 14:37:52 141073 --a------ C:\WINDOWS\system32\nvModes.dat
2007-12-15 03:22:15 0 d-------- C:\Program Files\Java
2007-12-14 23:29:12 0 d-------- C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
2007-12-14 14:23:27 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-14 05:46:34 0 d-------- C:\Program Files\Connected
2007-12-14 01:59:44 0 d-------- C:\Program Files\Trend Micro
2007-12-14 01:57:35 0 d-------- C:\Program Files\Steam
2007-12-14 01:53:44 0 d-------- C:\Program Files\Azureus
2007-12-13 21:58:38 0 d-------- C:\Program Files\SopCast
2007-12-10 23:08:32 0 d-------- C:\Program Files\DivX
2007-11-24 10:12:47 0 d-------- C:\Documents and Settings\sb013944\Application Data\Azureus
2007-11-21 15:15:59 0 d-------- C:\Program Files\FairUse Wizard 2
2007-11-14 09:44:54 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-14 09:43:03 0 d-------- C:\Program Files\Wave Systems Corp
2007-11-14 09:34:02 0 d-------- C:\Program Files\NTRU Cryptosystems
2007-11-03 17:37:52 0 d-------- C:\Program Files\KONAMI
2007-10-23 15:21:07 0 d-------- C:\Documents and Settings\sb013944\Application Data\Sports Interactive
2007-10-23 15:12:23 0 d-------- C:\Program Files\Sports Interactive
2007-10-21 14:23:58 0 d-------- C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
2007-10-17 21:58:04 0 d-------- C:\Program Files\Belarc
2007-10-16 13:36:23 0 d-------- C:\Program Files\NHS
2007-10-16 13:24:16 0 d-------- C:\Program Files\Gemplus
2007-10-16 13:23:21 0 d-------- C:\Program Files\Omnikey
2007-10-05 06:41:48 1485 --a------ C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
"Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
"NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [26/04/2004 13:04]
"SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
"RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
"GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]
WinTidy.lnk - C:\Program Files\WinTidy\WinTidy.exe [08/10/2001 05:14:20]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"HideStartupScripts"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\pmnno.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\insmswhq01\SMSClient\i386\client.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- \autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
"C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1
-- End of Deckard's System Scanner: finished at 2007-12-15 20:33:00
Are the .exe and files I've marked in red something we need to remove? The .exe specifically seems to change name after every reboot, and its creation date is always more recent than its 'modified date'.
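The judgement the poster is asking for here (which entries in a DSS log look like the malware) can be written down as explicit rules. The script below is an added example, not part of the thread and not from DSS, HijackThis or any other tool mentioned in it. It parses a constructed excerpt in the shape of the DSS "Files created" and "Running processes" sections above and applies the heuristics that make dwvktexs.dll, obhotiic.exe, bccdd.ini2 and the zfd1-style directories stand out: a lowercase random-looking basename in system32 with no publisher in the version tag, a hidden+system file created in system32 within the last 48 hours, a short letters-plus-digits directory name in system32, and any process running out of a TEMP directory. The name patterns and the 48-hour window are my assumptions, tuned to this log; the output is a triage list, not a verdict.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the DSS sections above, with the
# 9-character attribute field ("--a------", "d--------") as DSS prints it.
SAMPLE_FILES = r"""
2007-12-15 09:21:53 80448 --a------ C:\WINDOWS\system32\dwvktexs.dll
2007-12-15 09:14:52 74304 --a------ C:\WINDOWS\system32\obhotiic.exe <Not Verified; ; DDC>
2007-12-14 08:05:15 385717 --ahs---- C:\WINDOWS\system32\bccdd.ini2
2007-12-14 15:21:36 0 d-------- C:\Program Files\SpywareGuard
2007-12-13 17:15:56 0 d-------- C:\WINDOWS\system32\zfd1
2007-12-04 18:36:22 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-04 18:36:14 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
"""
SAMPLE_PROCS = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\TEMP\JHC018.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpywareGuard\sgmain.exe
"""
SCAN_TIME = datetime(2007, 12, 15, 20, 32, 34)   # "Run by ... on 2007-12-15 20:32:34"

FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+?)(?:\s+<([^>]*)>)?$"
)
# Heuristic name patterns (assumptions tuned to this log, not a signature):
RANDOM_BINARY = re.compile(r"^[a-z]{5,8}\.(?:dll|exe)$")   # dwvktexs.dll, obhotiic.exe
RANDOM_DIR = re.compile(r"^[A-Za-z]{2,5}\d{1,2}$")          # zfd1, yb2, qui4, ineWc01


def parse_file_lines(text):
    """Turn DSS 'Files created' lines into dicts; lines that don't parse are skipped."""
    rows = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        tag = m.group(5)                      # e.g. "Not Verified; DivX, Inc.; DivX"
        fields = [f.strip() for f in tag.split(";")] if tag else []
        rows.append({
            "created": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "attrs": m.group(3),
            "path": m.group(4),
            "vendor": fields[1] if len(fields) > 1 else "",   # "" = no publisher
        })
    return rows


def triage(files_text, procs_text, scan_time, window=timedelta(hours=48)):
    """Return (path, reason) pairs for entries worth a second look."""
    findings = []
    for row in parse_file_lines(files_text):
        path, attrs = row["path"], row["attrs"]
        name = path.rsplit("\\", 1)[-1]
        if "\\system32\\" not in path.lower():
            continue
        is_dir = attrs.startswith("d")
        recent = scan_time - row["created"] <= window
        if not is_dir and RANDOM_BINARY.match(name) and not row["vendor"]:
            findings.append((path, "random-looking binary in system32 with no publisher"))
        elif not is_dir and "h" in attrs and "s" in attrs and recent:
            findings.append((path, "hidden+system file created in system32 in the last 48h"))
        elif is_dir and RANDOM_DIR.match(name):
            findings.append((path, "short letters+digits directory in system32"))
    for line in procs_text.splitlines():
        proc = line.strip()
        if proc and "\\temp\\" in proc.lower():
            findings.append((proc, "process running from a TEMP directory"))
    return findings


def run_sample():
    """Run the triage over the constructed sample above."""
    return triage(SAMPLE_FILES, SAMPLE_PROCS, SCAN_TIME)


if __name__ == "__main__":
    for path, reason in run_sample():
        print(f"{reason:58} {path}")
```

On the sample it flags exactly the five entries the helper goes on to remove or that later disappear (the two random binaries, bccdd.ini2, the zfd1 directory and the TEMP executable) and leaves the DivX DLLs alone because they carry a publisher and a version-style name. The process check is the one that matters for the "changes name after every reboot" symptom: a path under TEMP is suspicious regardless of what the file is called today.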
Yep, those are bad files. I was going to leave them till the end because Vundo respawns itself until you unhook it.
By the way, are you being helped somewhere else?
Please download OTMoveIt by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\dwvktexs.dll
C:\WINDOWS\system32\obhotiic.exe
C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\zfd1
C:\WINDOWS\system32\yb2
C:\WINDOWS\system32\qui4
C:\WINDOWS\system32\ineWc01
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Close OTMoveIt.
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
Click "Exit" to close OTMoveIt.
Backup Your Registry with ERUNT
- Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
- For the version with the Installer: use the setup program to install ERUNT on your computer.
- For the zipped version: unzip all the files into a folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe.
Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
Then double click on the fix.reg file, when it prompts to merge click "Yes".
Download and scan with SUPERAntiSpyware Free for Home Users
- Double-click SUPERAntiSpyware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
- Under "Configuration and Preferences", click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
- Click the "Close" button to leave the control center screen.
- Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
- On the left, make sure you check C:\Fixed Drive.
- On the right, under "Complete Scan", choose Perform Complete Scan.
- Click "Next" to start the scan. Please be patient while it scans your computer.
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
- Make sure everything has a checkmark next to it and click "Next".
- A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
- If asked if you want to reboot, click "Yes".
- To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
- Click Close to exit the program.
Then send me a new DSS log and tell me how your PC is running now.
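The reason the helper talks about having to "unhook" Vundo is visible in the DSS registry dump above: "Authentication Packages" under the Lsa key is a REG_MULTI_SZ that lsass.exe loads at boot, before any user logs on, so a DLL listed there (here C:\WINDOWS\system32\pmnno.dll) is mapped into a protected system process and can recreate the files a scanner has just deleted. The fix.reg above writes the stock value, just msv1_0, as a regedit hex(7) literal. The script below is an added example, not from the thread and not from any of the tools in it: it decodes that hex(7) literal back to strings, encodes an allowlist the other way, and builds the same .reg text from the DSS line. The allowlist is an assumption: with the default of msv1_0 only, it reproduces the helper's value, which also drops the wvauth entry; if a third-party package is known-good on the machine being cleaned, add it to the allowlist rather than resetting blindly.

```python
import re

# Sample inputs taken from the thread: the DSS registry-dump line and the
# value written by the helper's fix.reg (with regedit's "\" line continuation).
DSS_LINE = r'"Authentication Packages"= msv1_0 wvauth C:\WINDOWS\system32\pmnno.dll'
FIX_REG_VALUE = "hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n  00"

# Assumption: a stock XP install lists only msv1_0 here. Extend this set
# for packages that are known-good on the machine being cleaned.
DEFAULT_ALLOWED = {"msv1_0"}

LSA_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"


def decode_hex7(literal):
    """Decode a regedit hex(7) (REG_MULTI_SZ) literal into its list of strings."""
    body = literal.split(":", 1)[1]
    body = re.sub(r"\\\s*", "", body)             # drop "\" continuations and indent
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    # UTF-16LE strings, each NUL-terminated, with an extra NUL ending the list
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def encode_hex7(strings):
    """Encode strings as a hex(7) literal; regedit imports it fine on one line."""
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_dss_packages(line):
    """Extract the package list from a DSS line like DSS_LINE (space-separated)."""
    _, _, rhs = line.partition("=")
    return rhs.split()


def build_fix(line, allowed=DEFAULT_ALLOWED):
    """Return (kept, removed, reg_text) for the given DSS line and allowlist."""
    packages = parse_dss_packages(line)
    kept = [p for p in packages if p in allowed]
    removed = [p for p in packages if p not in allowed]
    reg_text = (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{LSA_KEY}]\n"
        f'"Authentication Packages"={encode_hex7(kept)}\n'
    )
    return kept, removed, reg_text


if __name__ == "__main__":
    print("fix.reg value decodes to:", decode_hex7(FIX_REG_VALUE))
    kept, removed, reg_text = build_fix(DSS_LINE)
    print("removing:", removed)
    print(reg_text)
```

Two practical notes. DSS prints the value space-separated, so parse_dss_packages is only safe for the paths that appear in this log; on a live machine read the value from the registry instead of from the dump. And merging the .reg only stops lsass loading the DLL at the next boot, which is why the helper orders the steps as: move the files, reset the value, reboot, then scan again.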
ActorSeeksJob wrote:
Yep, those are bad files. I was going to leave them till the end because Vundo respawns itself until you unhook it.
By the way, are you being helped somewhere else?
Please download OTMoveIt by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\dwvktexs.dll
C:\WINDOWS\system32\obhotiic.exe
C:\WINDOWS\system32\bccdd.ini2
C:\WINDOWS\system32\zfd1
C:\WINDOWS\system32\yb2
C:\WINDOWS\system32\qui4
C:\WINDOWS\system32\ineWc01
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Close OTMoveIt.
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
Click "Exit" to close OTMoveIt.
C:\WINDOWS\system32\dwvktexs.dll NOT unregistered.
C:\WINDOWS\system32\dwvktexs.dll moved successfully.
C:\WINDOWS\system32\obhotiic.exe moved successfully.
C:\WINDOWS\system32\bccdd.ini2 moved successfully.
C:\WINDOWS\system32\zfd1 moved successfully.
C:\WINDOWS\system32\yb2 moved successfully.
C:\WINDOWS\system32\qui4 moved successfully.
C:\WINDOWS\system32\ineWc01 moved successfully.
Created on 12/17/2007 00:11:54
Backup Your Registry with ERUNT
- Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
- For the version with the Installer: use the setup program to install ERUNT on your computer.
- For the zipped version: unzip all the files into a folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe.
Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file fix.reg, change the "Save as Type" to "All files" and save it on the desktop.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
Then double click on the fix.reg file, when it prompts to merge click "Yes".
Download and scan with SUPERAntiSpyware Free for Home Users
- Double-click SUPERAntiSpyware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
- Under "Configuration and Preferences", click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
- Click the "Close" button to leave the control center screen.
- Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
- On the left, make sure you check C:\Fixed Drive.
- On the right, under "Complete Scan", choose Perform Complete Scan.
- Click "Next" to start the scan. Please be patient while it scans your computer.
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
- Make sure everything has a checkmark next to it and click "Next".
- A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
- If asked if you want to reboot, click "Yes".
- To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
- Click Close to exit the program.
http://www.superantispyware.com
Generated 12/17/2007 at 02:34 AM
Application Version : 3.9.1008
Core Rules Database Version : 3362
Trace Rules Database Version: 1361
Scan type : Complete Scan
Total Scan Time : 02:03:02
Memory items scanned : 633
Memory threats detected : 0
Registry items scanned : 7046
Registry threats detected : 5
File items scanned : 94541
File threats detected : 15
Trojan.WinFixer
HKLM\Software\Classes\CLSID\{664961A4-2A2F-4875-B588-CBCDE602F227}
HKCR\CLSID\{664961A4-2A2F-4875-B588-CBCDE602F227}
HKCR\CLSID\{664961A4-2A2F-4875-B588-CBCDE602F227}\InprocServer32
HKCR\CLSID\{664961A4-2A2F-4875-B588-CBCDE602F227}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDCCB.DLL
Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856}
Adware.Vundo-Variant
C:\!KILLBOX\JKKLL.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5873F8CA-D905-46CF-A466-062612A69158}\RP6\A0000574.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5873F8CA-D905-46CF-A466-062612A69158}\RP8\A0001105.DLL
Adware.Vundo-Variant/Small
C:\!KILLBOX\TUVWXYY.DLL
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\TUVWXYY.DLL
Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5873F8CA-D905-46CF-A466-062612A69158}\RP6\A0000575.DLL
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\DWVKTEXS.DLL
Trojan.Downloader-Gen/DDC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5873F8CA-D905-46CF-A466-062612A69158}\RP8\A0001100.EXE
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\OBHOTIIC.EXE
Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP
Unclassified.Unknown Origin
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\COMMON FILES\HOKER4444.DLL
C:\_OTMOVEIT\MOVEDFILES\PROGRAM FILES\COMMON FILES\HOKER83122.DLL
Trojan.Downloader-Gen/BundleBase
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\INEWC01\INEWC011065.EXE
Trojan.Unknown Origin
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\QUI4\QOPRE83122.EXE
Then send me a new DSS log and tell me how your PC is running now.
Deckard's System Scanner v20071014.68
Run by SB013944 on 2007-12-17 03:02:09
Computer is in Normal Mode.
-- HijackThis (run as SB013944.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:02:18, on 17/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\WINDOWS\system32\gtdetectsc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\TEMP\NLD146.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Gemplus\GAC\GACService.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\Documents and Settings\sb013944\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
O15 - Trusted Zone: *.capeweb
O15 - Trusted Zone: *.corp1
O15 - Trusted Zone: *.corp1.com
O15 - Trusted Zone: *.northamerica.corp1.net
O15 - Trusted Zone: *.firsthandfoundation
O15 - Trusted Zone: *.intellinet
O15 - Trusted Zone: *.krpro01
O15 - Trusted Zone: *.meetingplace
O15 - Trusted Zone: *.msprjcrtweb
O15 - Trusted Zone: *.msprjprdweb
O15 - Trusted Zone: *.mymeded
O15 - Trusted Zone: corp1.skillport.com
O15 - Trusted Zone: *.vccorp1.com
O15 - Trusted Zone: *.webwhqprd
O15 - Trusted Zone: *.wsswebcrtwhq01
O15 - Trusted Zone: *.wsswebcrtwhq02
O15 - Trusted Zone: *.wsswebwhq01
O15 - Trusted Zone: *.wsswebwhq02
O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
--
End of file - 12775 bytes
-- Files created between 2007-11-17 and 2007-12-17
2007-12-17 02:54:30 0 dr-h
C:\Documents and Settings\sb013944\Recent
2007-12-17 00:28:44 0 d
C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-17 00:28:29 0 d
C:\Program Files\SUPERAntiSpyware
2007-12-17 00:28:29 0 d
C:\Documents and Settings\sb013944\Application Data\SUPERAntiSpyware.com
2007-12-17 00:27:51 0 d
C:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 23:51:35 0 d--h
C:\WINDOWS\PIF
2007-12-14 15:21:36 0 d
C:\Program Files\SpywareGuard
2007-12-14 11:20:49 0 d
C:\Program Files\SpywareBlaster
2007-12-14 07:01:34 0 d
C:\!KillBox
2007-12-14 06:07:43 0 d
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 05:03:04 0 d
C:\Program Files\CCleaner
2007-12-13 23:57:52 0 d
C:\VundoFix Backups
2007-12-13 23:16:58 0 d
C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-13 22:34:35 0 d
C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
2007-12-04 18:38:12 3596288 --a
C:\WINDOWS\system32\qt-dx331.dll
2007-12-04 18:36:22 196608 --a
C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-04 18:36:22 81920 --a
C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-04 18:36:14 802816 --a
C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-04 18:36:14 823296 --a
C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 823296 --a
C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 682496 --a
C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:35:32 12288 --a
C:\WINDOWS\system32\DivXWMPExtType.dll
-- Find3M Report
2007-12-17 02:53:09 0 d
C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
2007-12-17 00:27:51 0 d
C:\Program Files\Common Files
2007-12-15 20:29:51 0 d
C:\Program Files\WinTidy
2007-12-15 14:37:52 141073 --a
C:\WINDOWS\system32\nvModes.dat
2007-12-15 03:22:15 0 d
C:\Program Files\Java
2007-12-14 14:23:27 0 d
C:\Program Files\Microsoft ActiveSync
2007-12-14 05:46:34 0 d
C:\Program Files\Connected
2007-12-14 01:59:44 0 d
C:\Program Files\Trend Micro
2007-12-14 01:57:35 0 d
C:\Program Files\Steam
2007-12-14 01:53:44 0 d
C:\Program Files\Azureus
2007-12-13 21:58:38 0 d
C:\Program Files\SopCast
2007-12-10 23:08:32 0 d
C:\Program Files\DivX
2007-11-24 10:12:47 0 d
C:\Documents and Settings\sb013944\Application Data\Azureus
2007-11-21 15:15:59 0 d
C:\Program Files\FairUse Wizard 2
2007-11-14 09:44:54 0 d--h
C:\Program Files\InstallShield Installation Information
2007-11-14 09:43:03 0 d
C:\Program Files\Wave Systems Corp
2007-11-14 09:34:02 0 d
C:\Program Files\NTRU Cryptosystems
2007-11-03 17:37:52 0 d
C:\Program Files\KONAMI
2007-10-23 15:21:07 0 d
C:\Documents and Settings\sb013944\Application Data\Sports Interactive
2007-10-23 15:12:23 0 d
C:\Program Files\Sports Interactive
2007-10-21 14:23:58 0 d
C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
2007-10-17 21:58:04 0 d
C:\Program Files\Belarc
2007-10-05 06:41:48 1485 --a
C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
"Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
"NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
"SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
"RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
"GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [22/11/2007 16:10]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [21/06/2007 14:06]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"HideStartupScripts"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\insmswhq01\SMSClient\i386\client.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- \autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
"C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1
-- End of Deckard's System Scanner: finished at 2007-12-17 03:02:34
There's still that dodgy .exe running out of Windows temp. What is it? I think it changes filename after every reboot.
As regards the performance of the computer - well, not too bad! One of the more noticeable things in recent days was that the Windows Desktop was taking an age to appear after every reboot. However it's pretty much instantaneous now since running Superantispyware. Also, programs like MS Word and Firefox are also starting up faster now. I'm guessing this virus was hogging some system resources / memory?
-
Hello, and also bleedingcomputer.com,
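The observation above (an executable running out of C:\WINDOWS\TEMP whose name seems to change between reboots) is something you can check mechanically rather than by eye. The following is an added example, not code from the thread or from any of the tools mentioned in it: it pulls the "Running processes:" section out of two HijackThis logs, lists anything running from a temp directory, and pairs up entries that sit in the same directory but changed name between runs. The log excerpts are constructed to mirror the two runs in this thread (NLD146.EXE in the first, VWE324.EXE in the second); the three-letters-plus-three-digits name pattern is a heuristic derived from those two names, not a vendor signature, and the function names are my own.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed excerpts (not the full logs posted in the thread) of the
# "Running processes:" section from two HijackThis runs a few hours apart.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\NLD146.EXE
C:\Program Files\SpywareGuard\sgmain.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.example/
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\VWE324.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.example/
"""

# Directories a properly installed program has no business running from.
VOLATILE_DIRS = (
    "\\windows\\temp\\",
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
)

# Shape of the two names seen in this thread (NLD146.EXE, VWE324.EXE):
# three letters then three digits. Heuristic only, assumed for this example.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{3}\d{3}\.EXE$", re.IGNORECASE)

# A HijackThis item line ("R0 - ...", "O4 - ...") ends the process list.
ITEM_RE = re.compile(r"^[RFNO]\d+ - ")


def running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    procs: List[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line.lower() == "running processes:"
            continue
        if not line or ITEM_RE.match(line) or line.startswith("--"):
            break
        procs.append(line)
    return procs


def in_volatile_dir(path: str) -> bool:
    """True if the path sits under one of the temp-style directories above."""
    low = path.lower()
    return any(d in low for d in VOLATILE_DIRS)


def temp_processes(log: str) -> List[str]:
    """Processes in the log that are running from a temp-style directory."""
    return [p for p in running_processes(log) if in_volatile_dir(p)]


def renamed_temp_processes(before: str, after: str) -> List[Tuple[str, str]]:
    """Pair temp-dir processes across two runs: same directory, different
    random-looking name. A rename between reboots is the pattern described
    in the thread, so each pair is worth submitting to the AV vendor."""
    after_by_dir: Dict[str, List[str]] = {}
    for p in temp_processes(after):
        after_by_dir.setdefault(ntpath.dirname(p).lower(), []).append(p)
    pairs: List[Tuple[str, str]] = []
    for p in temp_processes(before):
        for q in after_by_dir.get(ntpath.dirname(p).lower(), []):
            p_name, q_name = ntpath.basename(p), ntpath.basename(q)
            if (p_name.lower() != q_name.lower()
                    and RANDOM_NAME_RE.match(p_name)
                    and RANDOM_NAME_RE.match(q_name)):
                pairs.append((p, q))
    return pairs


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(label, "temp-dir processes:", temp_processes(log))
    for old, new in renamed_temp_processes(LOG_BEFORE, LOG_AFTER):
        print("renamed between runs:", old, "->", new)
```

Run against the two full logs in this thread the same function flags C:\WINDOWS\TEMP\NLD146.EXE and C:\WINDOWS\TEMP\VWE324.EXE as one renamed process; the remaining entries all live under Program Files or system32 and are not reported.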
Yes Vundo trojan can really damage your PC speed. We are nearly done now.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only-
Double-click
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser-
Click
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser-
Click
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Reboot and post a new DSS log after that
-
ActorSeeksJob wrote: »If you could please post in the topic you made over there and tell them you are getting help here so they can close it, just so you don't have somebody else helping you as well as it will waste their time, and like you said there are a lot of logs for them
Again, thanks a lot for your help. Everything is looking good so far.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only-
Double-click
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser-
Click
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser-
Click
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Reboot and post a new DSS log after that
Deckard's System Scanner v20071014.68
Run by SB013944 on 2007-12-17 10:52:16
Computer is in Normal Mode.
-- HijackThis (run as SB013944.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:19, on 17/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\WINDOWS\system32\gtdetectsc.exe
C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
C:\Program Files\Gemplus\GAC\GACService.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\WINDOWS\TEMP\VWE324.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\Documents and Settings\sb013944\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SB013944.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycorp1.corp1.com/mycorp1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://http://crmprdweb.corp1.com/mycorp1/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidEM?clid=1033&p1=6&p2=tour
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cerner GRID
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Trend OfficeScan ImageSetup] "m:\applications\trendimgupdate\imgsetup.exe" "/000d56749d27" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [RegTool] C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Alice Automatic Updates Agent.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://http://crmprdweb.corp1.com/mycorp1/
O15 - Trusted Zone: *.capeweb
O15 - Trusted Zone: *.corp1
O15 - Trusted Zone: *.corp1.com
O15 - Trusted Zone: *.northamerica.corp1.net
O15 - Trusted Zone: *.firsthandfoundation
O15 - Trusted Zone: *.intellinet
O15 - Trusted Zone: *.krpro01
O15 - Trusted Zone: *.meetingplace
O15 - Trusted Zone: *.msprjcrtweb
O15 - Trusted Zone: *.msprjprdweb
O15 - Trusted Zone: *.mymeded
O15 - Trusted Zone: corp1.skillport.com
O15 - Trusted Zone: *.vccorp1.com
O15 - Trusted Zone: *.webwhqprd
O15 - Trusted Zone: *.wsswebcrtwhq01
O15 - Trusted Zone: *.wsswebcrtwhq02
O15 - Trusted Zone: *.wsswebwhq01
O15 - Trusted Zone: *.wsswebwhq02
O16 - DPF: {04897B74-BBBE-46E5-9550-5C487F39C2E4} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195851237843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195851209953
O16 - DPF: {85615D08-3D5B-4045-976D-231011156A6D} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_OutBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_Desktop_Integration.cab
O16 - DPF: {93A85BE8-6137-4E48-BBC8-E78E27035DB0} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19227/applets/SiebelAx_HI_Client.cab
O16 - DPF: {DB9581FB-C302-46DE-A0B6-24CF90C7BE44} (Siebel High Interactivity Framework) - http://navigator.corp1.com/callcenter/19230/applets/SiebelAx_HI_Client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O17 - HKLM\Software\..\Telephony: DomainName = northamerica.corp1.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = northamerica.corp1.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: GtDetectSc Service (gtdetectsc) - OptionNV - C:\WINDOWS\system32\gtdetectsc.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
--
End of file - 12685 bytes
-- Files created between 2007-11-17 and 2007-12-17
2007-12-17 10:33:47 0 d C:\WINDOWS\LastGood
2007-12-17 10:23:28 0 dr-h C:\Documents and Settings\sb013944\Recent
2007-12-17 00:28:44 0 d C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-17 00:28:29 0 d C:\Program Files\SUPERAntiSpyware
2007-12-17 00:28:29 0 d C:\Documents and Settings\sb013944\Application Data\SUPERAntiSpyware.com
2007-12-17 00:27:51 0 d C:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 23:51:35 0 d--h C:\WINDOWS\PIF
2007-12-14 15:21:36 0 d C:\Program Files\SpywareGuard
2007-12-14 11:20:49 0 d C:\Program Files\SpywareBlaster
2007-12-14 07:01:34 0 d C:\!KillBox
2007-12-14 06:07:43 0 d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-14 05:03:04 0 d C:\Program Files\CCleaner
2007-12-13 23:57:52 0 d C:\VundoFix Backups
2007-12-13 23:16:58 0 d C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-13 22:34:35 0 d C:\Documents and Settings\sb013944\Application Data\HouseCall 6.6
2007-12-04 18:38:12 3596288 --a C:\WINDOWS\system32\qt-dx331.dll
2007-12-04 18:36:22 196608 --a C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-04 18:36:22 81920 --a C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-04 18:36:14 802816 --a C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 823296 --a C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:36:14 682496 --a C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 18:35:32 12288 --a C:\WINDOWS\system32\DivXWMPExtType.dll
-- Find3M Report
2007-12-17 02:53:09 0 d C:\Documents and Settings\sb013944\Application Data\Wave Systems Corp
2007-12-17 00:27:51 0 d C:\Program Files\Common Files
2007-12-15 20:29:51 0 d C:\Program Files\WinTidy
2007-12-15 14:37:52 141073 --a C:\WINDOWS\system32\nvModes.dat
2007-12-15 03:22:15 0 d C:\Program Files\Java
2007-12-14 14:23:27 0 d C:\Program Files\Microsoft ActiveSync
2007-12-14 05:46:34 0 d C:\Program Files\Connected
2007-12-14 01:59:44 0 d C:\Program Files\Trend Micro
2007-12-14 01:57:35 0 d C:\Program Files\Steam
2007-12-14 01:53:44 0 d C:\Program Files\Azureus
2007-12-13 21:58:38 0 d C:\Program Files\SopCast
2007-12-10 23:08:32 0 d C:\Program Files\DivX
2007-11-24 10:12:47 0 d C:\Documents and Settings\sb013944\Application Data\Azureus
2007-11-21 15:15:59 0 d C:\Program Files\FairUse Wizard 2
2007-11-14 09:44:54 0 d--h C:\Program Files\InstallShield Installation Information
2007-11-14 09:43:03 0 d C:\Program Files\Wave Systems Corp
2007-11-14 09:34:02 0 d C:\Program Files\NTRU Cryptosystems
2007-11-03 17:37:52 0 d C:\Program Files\KONAMI
2007-10-23 15:21:07 0 d C:\Documents and Settings\sb013944\Application Data\Sports Interactive
2007-10-23 15:12:23 0 d C:\Program Files\Sports Interactive
2007-10-21 14:23:58 0 d C:\Documents and Settings\sb013944\Application Data\Nokia Multimedia Player
2007-10-17 21:58:04 0 d C:\Program Files\Belarc
2007-10-05 06:41:48 1485 --a C:\Documents and Settings\sb013944\Application Data\NMM-MetaData.db
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 19:13]
"Trend OfficeScan ImageSetup"="m:\applications\trendimgupdate\imgsetup.exe" []
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [07/02/2006 21:16]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [19/01/2006 14:14]
"NVHotkey"="nvHotkey.dll" [19/01/2006 14:14 C:\WINDOWS\system32\nvhotkey.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [13/08/2004 06:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [07/01/2004 06:01]
"SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [23/03/2007 12:20]
"RegTool"="C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe" [08/06/2005 14:48]
"gemstrmw"="C:\WINDOWS\system32\gemstrmw.exe" [15/09/2004 14:28]
"GACService"="C:\Program Files\Gemplus\GAC\GACService.exe" [21/06/2007 15:16]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [08/09/2006 08:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [12/05/2005 17:40]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" [22/11/2007 16:10]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [21/06/2007 14:06]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe"
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
C:\Documents and Settings\sb013944\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 19:05:35]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Alice Automatic Updates Agent.lnk - C:\Program Files\T-Mobile\Communication Center\AutoUpdateSrv.exe [06/04/2007 13:56:18]
Connected TaskBar Icon.LNK - C:\Program Files\Connected\CBSysTray.exe [21/09/2006 23:20:48]
EMBASSY Trust Suite Secure Update.lnk - C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [25/08/2006 09:45:30]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [02/05/2006 17:22:30]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [27/03/2006 03:44:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"HideStartupScripts"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 18:11 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wxvault.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\insmswhq01\SMSClient\i386\client.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- \autorun.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]
"C:\Program Files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1
-- End of Deckard's System Scanner: finished at 2007-12-17 10:52:35
Again, there's an .exe still running out of Windows temp - is it even Vundo related? After the reboot, I attempted to use ATFCleaner only with Windows temp option selected but the message returned was "No Files Removed". The .exe is represented by a little brown dog icon if that's any help.
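Added example, not part of any post in this thread: a small Python triage script over HijackThis-style O20/O23 lines like the ones in the log above. It reports the entries a reviewer looks at first: services with "Unknown owner", service binaries launched from user-writable folders such as a Temp directory, and Winlogon Notify DLLs, which load at every logon and were a common Vundo persistence point. The sample lines are constructed for the demo: three are copied from the log above and one ("Example Updater", a hypothetical service in a Temp folder) is invented to exercise the checks.

```python
"""Triage HijackThis-style O20/O23 entries for common persistence red flags.

Added example, not from the thread. The checks are deliberately simple: an
absent publisher, a service binary in a user-writable folder, and any
Winlogon Notify DLL get reported for manual review.
"""
import re
from dataclasses import dataclass, field

O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

# Folders an ordinary user can write to; a service binary living here is unusual.
USER_WRITABLE = ("\\temp\\", "\\temporary internet files\\",
                 "\\application data\\", "\\recycler\\")

# Constructed sample: three lines copied from the log above plus one invented
# service ("Example Updater", hypothetical) placed in a Temp folder.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\update.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""


@dataclass
class Finding:
    kind: str           # "O20" or "O23"
    name: str           # display name of the service / notify package
    path: str           # binary or DLL path as logged
    reasons: list = field(default_factory=list)


def parse_o23(rest):
    """Split '<display name> - <owner> - <path>' from the right: the display
    name itself may contain ' - ', but the owner and path fields rarely do."""
    try:
        name, owner, path = rest.rsplit(" - ", 2)
    except ValueError:
        return None
    return name.strip(), owner.strip(), path.strip()


def triage(log_text):
    """Return the O20/O23 entries that deserve a second look, with reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            parsed = parse_o23(m.group("rest"))
            if parsed is None:
                continue
            name, owner, path = parsed
            reasons = []
            if owner.lower() == "unknown owner":
                reasons.append("no publisher recorded (Unknown owner)")
            if any(tok in path.lower() for tok in USER_WRITABLE):
                reasons.append("service binary in a user-writable folder")
            if reasons:
                findings.append(Finding("O23", name, path, reasons))
            continue
        m = O20_RE.match(line)
        if m:
            findings.append(Finding("O20", m.group("name"), m.group("path"),
                                    ["Winlogon Notify DLL loads at every logon; confirm publisher and hash"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name!r} -> {f.path}")
        for r in f.reasons:
            print("    *", r)
```

Run it against a saved HijackThis or DSS log by passing the file contents to `triage()`. A hit is a reason to verify the file (publisher, hash, where it was installed from), not proof of infection: the NTRU service above is flagged only because the log records no owner for it.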
Vundo is gone which is the main thing. Let's do a few more in depth scans. Could you take a screenshot of the temp file and post it here?
Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:
C:\WINDOWS\TEMP\VWE324.EXE
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
Please download OTMoveIt by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\TEMP\VWE324.EXE
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Close OTMoveIt
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
Click "Exit" to close OTMoveIt.
* Click here to download AVG Anti Rootkit and save it to your desktop.
- Double-click on the AVG_AntiRootkit_1.1.0.42.exe file to run it.
- Click "I Agree" to agree to the EULA.
- By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
- Click "Next" to begin the installation then click "Install".
- It will then ask you to reboot now to finish the installation.
- Click "Finish" and your computer will reboot.
- After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
- Click on the "Perform in-depth search" button to begin the scan.
- The scan will take a while so be patient and let it complete.
- When the scan is finished, click the "Save result to file" button.
- Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Scan Mail Bases
- Click OK
- Now under select a target to scan:
Select
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Copy and paste that information in your next post.
Please download RUNSCANNER to your desktop and run it.
- When the first page comes up select Beginner Mode
- On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
- At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
- On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
- Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right clicking and selecting Send to > Zip file.
Then upload that as an attachment in your next post.
ActorSeeksJob wrote: »Vundo is gone which is the main thing. Let's do a few more in depth scans. Could you take a screenshot of the temp file and post it here?
First of all, virustotal.com revealed nothing:
---
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - Prevx Database Unreachable
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 3d4a3262f183d37dcc975d933dd732fe
----
Attached are 2 screenshots. The first is prior to running OTmoveIT. And OTmoveIT was able to remove the .exe successfully:
---
C:\WINDOWS\TEMP\VWE324.EXE moved successfully.
Created on 12/17/2007 11:42:19
---
Now after the installation of AVG Anti Rootkit and then a Reboot, I took a quick glance at the temp folder (see 2nd screenshot) and could see the .exe there again!
So on a whim, I googled for 'exe file in windows temp brown dog icon', which threw up some enlightening results. It seems this file is a legit one used by the Trend Realtime scanner as a way to look out for itself. So not malicious at all! Here's one quote I found...
"The file is the OfficeScan Watchdog service on the anti-hacking mode. The Watchdog service keeps an eye on the OfficeScan client services. The Watchdog service also restarts the OfficeScan services when they are unexpectedly terminated due to hacker or virus attack. The anti-hack mode allows the Watchdog service to have random names to prevent viruses or other malicious threats from identifying the service and terminating"
Additionally the AVG Anti Rootkit scan also revealed nothing. Nevertheless I shall go ahead and do the Kaspersky and Runscanner scans as well.
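Added example, not from any post in this thread. The watchdog lesson above is that a file name in TEMP tells you nothing once a program (or a piece of malware) randomises it, but the content hash does: the MD5 posted to VirusTotal earlier in the thread identifies that binary whatever it is called, which is also what the VirusTotal step in the helper's instructions relies on. This Python script hashes every .exe in a folder and matches the digests against a list of known hashes, so a recurring file can be recognised as the same binary, or shown to be something different. The demo directory and its files are constructed here; the one real hash in the list is the MD5 from the VirusTotal report above. Because MD5 collisions are cheap to produce, the script records SHA-256 alongside it for any list you maintain yourself.

```python
"""Recognise a recurring TEMP executable by content hash rather than by name.

Added example, not from the thread. KNOWN_MD5 holds the MD5 reported by
VirusTotal for C:\\WINDOWS\\TEMP\\VWE324.EXE above; everything else here
(the demo folder, its files, the second hash entry) is constructed.
"""
import hashlib
import os
import tempfile

# MD5 of the watchdog binary as posted to VirusTotal in this thread.
KNOWN_MD5 = {
    "3d4a3262f183d37dcc975d933dd732fe": "Trend OfficeScan watchdog (per thread)",
}


def file_digests(path, chunk=1 << 16):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def classify_executables(directory, known_md5):
    """Map each .exe in directory to (md5, sha256, label-or-None).

    A label means the content matches a known binary regardless of its name;
    None means the file is unknown and needs a closer look.
    """
    out = {}
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".exe"):
            continue
        md5, sha = file_digests(os.path.join(directory, name))
        out[name] = (md5, sha, known_md5.get(md5))
    return out


def demo():
    """Constructed demo: two differently named copies of one payload plus a
    stranger, in a throwaway folder standing in for C:\\WINDOWS\\TEMP."""
    payload = b"MZ" + b"constructed watchdog stand-in" * 40
    other = b"MZ" + b"something else entirely" * 40
    known = dict(KNOWN_MD5)
    known[hashlib.md5(payload).hexdigest()] = "watchdog stand-in (constructed)"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("VWE324.EXE", payload), ("KQ81Z.EXE", payload),
                           ("update.exe", other), ("notes.txt", other)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return classify_executables(d, known)


if __name__ == "__main__":
    for name, (md5, sha, label) in demo().items():
        print(f"{name:12} md5={md5} label={label or 'UNKNOWN - investigate'}")
```

On the real machine, point `classify_executables()` at `%WINDIR%\TEMP` after each reboot: a file that keeps coming back under new names but always hashes to the known watchdog value is the behaviour the Trend quote describes, while a new name with a new hash is exactly what that rule would otherwise hide.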
That is some pretty good detective work
Pretty stupid move by Trend Micro...
You don't need to worry about our attempts at trying to remove it. That file will return itself each time to your temp file. Handy to know this for future reference.
You can leave the Kaspersky and Runscanner tasks. I thought the .exe file may be a rootkit hence why I wanted those scans. Your PC is clean now, so we just need to do clean up.
You can delete the tools that we used.
Go to Start > Control Panel > Add or Remove Programs > Remove
Java 2 Runtime Environment, SE v1.4.2_02
Java 2 Runtime Environment, SE v1.4.2_04
Now we need to create a new System Restore point.
Click Start Menu > Run > type (or copy and paste)
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.
Next go to Start Menu > Run > type
cleanmgr
Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.
To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK then choose Yes on the confirmation window.
Below I have included a number of recommendations for how to protect your computer against malware infections.
* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest security updates installed.
* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here
* SpywareGuard offers realtime protection from spyware installation attempts.
Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
- Next click OK, then the Apply button and then OK to exit the Internet Properties page.
* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' Here
Thank you for your patience, and performing all of the procedures requested.
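Added example, not from any post in this thread. The MVPS HOSTS file recommended above works by pointing unwanted hosts at 127.0.0.1, and Vundo-era malware used the same file in reverse: pointing an update or anti-virus domain at a foreign address, or sinkholing it so the product can never update. This Python audit parses a HOSTS file and sorts its entries into ordinary block entries, entries that send a name somewhere other than loopback (a hijack), and sinkholed entries for domains you would never want blocked. The sample file is constructed for the demo (the real MVPS list is not reproduced); the "protected" domain list is an assumption, seeded from the Windows Update address and the Trend Micro product mentioned in this thread.

```python
"""Audit a Windows HOSTS file: block entries versus hijacks.

Added example, not from the thread. Entries that map a name to loopback or
0.0.0.0 are ordinary block entries (how the MVPS file works); an entry that
maps a name to any other address is treated as a hijack; a loopback entry for
a domain on the PROTECTED list (an assumption) is flagged because it would
silently break updates for that product.
"""
import ipaddress

SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption: domains whose blocking or redirection is always a red flag on
# this machine. Seeded from the thread (Windows Update, Trend Micro).
PROTECTED = ("microsoft.com", "windowsupdate.com", "trendmicro.com")

# Constructed sample in the MVPS layout; not the real MVPS file.
SAMPLE_HOSTS = """\
# localhost first, then block entries, then two entries that should not be there
127.0.0.1 localhost
127.0.0.1 ads.example.com          # typical block entry
0.0.0.0 tracker.example.net  www.tracker.example.net
192.0.2.10 windowsupdate.microsoft.com   # hijack: update traffic sent to a foreign IP
127.0.0.1 www.trendmicro.com       # sinkholing the AV vendor blocks its updates
not-an-ip garbage.example.org
"""


def is_protected(host):
    """True for a protected domain or any subdomain of one (no substring matches)."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED)


def parse_hosts(text):
    """Return (lineno, ip, hostname) for every valid entry, ignoring comments,
    blank lines and lines whose first field is not an IP address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def audit_hosts(text):
    """Bucket every entry as blocked, hijacked or protected_blocked."""
    report = {"blocked": [], "hijacked": [], "protected_blocked": []}
    for lineno, ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if ip not in SINKHOLE:
            report["hijacked"].append((lineno, ip, host))
        elif is_protected(host):
            report["protected_blocked"].append((lineno, ip, host))
        else:
            report["blocked"].append((lineno, ip, host))
    return report


if __name__ == "__main__":
    for bucket, items in audit_hosts(SAMPLE_HOSTS).items():
        print(bucket, len(items))
        for lineno, ip, host in items:
            print(f"  line {lineno}: {ip} {host}")
```

On an XP machine the file to read is `%SystemRoot%\system32\drivers\etc\hosts`; run the audit before and after installing the MVPS list, and again whenever Windows Update or the anti-virus console stops reaching its servers, since an unexpected entry in either of the last two buckets is a sign the file has been tampered with.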
Excellent.
I've deleted those tools, created the new restore point and performed the Cleanup task. All is looking great now. Computer is zipping along.
I assume one of the main reasons that I got caught out was the old version of Java ....hmmmm, learnt a lesson there - always Update Update Update !!
A huge thank you to you, ASJ. Your knowledge is absolutely priceless (I learnt a thing or two myself as well) and boards.ie is a better place for it!
Merry Xmas