There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
access audio avg avg 8 bios blue screen boot bsod computer connection cpu crash css dell desktop dma driver drivers dvd email error excel explorer firefox firefox 3 freeze gimp graphics hard drive hardware hijackthis hjt install internet internet explorer itunes keyboard laptop macro malware monitor motherboard network networking outlook outlook 2003 outlook 2007 outlook express pio problem problems router seo server slow sound sp3 spyware trojan usb video virtumonde virus vista vundo windows windows vista windows xp winxp wireless
General Security
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > General Security >
HJT log - Possible Virus 2


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

 
Thread Tools
p51's Avatar
p51 p51 is offline
Senior Member with 937 posts.
  
Join Date: Mar 2002
Location: Columbus, OH
11-Apr-2008, 09:32 AM #1
HJT log - Possible Virus 2
Hi guys,

I am attaching the HJT log for a second pc I am struggling with. The Vundo virus was found and Trend Micro's housecall appeared to clean it. We are still haveing issues with sluggishness and popups out of the ordinary. I have run adaware and spybotsd. We run McAfee 8.5i here on XPsp2 OS that is up to date with Windows updates.

If someone has the time to scan through this log file and tell me if anything looks out of the ordinary and/or malicious, that would be great.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:03 AM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3055295A-CCDD-44B2-9F73-D8E8E626E5C1} - C:\WINDOWS\system32\ddcdaxv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {A0E1191E-538F-4CE4-AE09-284426951CE0} - C:\WINDOWS\System32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {E5C53BE6-20B0-4BD0-9780-A519BB15C0BA} - C:\WINDOWS\system32\mllml.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} (OBXWebDocumentSelect Control) - http://btm-onbase/appnet/activex/OBXWebSelect.cab
O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://btm-onbase/appnet/activex/OBXWebViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.boundtree.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2DD6D6-C55B-4A6B-A618-DE5FB9A8F8AF}: NameServer = 10.1.1.10,10.1.1.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O20 - Winlogon Notify: ddcdaxv - ddcdaxv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6776 bytes


Thanks a lot,

Jay
__________________
Some days you're the dog.....some days you're the hydrant.
Cheeseball81's Avatar
Moderator with 71,506 posts.
  
Join Date: Mar 2004
Location: New York
Experience: Mighty Nerdy
11-Apr-2008, 04:18 PM #2
This one is much worse than the other.

Please download MsnCleaner.zip and Save it to your Desktop.
  • Unzip it to the Desktop.
  • Now reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit Enter.
  • Double-click MsnCleaner.exe to run it.
  • Click the Analyze button.
  • A report will be created once after you finish scan.
  • If it finds an infection, click the Deleted button.
  • Now, please reboot back to normal mode.
  • Please post the contents of C:\MsnCleaner.txt in a reply to this post along with a new HJT log.
__________________
Member of ASAP

Microsoft MVP/Windows - Consumer Security

If we've helped, please donate to TSG.
p51's Avatar
p51 p51 is offline
Senior Member with 937 posts.
  
Join Date: Mar 2002
Location: Columbus, OH
14-Apr-2008, 01:53 PM #3
Ok Cheeseball, below are the logs you requested. The msncleaner.txt is first and the new hjt text follows:

- Logfile MSNCleaner 1.6.2 by www.forospyware.com
- Created Logfile: 4/14/2008 on 1:34:51 PM
- Operative System: Windows XP
- Boot mode: Safe mode with network support
_________________________________________

Detected files: 3
Deleted file: 3
Undeleted Files: 0

C:\WINDOWS\cookies.ini <--- Deleted
C:\WINDOWS\live.messenger.com <--- Deleted
C:\WINDOWS\system32\mcrh.Tmp <--- Deleted

Host file Restored


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:58 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 2281 bytes


Thanks a ton.

Jay
__________________
Some days you're the dog.....some days you're the hydrant.
Cheeseball81's Avatar
Moderator with 71,506 posts.
  
Join Date: Mar 2004
Location: New York
Experience: Mighty Nerdy
14-Apr-2008, 06:20 PM #4
A lot of 04s are missing. Were any items turned off from Startup?
p51's Avatar
p51 p51 is offline
Senior Member with 937 posts.
  
Join Date: Mar 2002
Location: Columbus, OH
14-Apr-2008, 09:34 PM #5
nothing deliberately or intentionally. The only thing diferent between HJT logs is what ever msncleaner cleaned and deleted.
p51's Avatar
p51 p51 is offline
Senior Member with 937 posts.
  
Join Date: Mar 2002
Location: Columbus, OH
15-Apr-2008, 07:37 AM #6
Ok, this morning I rebooted the machine and re-ran HJT. The log is much larger now and has the 04's.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:48 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btmintranet/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [cc3a2b8f] rundll32.exe "C:\WINDOWS\system32\drtpmedy.dll",b
O4 - HKLM\..\Run: [BMcf091813] Rundll32.exe "C:\WINDOWS\system32\wsbpihfu.dll",s
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm429NUUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} (OBXWebDocumentSelect Control) - http://btm-onbase/appnet/activex/OBXWebSelect.cab
O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://btm-onbase/appnet/activex/OBXWebViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.boundtree.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2DD6D6-C55B-4A6B-A618-DE5FB9A8F8AF}: NameServer = 10.1.1.10,10.1.1.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6697 bytes
__________________
Some days you're the dog.....some days you're the hydrant.
Cheeseball81's Avatar
Moderator with 71,506 posts.
  
Join Date: Mar 2004
Location: New York
Experience: Mighty Nerdy
15-Apr-2008, 09:11 PM #7
Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • ...
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
__________________
Member of ASAP

Microsoft MVP/Windows - Consumer Security

If we've helped, please donate to TSG.
p51's Avatar
p51 p51 is offline
Senior Member with 937 posts.
  
Join Date: Mar 2002
Location: Columbus, OH
16-Apr-2008, 08:07 AM #8
Cheeseball, I ran Combofix and another HJT. Below are the log files. Thanks a lot for helping out on both of these computers. I really do appreciate it.

ComboFix 08-04-13.3 - SWagner 2008-04-16 7:33:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.308 [GMT -4:00]
Running from: C:\Documents and Settings\swagner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\swagner\Application Data\macromedia\Flash Player\#SharedObjects\TT9E6GBD\www.broadcaster.com
C:\Documents and Settings\swagner\Application Data\macromedia\Flash Player\#SharedObjects\TT9E6GBD\www.broadcaster.com\played_list.sol
C:\Documents and Settings\swagner\Application Data\macromedia\Flash Player\#SharedObjects\TT9E6GBD\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\swagner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\swagner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aenxeqvm.dll
C:\WINDOWS\system32\awagsime.ini
C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\awttTLbb.dll
C:\WINDOWS\system32\bdbmafaa.dll
C:\WINDOWS\system32\cbXoPICt.dll
C:\WINDOWS\system32\dDsRhhEx.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drtpmedy.dll
C:\WINDOWS\system32\ecvdflvk.ini
C:\WINDOWS\system32\efCUmmll.dll
C:\WINDOWS\system32\efhkj.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\fccbARIa.dll
C:\WINDOWS\system32\fccbXpqP.dll
C:\WINDOWS\system32\fccdbXPh.dll
C:\WINDOWS\system32\geBqQHyA.dll
C:\WINDOWS\system32\geBsSIYP.dll
C:\WINDOWS\system32\geBtRklk.dll
C:\WINDOWS\system32\geBtSJCv.dll
C:\WINDOWS\system32\geBuRKee.dll
C:\WINDOWS\system32\gemyyfih.ini
C:\WINDOWS\system32\hgGvvSLf.dll
C:\WINDOWS\system32\iifcBrrq.dll
C:\WINDOWS\system32\iifdcaba.dll
C:\WINDOWS\system32\iifefcdc.dll
C:\WINDOWS\system32\ikgijirs.ini
C:\WINDOWS\system32\jkKBQghI.dll
C:\WINDOWS\system32\jkkhgfDw.dll
C:\WINDOWS\system32\jkklJbAT.dll
C:\WINDOWS\system32\khfefed.dll
C:\WINDOWS\system32\khfEuRlK.dll
C:\WINDOWS\system32\khfFXqOi.dll
C:\WINDOWS\system32\klkRtBeg.ini
C:\WINDOWS\system32\klkRtBeg.ini2
C:\WINDOWS\system32\lhdtlhwy.dll
C:\WINDOWS\system32\lijtypce.dll
C:\WINDOWS\system32\ljJAQGxw.dll
C:\WINDOWS\system32\ljJBspqq.dll
C:\WINDOWS\system32\ljJCsqPI.dll
C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\lmllm.ini2
C:\WINDOWS\system32\mlJAPHyX.dll
C:\WINDOWS\system32\mlJCsrQk.dll
C:\WINDOWS\system32\mlJDsRki.dll
C:\WINDOWS\system32\mljGYRlm.dll
C:\WINDOWS\system32\nmefrkkp.ini
C:\WINDOWS\system32\opnkiiFv.dll
C:\WINDOWS\system32\opnmKArR.dll
C:\WINDOWS\system32\opnOhIBU.dll
C:\WINDOWS\system32\opnooOgF.dll
C:\WINDOWS\system32\pmNGYRjJ.dll
C:\WINDOWS\system32\pmnkiIyx.dll
C:\WINDOWS\system32\pmnLcCtq.dll
C:\WINDOWS\system32\pmnmlljI.dll
C:\WINDOWS\system32\pmnmnNec.dll
C:\WINDOWS\system32\ptmxtybg.dll
C:\WINDOWS\system32\qoMdCsRi.dll
C:\WINDOWS\system32\qoMETmnl.dll
C:\WINDOWS\system32\rqRKDwwu.dll
C:\WINDOWS\system32\rqrpqqp.dll
C:\WINDOWS\system32\spwssetj.dll
C:\WINDOWS\system32\srijigki.dll
C:\WINDOWS\system32\ssQIyYsP.dll
C:\WINDOWS\system32\ssqNgHXr.dll
C:\WINDOWS\system32\ssqQjHaX.dll
C:\WINDOWS\system32\ukgpswlo.dll
C:\WINDOWS\system32\urqOETmm.dll
C:\WINDOWS\system32\urqQkkhh.dll
C:\WINDOWS\system32\uyduwxrx.ini
C:\WINDOWS\system32\vtUklKCs.dll
C:\WINDOWS\system32\vtULFuvw.dll
C:\WINDOWS\system32\vtUmKDSK.dll
C:\WINDOWS\system32\vtUNDssQ.dll
C:\WINDOWS\system32\vtUnmMff.dll
C:\WINDOWS\system32\waxcntql.ini
C:\WINDOWS\system32\wsbpihfu.dll
C:\WINDOWS\system32\wvUoLdcA.dll
C:\WINDOWS\system32\xgcsohic.dll
C:\WINDOWS\system32\xkvcgtmm.dll
C:\WINDOWS\system32\xxyaAtsR.dll
C:\WINDOWS\system32\xxyVpopQ.dll
C:\WINDOWS\system32\xxywWpqP.dll
C:\WINDOWS\system32\yayaBRlL.dll
C:\WINDOWS\system32\yayvvsp.dll
C:\WINDOWS\system32\yayvvsQJ.dll
C:\WINDOWS\system32\yaywxULf.dll
C:\WINDOWS\system32\yayyWqPI.dll
C:\WINDOWS\system32\ydemptrd.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-14 17:28 . 2008-04-14 17:28 3,648 --a------ C:\WINDOWS\system32\kcwnpxet.dll
2008-04-14 13:34 . 2008-04-14 13:34 <DIR> d-------- C:\MSNCleaner
2008-04-13 17:28 . 2008-04-13 17:28 3,648 --a------ C:\WINDOWS\system32\aqniqfvh.dll
2008-04-12 17:25 . 2008-04-12 17:25 3,648 --a------ C:\WINDOWS\system32\oobcncud.dll
2008-04-11 17:23 . 2008-04-11 17:23 3,648 --a------ C:\WINDOWS\system32\glcbyian.dll
2008-04-11 08:50 . 2008-04-11 08:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-11 08:02 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-10 14:34 . 2008-04-10 15:41 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-04-10 14:14 . 2008-04-10 14:14 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-10 13:28 . 2008-02-20 01:32 45,568 --------- C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-04-10 08:22 . 2008-04-10 08:22 3,648 --a------ C:\WINDOWS\system32\ebdhptcb.dll
2008-04-09 13:50 . 2008-04-09 13:50 102 --a------ C:\WINDOWS\wininit.ini
2008-04-09 12:41 . 2008-04-09 12:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-09 12:41 . 2008-04-09 13:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 08:24 . 2008-04-09 08:24 1,600,529 --ahs---- C:\WINDOWS\system32\yegingqe.ini
2008-04-09 08:21 . 2008-04-09 08:21 3,648 --a------ C:\WINDOWS\system32\hstkxjxa.dll
2008-04-08 08:28 . 2008-04-09 08:25 1,634,705 --ahs---- C:\WINDOWS\system32\cnkiimui.ini
2008-04-08 08:22 . 2008-04-08 08:22 3,648 --a------ C:\WINDOWS\system32\kuvprrpg.dll
2008-04-07 08:19 . 2008-04-08 08:25 1,617,243 --ahs---- C:\WINDOWS\system32\wmsvgrew.ini
2008-04-07 08:17 . 2008-04-15 17:27 101,091 --a------ C:\WINDOWS\BMcf091813.xml
2008-04-07 07:06 . 2008-04-07 07:58 <DIR> d-------- C:\VundoFix Backups
2008-04-05 13:05 . 2008-03-01 09:06 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-05 13:05 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-05 13:05 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-05 13:05 . 2008-03-01 09:06 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-05 13:05 . 2008-03-01 09:06 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-05 13:05 . 2008-03-01 09:06 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-05 13:05 . 2008-03-01 09:06 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-05 13:05 . 2008-03-01 09:06 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-05 13:05 . 2008-02-22 06:00 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-05 11:33 . 2008-04-05 11:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-05 11:33 . 2008-04-05 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-05 11:32 . 2008-04-05 11:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-05 09:04 . 2008-04-05 09:04 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-05 08:39 . 2008-04-07 08:13 1,638,716 --ahs---- C:\WINDOWS\system32\ihcevkdu.ini
2008-04-05 03:09 . 2006-08-21 05:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-05 03:09 . 2006-08-21 05:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-05 03:09 . 2006-08-21 08:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-04 15:49 . 2006-12-26 09:07 536,576 --------- C:\WINDOWS\system32\dllcache\msado15.dll
2008-04-04 15:49 . 2006-12-19 14:16 333,824 --------- C:\WINDOWS\system32\dllcache\wiaservc.dll
2008-04-04 15:49 . 2006-12-26 09:07 200,704 --------- C:\WINDOWS\system32\dllcache\msadox.dll
2008-04-04 15:49 . 2006-12-26 09:07 180,224 --------- C:\WINDOWS\system32\dllcache\msadomd.dll
2008-04-04 15:49 . 2006-12-26 09:07 102,400 --------- C:\WINDOWS\system32\dllcache\msjro.dll
2008-04-04 15:47 . 2007-06-13 06:23 1,033,216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2008-04-04 15:47 . 2006-12-14 09:45 981,760 --------- C:\WINDOWS\system32\dllcache\mfc42u.dll
2008-04-04 15:47 . 2006-11-01 15:17 927,504 --------- C:\WINDOWS\system32\dllcache\mfc40u.dll
2008-04-04 15:47 . 2007-04-23 06:32 364,160 --------- C:\WINDOWS\system32\dllcache\update.sys
2008-04-04 15:47 . 2007-02-05 16:17 185,344 --------- C:\WINDOWS\system32\dllcache\upnphost.dll
2008-04-04 15:47 . 2007-12-18 05:51 179,584 --------- C:\WINDOWS\system32\dllcache\mrxdav.sys
2008-04-04 15:47 . 2006-08-17 08:28 132,096 --------- C:\WINDOWS\system32\dllcache\wkssvc.dll
2008-04-04 15:45 . 2007-10-29 18:43 1,287,680 --------- C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-04 15:45 . 2006-10-19 09:56 713,216 --------- C:\WINDOWS\system32\dllcache\sxs.dll
2008-04-04 15:45 . 2007-08-21 02:15 683,520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-04-04 15:45 . 2006-11-27 10:54 539,136 --------- C:\WINDOWS\system32\dllcache\msftedit.dll
2008-04-04 15:45 . 2006-11-27 10:54 433,152 --------- C:\WINDOWS\system32\dllcache\riched20.dll
2008-04-04 15:45 . 2006-06-14 04:47 172,416 --------- C:\WINDOWS\system32\dllcache\kmixer.sys
2008-04-04 15:45 . 2006-06-14 05:00 82,944 --------- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-04-04 15:45 . 2006-06-14 04:47 6,400 --------- C:\WINDOWS\system32\dllcache\splitter.sys
2008-04-04 15:43 . 2007-02-09 07:10 574,464 --------- C:\WINDOWS\system32\dllcache\ntfs.sys
2008-04-04 15:41 . 2007-12-04 14:38 550,912 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2008-04-04 15:05 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-04 15:02 . 2008-04-04 15:02 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-04 15:02 . 2008-04-04 15:02 <DIR> d-------- C:\WINDOWS\peernet
2008-04-04 14:58 . 2008-04-04 14:58 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-04 14:48 . 2008-04-04 14:48 <DIR> d-------- C:\WINDOWS\EHome
2008-04-04 11:59 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-04-04 11:59 . 2004-08-04 00:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-04-04 11:59 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-04-04 11:59 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-04-04 08:36 . 2008-04-05 08:37 1,302,982 --ahs---- C:\WINDOWS\system32\cffhssdh.ini
2008-04-03 11:16 . 2008-04-03 11:20 <DIR> d-------- C:\Documents and Settings\swagner\.housecall6.6
2008-04-03 07:52 . 2008-04-04 08:33 1,705,437 --ahs---- C:\WINDOWS\system32\nevdnxut.ini
2008-03-31 07:49 . 2008-03-31 20:00 1,312,020 --ahs---- C:\WINDOWS\system32\gllgrkor.ini
2008-03-28 17:19 . 2008-03-31 07:46 1,376,168 --ahs---- C:\WINDOWS\system32\upqmtrsp.ini
2008-03-27 17:23 . 2008-03-28 12:02 1,358,760 --ahs---- C:\WINDOWS\system32\pvbqvpra.ini
2008-03-26 17:18 . 2008-03-27 17:19 1,488,465 --ahs---- C:\WINDOWS\system32\uyqwpdpl.ini
2008-03-25 17:23 . 2008-03-26 12:36 1,504,948 --ahs---- C:\WINDOWS\system32\lethumxu.ini
2008-03-24 17:20 . 2008-03-25 17:21 1,581,258 --ahs---- C:\WINDOWS\system32\uaphdxmu.ini
2008-03-24 08:05 . 2008-03-23 17:22 1,543,159 --ahs---- C:\WINDOWS\system32\lnefgpol.ini
2008-03-23 17:21 . 2008-03-23 17:21 1,543,159 --ahs---- C:\WINDOWS\system32\lnefgpol.tmp
2008-03-21 14:54 . 2008-04-09 13:56 244 --ah----- C:\sqmnoopt19.sqm
2008-03-21 14:54 . 2008-04-09 13:56 232 --ah----- C:\sqmdata19.sqm
2008-03-21 14:33 . 2008-04-09 13:48 244 --ah----- C:\sqmnoopt18.sqm
2008-03-21 14:33 . 2008-04-09 13:48 232 --ah----- C:\sqmdata18.sqm
2008-03-21 14:21 . 2008-04-10 11:05 268 --ah----- C:\sqmdata17.sqm
2008-03-21 14:21 . 2008-04-10 11:05 244 --ah----- C:\sqmnoopt17.sqm
2008-03-21 14:11 . 2008-04-10 09:09 244 --ah----- C:\sqmnoopt16.sqm
2008-03-21 14:11 . 2008-04-10 09:09 232 --ah----- C:\sqmdata16.sqm
2008-03-21 14:03 . 2008-04-10 08:06 244 --ah----- C:\sqmnoopt15.sqm
2008-03-21 14:03 . 2008-04-10 08:06 232 --ah----- C:\sqmdata15.sqm
2008-03-21 12:04 . 2008-04-10 06:25 244 --ah----- C:\sqmnoopt14.sqm
2008-03-21 12:04 . 2008-04-10 06:25 232 --ah----- C:\sqmdata14.sqm
2008-03-21 11:54 . 2008-04-10 06:20 244 --ah----- C:\sqmnoopt13.sqm
2008-03-21 11:54 . 2008-04-10 06:20 232 --ah----- C:\sqmdata13.sqm
2008-03-21 11:29 . 2008-04-10 05:20 244 --ah----- C:\sqmnoopt12.sqm
2008-03-21 11:29 . 2008-04-10 05:20 232 --ah----- C:\sqmdata12.sqm
2008-03-21 11:19 . 2008-04-10 05:00 244 --ah----- C:\sqmnoopt11.sqm
2008-03-21 11:19 . 2008-04-10 05:00 232 --ah----- C:\sqmdata11.sqm
2008-03-21 11:07 . 2008-04-09 19:34 244 --ah----- C:\sqmnoopt10.sqm
2008-03-21 11:07 . 2008-04-09 19:34 232 --ah----- C:\sqmdata10.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 14:55 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-10 14:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-07 18:18 --------- d-----w C:\Program Files\Microsoft Office Communicator
2008-04-05 15:36 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-31 15:19 --------- d-----w C:\Program Files\Palm
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-14 12:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-01-23 22:35 95,064 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-01-23 22:35 95,064 ----a-w C:\WINDOWS\system32\cdm.dll
2008-01-23 22:35 556,376 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-01-23 22:35 325,464 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-01-23 22:35 204,120 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-01-23 22:35 1,743,704 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-01-23 22:35 1,743,704 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-01-23 22:34 53,592 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-01-23 22:34 53,592 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-01-23 22:34 44,888 ----a-w C:\WINDOWS\system32\wups2.dll
2008-01-23 22:34 36,184 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0E1191E-538F-4CE4-AE09-284426951CE0}]
C:\WINDOWS\System32\jkhfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}]
C:\WINDOWS\system32\mllml.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 03:51 3897040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 07:24 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 07:11 114688]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 12:57 143360]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 09:34 69632]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 17:34 36864]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 15:01 525824]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-04 10:48 136512]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-08-13 21:50 111952]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MSN Messenger"="live.messenger.com" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 03:51 3897040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe [2006-05-08 09:43:50 3325952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdaxv]
ddcdaxv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUNDssQ]
vtUNDssQ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 07:40:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-04-16 7:44:56
ComboFix-quarantined-files.txt 2008-04-16 11:43:49

Pre-Run: 20,842,991,616 bytes free
Post-Run: 20,819,984,384 bytes free
.
2008-04-10 18:26:42 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:54 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btmintranet/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {A0E1191E-538F-4CE4-AE09-284426951CE0} - C:\WINDOWS\System32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {E5C53BE6-20B0-4BD0-9780-A519BB15C0BA} - C:\WINDOWS\system32\mllml.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm429NUUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} (OBXWebDocumentSelect Control) - http://btm-onbase/appnet/activex/OBXWebSelect.cab
O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://btm-onbase/appnet/activex/OBXWebViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.boundtree.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2DD6D6-C55B-4A6B-A618-DE5FB9A8F8AF}: NameServer = 10.1.1.10,10.1.1.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O20 - Winlogon Notify: ddcdaxv - ddcdaxv.dll (file missing)
O20 - Winlogon Notify: vtUNDssQ - vtUNDssQ.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7339 bytes
__________________
Some days you're the dog.....some days you're the hydrant.
Cheeseball81's Avatar
Moderator with 71,506 posts.
  
Join Date: Mar 2004
Location: New York
Experience: Mighty Nerdy
16-Apr-2008, 05:34 PM #9
No problem...

Egads, this is a mess too.

Download the Trial version of Superantispyware Pro (SAS):
http://www.superantispyware.com/supe....html?rid=3132


Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new Hijack This log.
__________________
Member of ASAP

Microsoft MVP/Windows - Consumer Security

If we've helped, please donate to TSG.
p51's Avatar
p51 p51 is offline
Senior Member with 937 posts.
  
Join Date: Mar 2002
Location: Columbus, OH
17-Apr-2008, 10:47 AM #10
Ok, Cheese, here is the SuperAntiSpyware log (it found instances of the vundo trojan) and a new HJT. Again...thank you!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/17/2008 at 10:16 AM

Application Version : 4.0.1154

Core Rules Database Version : 3440
Trace Rules Database Version: 1432

Scan type : Complete Scan
Total Scan Time : 03:06:34

Memory items scanned : 436
Memory threats detected : 0
Registry items scanned : 4145
Registry threats detected : 10
File items scanned : 123045
File threats detected : 87

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A0E1191E-538F-4CE4-AE09-284426951CE0}
HKCR\CLSID\{A0E1191E-538F-4CE4-AE09-284426951CE0}
HKCR\CLSID\{A0E1191E-538F-4CE4-AE09-284426951CE0}\InprocServer32
HKCR\CLSID\{A0E1191E-538F-4CE4-AE09-284426951CE0}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKHFE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A0E1191E-538F-4CE4-AE09-284426951CE0}

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}
HKCR\CLSID\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}
HKCR\CLSID\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}\InprocServer32
HKCR\CLSID\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLLML.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}

Adware.Tracking Cookie
C:\Documents and Settings\swagner\Cookies\swagner@ad.us-ec.adtechus[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@realmedia[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@enhance[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@hornymatches[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@tradedoubler[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@tribalfusion[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@firstpremierbankcard.112.2o7[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@doubleclick[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@specificclick[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@atlas.entrepreneur[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@advertising[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@edge.ru4[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@atwola[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@ehg-organon.hitbox[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@newmedia.go211[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@findwhat[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@insightexpressai[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@secure.systemerrorfixer[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@systemerrorfixer[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@antispywaresuite[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@ads.vlaze[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@mediaplex[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@atdmt[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@revsci[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@silo.thefind[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@2o7[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@tagiq.clickforensics[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@ads.techguy[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@ad.yieldmanager[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@www.entrepreneur[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@ad.zanox[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@hitbox[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@tacoda[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@anad.tacoda[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@adnetserver[1].txt
C:\Documents and Settings\swagner\Cookies\swagner@statsgod[2].txt
C:\Documents and Settings\swagner\Cookies\swagner@ar.atwola[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP192\A0012104.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP197\A0012340.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP198\A0013345.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP198\A0013346.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013815.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013816.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013817.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013818.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013819.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013820.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013821.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013822.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013825.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013826.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013827.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013829.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013830.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013831.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013833.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013834.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013835.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP208\A0014916.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP208\A0014917.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP209\A0015994.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016052.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016055.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016075.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016092.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016098.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016102.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016112.DLL

Trojan.NewDotNet
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP199\A0013378.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP199\A0013379.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013783.DLL

Adware.Vundo-Variant/E
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013823.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013824.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013828.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013832.DLL

Trojan.Unclassified/MRT-Fake
C:\WINDOWS\SYSTEM32\AQNIQFVH.DLL
C:\WINDOWS\SYSTEM32\EBDHPTCB.DLL
C:\WINDOWS\SYSTEM32\GLCBYIAN.DLL
C:\WINDOWS\SYSTEM32\HSTKXJXA.DLL
C:\WINDOWS\SYSTEM32\KCWNPXET.DLL
C:\WINDOWS\SYSTEM32\KUVPRRPG.DLL
C:\WINDOWS\SYSTEM32\OOBCNCUD.DLL


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:57 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btmintranet/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm429NUUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} (OBXWebDocumentSelect Control) - http://btm-onbase/appnet/activex/OBXWebSelect.cab
O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://btm-onbase/appnet/activex/OBXWebViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.boundtree.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2DD6D6-C55B-4A6B-A618-DE5FB9A8F8AF}: NameServer = 10.1.1.10,10.1.1.88
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.boundtree.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcdaxv - ddcdaxv.dll (file missing)
O20 - Winlogon Notify: vtUNDssQ - vtUNDssQ.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7324 bytes
__________________
Some days you're the dog.....some days you're the hydrant.
Cheeseball81's Avatar
Moderator with 71,506 posts.
  
Join Date: Mar 2004
Location: New York
Experience: Mighty Nerdy
21-Apr-2008, 04:36 PM #11
I've been away for the past few days. Can I trouble you to rerun ComboFix and post the latest results?
Reply

« Previous Thread | General Security | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools