
HJT log - Possible Virus 2

Discussion in 'General Security' started by p51, Apr 11, 2008.

  1. p51

    p51 Thread Starter

    Joined:
    Mar 21, 2002
    Messages:
    926
    Hi guys,

    I am attaching the HJT log for a second pc I am struggling with. The Vundo virus was found and Trend Micro's HouseCall appeared to clean it. We are still having issues with sluggishness and popups out of the ordinary. I have run Ad-Aware and Spybot S&D. We run McAfee 8.5i here on an XP SP2 OS that is up to date with Windows updates.

    If someone has the time to scan through this log file and tell me if anything looks out of the ordinary and/or malicious, that would be great.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:51:03 AM, on 4/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3055295A-CCDD-44B2-9F73-D8E8E626E5C1} - C:\WINDOWS\system32\ddcdaxv.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: (no name) - {A0E1191E-538F-4CE4-AE09-284426951CE0} - C:\WINDOWS\System32\jkhfe.dll (file missing)
    O2 - BHO: (no name) - {E5C53BE6-20B0-4BD0-9780-A519BB15C0BA} - C:\WINDOWS\system32\mllml.dll (file missing)
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
    O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
    O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} (OBXWebDocumentSelect Control) - http://btm-onbase/appnet/activex/OBXWebSelect.cab
    O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://btm-onbase/appnet/activex/OBXWebViewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O17 - HKLM\Software\..\Telephony: DomainName = corp.boundtree.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2DD6D6-C55B-4A6B-A618-DE5FB9A8F8AF}: NameServer = 10.1.1.10,10.1.1.88
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O20 - Winlogon Notify: ddcdaxv - ddcdaxv.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6776 bytes


    Thanks a lot,

    Jay
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    This one is much worse than the other.

    Please download MsnCleaner.zip and Save it to your Desktop.
    • Unzip it to the Desktop.
    • Now reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit Enter.
    • Double-click MsnCleaner.exe to run it.
    • Click the Analyze button.
    • A report will be created once the scan finishes.
    • If it finds an infection, click the Deleted button.
    • Now, please reboot back to normal mode.
    • Please post the contents of C:\MsnCleaner.txt in a reply to this post along with a new HJT log.
     
  3. p51

    p51 Thread Starter

    Joined:
    Mar 21, 2002
    Messages:
    926
    Ok Cheeseball, below are the logs you requested. The msncleaner.txt is first and the new hjt text follows:

    - Logfile MSNCleaner 1.6.2 by www.forospyware.com
    - Created Logfile: 4/14/2008 on 1:34:51 PM
    - Operative System: Windows XP
    - Boot mode: Safe mode with network support
    _________________________________________

    Detected files: 3
    Deleted file: 3
    Undeleted Files: 0

    C:\WINDOWS\cookies.ini <--- Deleted
    C:\WINDOWS\live.messenger.com <--- Deleted
    C:\WINDOWS\system32\mcrh.Tmp <--- Deleted

    Host file Restored


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:44:58 PM, on 4/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office Communicator\Communicator.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
    C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 2281 bytes


    Thanks a ton.

    Jay
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    A lot of O4s are missing. Were any items turned off from Startup?
     
  5. p51

    p51 Thread Starter

    Joined:
    Mar 21, 2002
    Messages:
    926
    Nothing deliberately or intentionally. The only thing different between the HJT logs is whatever MSNCleaner cleaned and deleted.
     
  6. p51

    p51 Thread Starter

    Joined:
    Mar 21, 2002
    Messages:
    926
    Ok, this morning I rebooted the machine and re-ran HJT. The log is much larger now and has the O4s.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:28:48 AM, on 4/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office Communicator\Communicator.exe
    C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
    C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btmintranet/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [cc3a2b8f] rundll32.exe "C:\WINDOWS\system32\drtpmedy.dll",b
    O4 - HKLM\..\Run: [BMcf091813] Rundll32.exe "C:\WINDOWS\system32\wsbpihfu.dll",s
    O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
    O8 - Extra context menu item: &Search - ?p=ZRxdm429NUUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} (OBXWebDocumentSelect Control) - http://btm-onbase/appnet/activex/OBXWebSelect.cab
    O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://btm-onbase/appnet/activex/OBXWebViewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O17 - HKLM\Software\..\Telephony: DomainName = corp.boundtree.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2DD6D6-C55B-4A6B-A618-DE5FB9A8F8AF}: NameServer = 10.1.1.10,10.1.1.88
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6697 bytes
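
    A small triage script, added here as an example and not part of the original posts or of HijackThis itself: it parses HJT entry lines, flags the patterns seen in the logs in this thread (orphaned "(file missing)" hooks, Run entries that launch rundll32 against a randomly named system32 DLL, a RunServices value that is a bare hostname rather than a program, and a context-menu item with no real URL), and reports which O4 entries differ between two logs, as in the "O4s are missing" exchange above. The two sample logs are short excerpts constructed from the logs in this thread, and the random-name check is a heuristic, not a verdict.

```python
"""HijackThis (HJT) log triage helper.

Added example for this thread; not part of the original posts or of
HijackThis. The sample logs below are constructed excerpts of the logs
posted in the thread.
"""
import re
from typing import List, Tuple

# One HJT entry line: "O4 - HKLM\..\Run: [name] command" -> (section, body)
ENTRY_RE = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*)$")

# Run-key entry that loads a DLL from system32 via rundll32
RUNDLL_RE = re.compile(
    r'\[(?P<name>[^\]]+)\]\s+rundll32\.exe\s+"?'
    r'(?P<dll>[^"]+\\system32\\(?P<base>[^\\"]+)\.dll)"?',
    re.IGNORECASE,
)

# Run-key entry whose "command" is a bare hostname, not a path or program
BARE_HOST_RE = re.compile(r"\[[^\]]+\]\s+([a-z0-9.-]+\.[a-z]{2,})\s*$", re.IGNORECASE)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every R/O entry line in a HJT log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def looks_random(base: str) -> bool:
    """Heuristic: 7-8 lowercase letters is the shape of the throwaway DLL
    names in this thread (drtpmedy, wsbpihfu, ddcdaxv). Only applied to
    rundll32 Run entries, and still a hint rather than proof."""
    return re.fullmatch(r"[a-z]{7,8}", base) is not None


def flag_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (reason, body) for entries matching the indicators in this thread."""
    findings = []
    for section, body in entries:
        if "(file missing)" in body:
            # BHO / Winlogon Notify hooks whose DLL is gone: leftovers of a
            # partial clean-up, and a sign the machine was infected
            findings.append(("hook registered but file missing", body))
        if section == "O4":
            m = RUNDLL_RE.search(body)
            if m and looks_random(m.group("base")):
                findings.append(("rundll32 loading random-named system32 DLL", body))
            if BARE_HOST_RE.search(body):
                findings.append(("Run value is a bare hostname, not a program", body))
        if section == "O8" and "?p=" in body and "://" not in body:
            findings.append(("context menu item with no real URL", body))
    return findings


def o4_diff(old_log: str, new_log: str) -> Tuple[List[str], List[str]]:
    """Return (missing, added) O4 startup entries between two HJT logs."""
    old = {b for s, b in parse_hjt(old_log) if s == "O4"}
    new = {b for s, b in parse_hjt(new_log) if s == "O4"}
    return sorted(old - new), sorted(new - old)


# Constructed excerpts of the first and third HJT logs in this thread.
LOG_A = r"""
O2 - BHO: (no name) - {3055295A-CCDD-44B2-9F73-D8E8E626E5C1} - C:\WINDOWS\system32\ddcdaxv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O20 - Winlogon Notify: ddcdaxv - ddcdaxv.dll (file missing)
"""

LOG_B = r"""
O4 - HKLM\..\Run: [cc3a2b8f] rundll32.exe "C:\WINDOWS\system32\drtpmedy.dll",b
O4 - HKLM\..\Run: [BMcf091813] Rundll32.exe "C:\WINDOWS\system32\wsbpihfu.dll",s
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O8 - Extra context menu item: &Search - ?p=ZRxdm429NUUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
"""

if __name__ == "__main__":
    for label, log in (("log A", LOG_A), ("log B", LOG_B)):
        print(f"== {label} ==")
        for reason, body in flag_entries(parse_hjt(log)):
            print(f"  [{reason}] {body}")
    missing, added = o4_diff(LOG_A, LOG_B)
    print("O4 entries missing in B:", *missing, sep="\n  ")
    print("O4 entries added in B:", *added, sep="\n  ")
```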
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • ...
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  8. p51

    p51 Thread Starter

    Joined:
    Mar 21, 2002
    Messages:
    926
    Cheeseball, I ran Combofix and another HJT. Below are the log files. Thanks a lot for helping out on both of these computers. I really do appreciate it.

    ComboFix 08-04-13.3 - SWagner 2008-04-16 7:33:23.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.308 [GMT -4:00]
    Running from: C:\Documents and Settings\swagner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
    .

    2008-03-21 14:03 . 2008-04-10 08:06 232 --ah----- C:\sqmdata15.sqm
    2008-03-21 12:04 . 2008-04-10 06:25 244 --ah----- C:\sqmnoopt14.sqm
    2008-03-21 12:04 . 2008-04-10 06:25 232 --ah----- C:\sqmdata14.sqm
    2008-03-21 11:54 . 2008-04-10 06:20 244 --ah----- C:\sqmnoopt13.sqm
    2008-03-21 11:54 . 2008-04-10 06:20 232 --ah----- C:\sqmdata13.sqm
    2008-03-21 11:29 . 2008-04-10 05:20 244 --ah----- C:\sqmnoopt12.sqm
    2008-03-21 11:29 . 2008-04-10 05:20 232 --ah----- C:\sqmdata12.sqm
    2008-03-21 11:19 . 2008-04-10 05:00 244 --ah----- C:\sqmnoopt11.sqm
    2008-03-21 11:19 . 2008-04-10 05:00 232 --ah----- C:\sqmdata11.sqm
    2008-03-21 11:07 . 2008-04-09 19:34 244 --ah----- C:\sqmnoopt10.sqm
    2008-03-21 11:07 . 2008-04-09 19:34 232 --ah----- C:\sqmdata10.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-10 14:55 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-04-10 14:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-07 18:18 --------- d-----w C:\Program Files\Microsoft Office Communicator
    2008-04-05 15:36 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-03-31 15:19 --------- d-----w C:\Program Files\Palm
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
    2008-03-14 12:55 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-01-23 22:35 95,064 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-01-23 22:35 95,064 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-01-23 22:35 556,376 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-01-23 22:35 325,464 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-01-23 22:35 204,120 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-01-23 22:35 1,743,704 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-01-23 22:35 1,743,704 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-01-23 22:34 53,592 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-01-23 22:34 53,592 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-01-23 22:34 44,888 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-01-23 22:34 36,184 ----a-w C:\WINDOWS\system32\wups.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A0E1191E-538F-4CE4-AE09-284426951CE0}]
    C:\WINDOWS\System32\jkhfe.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}]
    C:\WINDOWS\system32\mllml.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 03:51 3897040]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 07:24 155648]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 07:11 114688]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 12:57 143360]
    "DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 09:34 69632]
    "srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 17:34 36864]
    "SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 15:01 525824]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-04 10:48 136512]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-08-13 21:50 111952]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "MSN Messenger"="live.messenger.com" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 03:51 3897040]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    SnagIt 7.lnk - C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe [2006-05-08 09:43:50 3325952]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdaxv]
    ddcdaxv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUNDssQ]
    vtUNDssQ.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-16 07:40:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2008-04-16 7:44:56
    ComboFix-quarantined-files.txt 2008-04-16 11:43:49

    Pre-Run: 20,842,991,616 bytes free
    Post-Run: 20,819,984,384 bytes free
    .
    2008-04-10 18:26:42 --- E O F ---


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:56:54 AM, on 4/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office Communicator\Communicator.exe
    C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btmintranet/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: (no name) - {A0E1191E-538F-4CE4-AE09-284426951CE0} - C:\WINDOWS\System32\jkhfe.dll (file missing)
    O2 - BHO: (no name) - {E5C53BE6-20B0-4BD0-9780-A519BB15C0BA} - C:\WINDOWS\system32\mllml.dll (file missing)
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
    O8 - Extra context menu item: &Search - ?p=ZRxdm429NUUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} (OBXWebDocumentSelect Control) - http://btm-onbase/appnet/activex/OBXWebSelect.cab
    O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://btm-onbase/appnet/activex/OBXWebViewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O17 - HKLM\Software\..\Telephony: DomainName = corp.boundtree.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2DD6D6-C55B-4A6B-A618-DE5FB9A8F8AF}: NameServer = 10.1.1.10,10.1.1.88
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O20 - Winlogon Notify: ddcdaxv - ddcdaxv.dll (file missing)
    O20 - Winlogon Notify: vtUNDssQ - vtUNDssQ.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 7339 bytes
     
  9. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    No problem...

    Egads, this is a mess too.

    Download the Trial version of Superantispyware Pro (SAS):
    http://www.superantispyware.com/superantispyware.html?rid=3132


    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new Hijack This log.
     
  10. p51

    p51 Thread Starter

    Joined:
    Mar 21, 2002
    Messages:
    926
    Ok, Cheese, here is the SuperAntiSpyware log (it found instances of the Vundo trojan) and a new HJT. Again...thank you!

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 04/17/2008 at 10:16 AM

    Application Version : 4.0.1154

    Core Rules Database Version : 3440
    Trace Rules Database Version: 1432

    Scan type : Complete Scan
    Total Scan Time : 03:06:34

    Memory items scanned : 436
    Memory threats detected : 0
    Registry items scanned : 4145
    Registry threats detected : 10
    File items scanned : 123045
    File threats detected : 87

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{A0E1191E-538F-4CE4-AE09-284426951CE0}
    HKCR\CLSID\{A0E1191E-538F-4CE4-AE09-284426951CE0}
    HKCR\CLSID\{A0E1191E-538F-4CE4-AE09-284426951CE0}\InprocServer32
    HKCR\CLSID\{A0E1191E-538F-4CE4-AE09-284426951CE0}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\JKHFE.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A0E1191E-538F-4CE4-AE09-284426951CE0}

    Trojan.WinFixer
    HKLM\Software\Classes\CLSID\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}
    HKCR\CLSID\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}
    HKCR\CLSID\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}\InprocServer32
    HKCR\CLSID\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\MLLML.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5C53BE6-20B0-4BD0-9780-A519BB15C0BA}

    Adware.Tracking Cookie
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected]orfixer[2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][1].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\swagner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

    Adware.Vundo-Variant/Small-A
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP192\A0012104.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP197\A0012340.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP198\A0013345.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP198\A0013346.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013815.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013816.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013817.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013818.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013819.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013820.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013821.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013822.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013825.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013826.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013827.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013829.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013830.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013831.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013833.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013834.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013835.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP208\A0014916.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP208\A0014917.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP209\A0015994.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016052.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016055.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016075.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016092.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016098.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016102.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP211\A0016112.DLL

    Trojan.NewDotNet
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP199\A0013378.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP199\A0013379.EXE

    Adware.Vundo-Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013783.DLL

    Adware.Vundo-Variant/E
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013823.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013824.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013828.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP205\A0013832.DLL

    Trojan.Unclassified/MRT-Fake
    C:\WINDOWS\SYSTEM32\AQNIQFVH.DLL
    C:\WINDOWS\SYSTEM32\EBDHPTCB.DLL
    C:\WINDOWS\SYSTEM32\GLCBYIAN.DLL
    C:\WINDOWS\SYSTEM32\HSTKXJXA.DLL
    C:\WINDOWS\SYSTEM32\KCWNPXET.DLL
    C:\WINDOWS\SYSTEM32\KUVPRRPG.DLL
    C:\WINDOWS\SYSTEM32\OOBCNCUD.DLL


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:33:57 AM, on 4/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office Communicator\Communicator.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://btmintranet/index.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
    O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
    O8 - Extra context menu item: &Search - ?p=ZRxdm429NUUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} (OBXWebDocumentSelect Control) - http://btm-onbase/appnet/activex/OBXWebSelect.cab
    O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://btm-onbase/appnet/activex/OBXWebViewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O17 - HKLM\Software\..\Telephony: DomainName = corp.boundtree.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2DD6D6-C55B-4A6B-A618-DE5FB9A8F8AF}: NameServer = 10.1.1.10,10.1.1.88
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.boundtree.com
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddcdaxv - ddcdaxv.dll (file missing)
    O20 - Winlogon Notify: vtUNDssQ - vtUNDssQ.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 7324 bytes
     
  11. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    I've been away for the past few days. Can I trouble you to rerun ComboFix and post the latest results?
     
Short URL to this thread: https://techguy.org/702656
