
Annoying popups

Discussion in 'Malware and Virus Removal Archive' started by Petag21, 2008/01/22.

  1. 2008/01/25
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hey :)

    Sorry I didn't get back today -- had to go to work.

    Can you do up a new dss.exe please, and post the new log (main.txt)?

    As for tapee.sys & catchme....

    Check here:

    C:\Qoobox

    Should be a file called catchme 2008-01-24 9:53.zip or similar (2008-01-24 being the date run, 9:53 (or close) being the time run).
    Grab that one for me please.

    Thanks :)
     
  2. 2008/01/28
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    Deckard's System Scanner v20071014.68
    Run by reception on 2008-01-28 09:35:26
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as reception.exe) -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:35, on 2008-01-28
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Windows Defender\MpCmdRun.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\reception\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\RECEPT~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlsstratus.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\Software\..\Telephony: DomainName = dartcapital.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dartcapital.local
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 7327 bytes

    -- Files created between 2007-12-28 and 2008-01-28 -----------------------------

    2008-01-23 13:51:38 0 d-------- C:\cmdcons
    2008-01-16 18:03:05 0 d--hs---- C:\Documents and Settings\Default User\Cookies
    2008-01-15 14:37:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-15 14:35:46 0 dr-h----- C:\MSOCache
    2008-01-15 14:01:36 0 d-------- C:\WINDOWS\WindowsMobile
    2008-01-15 14:01:27 0 d-------- C:\Documents and Settings\reception\Application Data\InstallShield
    2008-01-15 13:50:02 0 d-------- C:\Program Files\Windows Mobile Device Handbook


    -- Find3M Report ---------------------------------------------------------------

    2008-01-23 14:03:00 0 d-------- C:\Program Files\Common Files
    2008-01-15 14:40:18 0 d-------- C:\Program Files\Microsoft Works
    2008-01-15 14:01:35 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-15 13:53:58 2528 --a------ C:\Documents and Settings\reception\Application Data\$_hpcst$.hpc
    2008-01-15 13:51:30 0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-03 18:02:10 0 d-------- C:\Program Files\America Online 9.0
    2007-12-18 11:56:34 0 d-------- C:\Documents and Settings\reception\Application Data\AdobeUM


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-13 14:28]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-29 11:58]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Documents and Settings\reception\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 14:36:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 14:36:04]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    "C:\Program Files\Dell Support\DSAgnt.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




    -- End of Deckard's System Scanner: finished at 2008-01-28 09:36:31 ------------

    -------------------------------------------------------------------------
    Okay Blender, I found the Tapee.sys. I'm sorry, but what did you want me to do with it again?

    Thanks again:)
     


  4. 2008/01/30
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
  5. 2008/02/01
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    Hey B,

    I uploaded the Tapee to BleepingComputer.com. My internet is running fine, and I am not getting any more popups.

    Thanks again. :)
     
  6. 2008/02/01
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Thanks for the file. :)

    Let's get rid of the tools we used now. No point keeping them around because they change too often.

    Click start> run> type this line and hit enter:

    C:\windows\gmer_uninstall.cmd

    You should see a dos box pop up and go through some commands.
    Press enter when it says "press any key to continue"
    Dos box closes...
    That uninstalled Gmer.
    Delete the gmer.exe you saved earlier.

    Next:

    Click start> run> type this line and hit enter:

    combofix /u

    Follow the prompts.
    Combofix and whatever it installed along with DSS will be removed.

    Autoruns you can keep or delete. Your choice.
    Same with Hijackthis.

    If you wanna remove Hijackthis -- simply uninstall it via add/remove programs.
    If you want to remove Autoruns -- simply delete the zip you downloaded and the folder it created when you unzipped it.

    Any other log files I asked you to create you can delete.

    Empty recycle bin when done and reboot.

    --------------------

    Things still OK?
     
  7. 2008/02/01
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    Hey B,

    The computer is still running well, and I deleted everything that you told me to. THANK YOU. :D
     
  8. 2008/02/02
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Good to hear :)

    last thing to do now is reset your system restore.

    How to:

    Right click "my computer"
    Click "properties"
    Click "system restore" tab
    Checkmark "turn off system restore"
    Hit apply> ok> ok.

    Reboot

    Go back and turn system restore back on by removing the check, hit apply, and OK.

    A new restore point is created at this time.
    You will not be able to restore computer to any earlier than today.

    ------------------

    Also you should get newer versions of Acrobat Reader and make sure you have the latest QuickTime.

    Uninstall them both first from add/remove programs then install the new versions.

    Acrobat Reader you can get here:

    http://www.adobe.com/products/acrobat/readstep2.html

    If you don't want the added toolbars -- uncheck those options before installing Acrobat.

    Quicktime you can get here:

    http://www.apple.com/quicktime/download/

    If you don't use "iTunes" then check the bottom choice.
    And -- no, you don't need to "sign up" for anything to get QuickTime.

    Keep well & stay safe!

    Blender
     
  9. 2008/02/06
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    Hey Blender, I did the system restore, and I am going to do all the updates. Just one thing: yesterday I started getting those popups again. I just shut down my cpu for the day. So this morning when I got into work I updated and ran Ad-Aware, and the popups are still coming, but just not as much. I honestly don't know what else to do anymore. I don't go to any dirty sites or anything, and I'm pretty sure that the sites that I am going to are not bad sites either. Should I just redo all the instructions from earlier?
     
  10. 2008/02/07
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
  11. 2008/02/07
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    Deckard's System Scanner v20071014.68
    Run by Reception on 2008-02-07 11:04:31
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as Reception.exe) -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:04, on 2008-02-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Drmupgds\Drmupgds.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\reception\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\RECEPT~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlsstratus.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {43B24522-B88A-4631-80B5-BC9330FB89DF} - C:\WINDOWS\system32\jkhfd.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: {b621de4b-2e9b-fbab-86d4-ae34e4091cd9} - {9dc1904e-43ea-4d68-babf-b9e2b4ed126b} - C:\WINDOWS\system32\himcrumo.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\hgghfdd.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [8991908C8D958E93] CED6D5D1D2DAD3.exe
    O4 - HKLM\..\Run: [306c5d9b] rundll32.exe "C:\WINDOWS\system32\oxhbqgrr.dll",b
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\Software\..\Telephony: DomainName = dartcapital.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dartcapital.local
    O20 - Winlogon Notify: hgghfdd - C:\WINDOWS\SYSTEM32\hgghfdd.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 8073 bytes

    -- Files created between 2008-01-07 and 2008-02-07 -----------------------------

    2008-02-07 10:07:40 0 d-------- C:\Program Files\QuickTime
    2008-02-07 10:07:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-02-07 10:03:18 0 d-------- C:\Program Files\Apple Software Update
    2008-02-07 10:03:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-02-07 09:57:56 87616 --a------ C:\WINDOWS\system32\oxhbqgrr.dll
    2008-02-07 09:54:53 95808 --a------ C:\WINDOWS\system32\himcrumo.dll
    2008-02-06 09:54:41 92224 --a------ C:\WINDOWS\system32\fcajpnde.dll
    2008-02-06 09:49:58 0 d-------- C:\WINDOWS\system32\636B6A66676F68
    2008-02-06 09:39:14 183975 ---hs---- C:\WINDOWS\system32\dfhkj.bak2
    2008-02-06 09:39:14 92224 --a------ C:\WINDOWS\system32\bxepbdgt.dll
    2008-02-05 17:46:44 6523 ---hs---- C:\WINDOWS\system32\dfhkj.bak1
    2008-02-05 17:45:58 322656 --a------ C:\WINDOWS\system32\jkhfd.dll
    2008-02-05 17:44:52 0 d-------- C:\Program Files\Drmupgds
    2008-02-05 17:44:51 0 d-------- C:\Program Files\Temporary
    2008-02-05 17:41:57 0 d-------- C:\Program Files\Outerinfo
    2008-02-05 17:41:54 0 d-------- C:\Documents and Settings\reception\Application Data\?ymantec
    2008-02-05 17:41:37 36864 --a------ C:\WINDOWS\mrofinu1000106.exe
    2008-02-05 17:41:17 36864 --a------ C:\WINDOWS\mrofinu572.exe
    2008-02-05 17:41:16 0 d--hs---- C:\WINDOWS\YWRtaW4
    2008-02-05 17:41:03 0 d-------- C:\WINDOWS\system32\lis6
    2008-02-05 17:41:03 0 d-------- C:\WINDOWS\system32\hs9
    2008-02-05 17:41:03 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    2008-02-05 17:41:02 0 d-------- C:\WINDOWS\system32\tip4
    2008-02-05 17:41:01 0 d-------- C:\WINDOWS\system32\??crosoft.NET
    2008-02-05 17:40:57 0 d-------- C:\WINDOWS\system32\nGpxx01
    2008-02-05 17:40:49 40960 --a------ C:\WINDOWS\system32\hgghfdd.dll
    2008-02-04 11:13:36 54272 --a------ C:\WINDOWS\b122.exe
    2008-01-22 15:58:34 0 d-------- H:\Deckard
    2008-01-16 18:03:05 0 d--hs---- C:\Documents and Settings\Default User\Cookies
    2008-01-15 16:52:24 140800 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    2008-01-15 14:37:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-15 14:01:36 0 d-------- C:\WINDOWS\WindowsMobile
    2008-01-15 14:01:27 0 d-------- C:\Documents and Settings\reception\Application Data\InstallShield
    2008-01-15 13:50:02 0 d-------- C:\Program Files\Windows Mobile Device Handbook
    2008-01-14 12:13:58 367616 --a------ C:\WINDOWS\b149.exe


    -- Find3M Report ---------------------------------------------------------------

    2008-02-05 17:44:06 0 d-------- C:\Documents and Settings\reception\Application Data\?ymantec
    2008-02-05 17:41:03 0 d-------- C:\Program Files\Common Files
    2008-01-15 14:40:18 0 d-------- C:\Program Files\Microsoft Works
    2008-01-15 14:01:35 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-15 13:53:58 2528 --a------ C:\Documents and Settings\reception\Application Data\$_hpcst$.hpc
    2008-01-15 13:51:30 0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-03 18:02:10 0 d-------- C:\Program Files\America Online 9.0
    2007-12-18 11:56:34 0 d-------- C:\Documents and Settings\reception\Application Data\AdobeUM


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43B24522-B88A-4631-80B5-BC9330FB89DF}]
    2008-02-05 17:45 322656 --a------ C:\WINDOWS\system32\jkhfd.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9dc1904e-43ea-4d68-babf-b9e2b4ed126b}]
    2008-02-07 09:54 95808 --a------ C:\WINDOWS\system32\himcrumo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E180F496-8A4B-44E2-9FE0-0364E345DB7F}]
    2008-02-05 17:40 40960 --a------ C:\WINDOWS\system32\hgghfdd.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-13 14:28]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13]
    "8991908C8D958E93 "= "CED6D5D1D2DAD3.exe" []
    "306c5d9b "= "C:\WINDOWS\system32\oxhbqgrr.dll" [2008-02-07 09:57]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
    "Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [2008-02-05 17:44]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Documents and Settings\reception\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 14:36:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 14:36:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{E180F496-8A4B-44E2-9FE0-0364E345DB7F}"=C:\WINDOWS\system32\hgghfdd.dll [2008-02-05 17:40 40960]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghfdd]
    hgghfdd.dll 2008-02-05 17:40 40960 C:\WINDOWS\SYSTEM32\hgghfdd.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=msv1_0 C:\\WINDOWS\\system32\\jkhfd

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    "C:\Program Files\Dell Support\DSAgnt.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




    -- End of Deckard's System Scanner: finished at 2008-02-07 11:05:37 ------------


    Sorry that I took so long. My CPU is running really, really slowly.
     
  12. 2008/02/07
    Blender Inactive

    Hey,

    Thanks for the log.

    Sorry I took so long to get back -- I was disconnected from the internet about 100 times between yesterday and today.

    Follow instructions here for use of combofix please:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    No need for the recovery console bit since you installed that last week.

    Post c:\combofix.txt when done please.

    Then see if you can get a Hosts file installed on that machine.
    Be sure to read the info please in case you run into problems.

    http://www.mvps.org/winhelp2002/hosts.htm

    Download hosts.zip > unzip it > double-click the .bat file and it will install Hosts for you.
    If Defender complains about Hosts --- allow the change.

    This will block a ton of bad sites and should help stop this repetitive insanity. :eek:
    Yes -- websites with ads will look different because a lot of ads are blocked too.

    If surfing slows down to a dead crawl --- read on that site how to set the DNS Service to Manual.

    Let me know how the machine is running.

    Thanks :)
     
  13. 2008/02/08
    Petag21 Inactive Thread Starter

    Hey Blender,

    I unzipped that Hosts file and I ran ComboFix. When it was done it restarted and gave me a message saying something about windows32. When I signed in I did not see the main.txt pop up. Another thing: for the last couple of days, when I start my computer up, right before I can sign in, a message comes up saying Symantec AntiVirus Realtime Protection Failed to Load. Then when I do sign in it says that Symantec AntiVirus Realtime Protection is disabled.
     
  14. 2008/02/08
    Blender Inactive

    Hi,

    Combofix puts its log here:

    c:\combofix.txt <-- this is the one I need.

    If that one is not present -- post this log:

    C:\qoobox\quarantined_files.txt

    Also run dss.exe again and post the new "main.txt".

    Please explain. If possible -- get the exact error please.
    Did you get the Hosts file installed OK?

    Thanks :)
     
  15. 2008/02/08
    Petag21 Inactive Thread Starter

    ComboFix 08-02.05.3 - Reception 2008-02-08 15:26:14.11 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.240 [GMT -5:00]
    Running from: C:\Documents and Settings\reception\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\WINDOWS\system32\hgghfdd.dll
    C:\WINDOWS\system32\jkhfd.dll
    C:\check_LSA7.txt
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Temp\1cb\syscheck.log
    C:\WINDOWS\b122.exe
    C:\WINDOWS\b149.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\WINDOWS\mrofinu572.exe
    C:\WINDOWS\system32\awmhdvwv.dll
    C:\WINDOWS\system32\bxepbdgt.dll
    C:\WINDOWS\system32\crosof~1.net\??crosoft.NET\
    C:\WINDOWS\SYSTEM32\dfhkj.bak1
    C:\WINDOWS\SYSTEM32\dfhkj.bak2
    C:\WINDOWS\SYSTEM32\dfhkj.ini
    C:\WINDOWS\system32\fcajpnde.dll
    C:\WINDOWS\system32\hgghfdd.dll
    C:\WINDOWS\system32\himcrumo.dll
    C:\WINDOWS\system32\jkhfd.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\SYSTEM32\rrgqbhxo.ini
    C:\WINDOWS\SYSTEM32\vwvdhmwa.ini
    C:\WINDOWS\system32\xxxntouu.dll
    .
    ---- Previous Run -------
    .
    C:\check_LSA7.txt
    C:\Documents and Settings\reception\Application Data\YMANTE~1
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\reception\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\Temporary
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\WINDOWS\b122.exe
    C:\WINDOWS\b149.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\WINDOWS\mrofinu572.exe
    C:\WINDOWS\system32\awmhdvwv.dll
    C:\WINDOWS\system32\bxepbdgt.dll
    C:\WINDOWS\system32\crosof~1.net
    C:\WINDOWS\system32\crosof~1.net\??crosoft.NET\
    C:\WINDOWS\SYSTEM32\dfhkj.bak1
    C:\WINDOWS\SYSTEM32\dfhkj.bak2
    C:\WINDOWS\SYSTEM32\dfhkj.ini
    C:\WINDOWS\system32\fcajpnde.dll
    C:\WINDOWS\system32\hgghfdd.dll
    C:\WINDOWS\system32\himcrumo.dll
    C:\WINDOWS\system32\jkhfd.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\SYSTEM32\rrgqbhxo.ini
    C:\WINDOWS\SYSTEM32\vwvdhmwa.ini
    C:\WINDOWS\system32\xxxntouu.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NETWORK_MONITOR
    ((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
    .

    2008-02-08 09:58 . 2008-02-08 09:58 <DIR> d-------- C:\Deckard
    2008-02-07 10:07 . 2008-02-07 10:09 <DIR> d-------- C:\Program Files\QuickTime
    2008-02-07 10:07 . 2008-02-07 10:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-02-07 10:03 . 2008-02-07 10:03 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-02-07 10:03 . 2008-02-07 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-02-06 09:57 . 2008-02-07 09:49 534 --ahs---- C:\WINDOWS\SYSTEM32\ldvnycyh.ini
    2008-02-06 09:49 . 2008-02-06 09:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\636B6A66676F68
    2008-02-06 09:42 . 2008-02-06 10:06 354 --ahs---- C:\WINDOWS\SYSTEM32\feqrddix.ini
    2008-02-05 17:44 . 2008-02-05 17:44 <DIR> d-------- C:\Program Files\Drmupgds
    2008-02-05 17:41 . 2008-02-06 10:02 <DIR> d--hs---- C:\WINDOWS\YWRtaW4
    2008-02-05 17:41 . 2008-02-05 17:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\tip4
    2008-02-05 17:41 . 2008-02-06 09:50 <DIR> d-------- C:\WINDOWS\SYSTEM32\lis6
    2008-02-05 17:41 . 2008-02-05 17:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\hs9
    2008-02-05 17:41 . 2008-02-05 17:41 <DIR> d-------- C:\Temp\gTiis19
    2008-02-05 17:40 . 2008-02-05 17:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
    2008-02-05 17:40 . 2008-02-05 17:40 <DIR> d-------- C:\Temp\cXzz9
    2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
    2008-01-28 17:03 . 2008-02-08 13:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-28 17:03 . 2008-02-07 09:58 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-24 12:28 . 2008-01-24 12:28 250 --a------ C:\WINDOWS\gmer.ini
    2008-01-23 13:51 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
    2008-01-15 14:37 . 2008-01-16 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-15 14:35 . 2008-01-15 14:35 <DIR> dr-h----- C:\MSOCache
    2008-01-15 14:01 . 2008-01-15 14:01 <DIR> d-------- C:\WINDOWS\WindowsMobile
    2008-01-15 14:01 . 2008-01-15 14:01 <DIR> d-------- C:\Documents and Settings\reception\Application Data\InstallShield
    2008-01-15 13:50 . 2008-01-15 13:50 <DIR> d-------- C:\Program Files\Windows Mobile Device Handbook

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-22 14:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-15 19:40 --------- d-----w C:\Program Files\Microsoft Works
    2008-01-15 19:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-15 18:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-01-03 23:02 --------- d-----w C:\Program Files\America Online 9.0
    2007-12-18 16:56 --------- d-----w C:\Documents and Settings\reception\Application Data\AdobeUM
    2005-07-29 21:24 472 --sha-r C:\WINDOWS\YWRtaW4\sqlQuqb.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44 68856]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
    "Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [2008-02-05 17:44 61440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-13 14:28 185632]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
    "8991908C8D958E93"="CED6D5D1D2DAD3.exe" []
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44 68856]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    C:\Program Files\Dell Support\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    --a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-08-13 14:28 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-07 15:03:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-08 20:32:31 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2008-02-08 20:32:35 C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_dartcapital_reception.job"
    - C:\WINDOWS\system32\MOBSYNC.EXEJ /Schedule=
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-08 15:30:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-08 15:36:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-08 20:36:23
    .
    2008-02-08 14:51:04 --- E O F ---
     
  16. 2008/02/08
    Petag21 Inactive Thread Starter

    Deckard's System Scanner v20071014.68
    Run by Reception on 2008-02-08 15:42:26
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as Reception.exe) -------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:42, on 2008-02-08
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Drmupgds\Drmupgds.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Documents and Settings\reception\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\RECEPT~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mlsstratus.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [8991908C8D958E93] CED6D5D1D2DAD3.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\Software\..\Telephony: DomainName = dartcapital.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dartcapital.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dartcapital.local
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 7528 bytes

    -- Files created between 2008-01-08 and 2008-02-08 -----------------------------

    2008-02-08 11:54:02 68096 --a------ C:\WINDOWS\system32\zip.exe
    2008-02-08 11:54:02 98816 --a------ C:\WINDOWS\system32\sed.exe
    2008-02-08 11:54:02 80412 --a------ C:\WINDOWS\system32\grep.exe
    2008-02-08 11:54:02 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-02-07 10:07:40 0 d-------- C:\Program Files\QuickTime
    2008-02-07 10:07:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-02-07 10:03:18 0 d-------- C:\Program Files\Apple Software Update
    2008-02-07 10:03:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-02-06 09:49:58 0 d-------- C:\WINDOWS\system32\636B6A66676F68
    2008-02-05 17:44:52 0 d-------- C:\Program Files\Drmupgds
    2008-02-05 17:41:16 0 d--hs---- C:\WINDOWS\YWRtaW4
    2008-02-05 17:41:03 0 d-------- C:\WINDOWS\system32\lis6
    2008-02-05 17:41:03 0 d-------- C:\WINDOWS\system32\hs9
    2008-02-05 17:41:02 0 d-------- C:\WINDOWS\system32\tip4
    2008-02-05 17:40:57 0 d-------- C:\WINDOWS\system32\nGpxx01
    2008-01-22 15:58:34 0 d-------- H:\Deckard
    2008-01-16 18:03:05 0 d--hs---- C:\Documents and Settings\Default User\Cookies
    2008-01-15 14:37:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-15 14:01:36 0 d-------- C:\WINDOWS\WindowsMobile
    2008-01-15 14:01:27 0 d-------- C:\Documents and Settings\reception\Application Data\InstallShield
    2008-01-15 13:50:02 0 d-------- C:\Program Files\Windows Mobile Device Handbook


    -- Find3M Report ---------------------------------------------------------------

    2008-02-08 12:14:31 0 d-------- C:\Program Files\Common Files
    2008-01-15 14:40:18 0 d-------- C:\Program Files\Microsoft Works
    2008-01-15 14:01:35 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-01-15 13:53:58 2528 --a------ C:\Documents and Settings\reception\Application Data\$_hpcst$.hpc
    2008-01-15 13:51:30 0 d-------- C:\Program Files\Microsoft ActiveSync
    2008-01-03 18:02:10 0 d-------- C:\Program Files\America Online 9.0
    2007-12-18 11:56:34 0 d-------- C:\Documents and Settings\reception\Application Data\AdobeUM


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-13 14:28]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13]
    "8991908C8D958E93"="CED6D5D1D2DAD3.exe" []
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
    "Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [2008-02-05 17:44]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    C:\Documents and Settings\reception\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 14:36:04]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 14:36:04]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    "C:\Program Files\Dell Support\DSAgnt.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "C:\Program Files\HP\HP Software Update\HPWuSchd.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




    -- End of Deckard's System Scanner: finished at 2008-02-08 15:42:48 ------------




    --------------------------------------------------------------------------------------
    Hey B,
    Okay, well, that message isn't coming up anymore when I sign in, but that other message is still coming up that says Symantec AntiVirus Realtime Protection Failed To Load. And then, when I am signed in, a message comes from the right-hand side that says that Symantec AntiVirus is disabled. But I never disabled it.
     
    Last edited: 2008/02/08
  17. 2008/02/09
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hey :)

    next round:

    Copy the following text to a new notepad file:

    Code:
    killall::
    folder::
    C:\WINDOWS\system32\636B6A66676F68
    C:\Program Files\Drmupgds
    C:\WINDOWS\YWRtaW4
    C:\WINDOWS\system32\lis6
    C:\WINDOWS\system32\hs9
    C:\WINDOWS\system32\tip4
    C:\WINDOWS\system32\nGpxx01
    
    registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "8991908C8D958E93"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Drmupgds"=-
    
    Save it as CFScript.txt to the desktop.

    Disconnect from internet.
    Shut down running programs including antivirus.
    Drag CFScript.txt on top of combofix.exe.
    Combofix will start -- follow the prompts.

    Post the new C:\combofix.txt when done please.

    --------------------------

    Next --

    Uninstall and re-install your Symantec antivirus.
    Don't forget to update it.
    Does it work properly after this?

    --------------------------

    Next:

    Run the F-Secure Online Scanner
    Note: This Scanner is for Internet Explorer Only!
    • Click on Online Services and then Online Scanner
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report in your next reply.
    If the log is too long -- copy/paste it to notepad, save log as .txt and attach it here.

    ----------------------

    Next:

    Your Acrobat reader is out of date & exploitable.
    Uninstall your Old Acrobat reader and install the new version:

    http://www.adobe.com/products/acrobat/readstep2.html

    If you don't want the toolbar -- uncheck it before clicking "install"

    --------------------------

    Regarding your RealVNC...

    Is it the most recent version?
    Have you changed the log-in passwords lately? With good strong passwords?
    For tips on creating good passwords -- here's a good article to read:

    http://www.microsoft.com/protect/yourself/password/create.mspx

    In your VNC program -- are there still old accounts listed there for the old log-ins?
    The ones that are no longer in use should be removed.
    New passwords should be created for those authorised to log in.

    Referring back to this post:

    http://www.windowsbbs.com/showpost.php?p=381720&postcount=9

    All those users listed in your "extra.txt" ---
    You indicated most of them are no longer in use.
    Any chance they still have the ability to log in?

    If you go to your control panel then open "user accounts" can you see those old accounts?
    If not -- we'll have to go another route to see them.

    New passwords should be created for your account, the admin account and the "receptonist" account and for any other accounts still in use.

    I'm not sure how to mess around with domain accounts and such -- I did ask someone else to have a look here. (noahdfear)
    He may ask for more info or have you do additional things.

    B
     
  18. 2008/02/11
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    ComboFix 08-02.05.3 - Reception 2008-02-11 9:49:19.12 - NTFSx86

    Running from: C:\Documents and Settings\reception\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\reception\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Drmupgds
    C:\Program Files\Drmupgds\Drmupgds.exe
    C:\WINDOWS\system32\636B6A66676F68
    C:\WINDOWS\system32\636B6A66676F68\949C9B9798A099
    C:\WINDOWS\system32\hs9
    C:\WINDOWS\system32\hs9\corab2130.exe
    C:\WINDOWS\system32\lis6
    C:\WINDOWS\system32\nGpxx01
    C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
    C:\WINDOWS\system32\tip4
    C:\WINDOWS\YWRtaW4
    C:\WINDOWS\YWRtaW4\sqlQuqb.vbs

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
    .

    2008-02-08 11:53 . 2004-08-04 00:56 388,608 --a------ C:\kmd.exe
    2008-02-08 09:58 . 2008-02-08 09:58 <DIR> d-------- C:\Deckard
    2008-02-07 10:07 . 2008-02-07 10:09 <DIR> d-------- C:\Program Files\QuickTime
    2008-02-07 10:07 . 2008-02-07 10:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-02-07 10:03 . 2008-02-07 10:03 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-02-07 10:03 . 2008-02-07 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-02-06 09:57 . 2008-02-07 09:49 534 --ahs---- C:\WINDOWS\SYSTEM32\ldvnycyh.ini
    2008-02-06 09:42 . 2008-02-06 10:06 354 --ahs---- C:\WINDOWS\SYSTEM32\feqrddix.ini
    2008-02-05 17:41 . 2008-02-05 17:41 <DIR> d-------- C:\Temp\gTiis19
    2008-02-05 17:40 . 2008-02-05 17:40 <DIR> d-------- C:\Temp\cXzz9
    2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
    2008-01-28 17:03 . 2008-02-08 16:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-28 17:03 . 2008-02-07 09:58 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-24 12:28 . 2008-01-24 12:28 250 --a------ C:\WINDOWS\gmer.ini
    2008-01-23 13:51 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
    2008-01-15 14:37 . 2008-01-16 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-15 14:35 . 2008-01-15 14:35 <DIR> dr-h----- C:\MSOCache
    2008-01-15 14:01 . 2008-01-15 14:01 <DIR> d-------- C:\WINDOWS\WindowsMobile
    2008-01-15 14:01 . 2008-01-15 14:01 <DIR> d-------- C:\Documents and Settings\reception\Application Data\InstallShield
    2008-01-15 13:50 . 2008-01-15 13:50 <DIR> d-------- C:\Program Files\Windows Mobile Device Handbook

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-22 14:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-01-15 19:40 --------- d-----w C:\Program Files\Microsoft Works
    2008-01-15 19:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-15 18:51 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-01-03 23:02 --------- d-----w C:\Program Files\America Online 9.0
    2007-12-18 16:56 --------- d-----w C:\Documents and Settings\reception\Application Data\AdobeUM
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44 68856]
    "H/PC Connection Agent "= "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21 90112]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-13 14:28 185632]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 14:44 68856]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    C:\Program Files\Dell Support\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1137784261\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    --a------ 2003-12-22 07:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    --a------ 2005-09-20 08:32 77824 C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    --a------ 2005-09-20 08:36 114688 C:\WINDOWS\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2007-08-13 14:28 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-07 15:03:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-02-11 14:56:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job "
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2008-02-11 14:56:31 C:\WINDOWS\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_dartcapital_reception.job "
    - C:\WINDOWS\system32\MOBSYNC.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-11 09:54:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-11 9:59:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-11 14:59:09
    ComboFix2.txt 2008-02-08 20:36:27
    .
    2008-02-08 14:51:04 --- E O F ---
    --------------------------------------------------------------------------

    Hey Blender:)
    Okay, here is the log for ComboFix. I have one quick question: if I uninstall Symantec AntiVirus, will I be able to reinstall it? Because I don't have a disc for it. So will I be able to download this from the net?
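Added example (editor's code, not part of DSS, ComboFix or anything posted in this thread): a small Python triage helper for autostart listings in the format the two logs above print, plus decoders for the odd folder names in the ComboFix deletion list. It covers two things from the posts above: the Run-key section of the DSS log (where the entry `"8991908C8D958E93"="CED6D5D1D2DAD3.exe" []` has no directory and an empty timestamp bracket), and the deleted folder names `636B6A66676F68`, `949C9B9798A099` and `YWRtaW4`. Assumptions, all mine: the empty `[]` means the tool found no file to timestamp, the heuristics are only reasons to look closer and not a verdict, the sample log text is constructed from the lines in this thread, and every function name is invented for this example.

```python
"""Triage helpers for autostart entries as printed by DSS / ComboFix logs.

Editor's example for this thread; heuristics and names are not from any tool.
"""
import base64
import re
import string

# Constructed sample, copied in shape from the Run-key sections of the logs
# in this thread. The tool prints "name"="path" [timestamp]; an empty bracket
# is taken to mean it could not locate the file (assumption about the format).
RUN_KEY_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
"8991908C8D958E93"="CED6D5D1D2DAD3.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [2008-02-05 17:44]
'''

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
# Tolerates the stray spaces the forum inserted around the quotes.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*?)\s*"\s*=\s*"(?P<path>[^"]*?)\s*"\s*\[(?P<stamp>[^\]]*)\]')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){4,}$")   # even-length hex, 4+ bytes

NO_FILE = "no file timestamp (tool could not locate the image)"
BARE_NAME = "bare file name, resolved through the search path"
HEX_NAME = "hex-looking value name"
HEX_IMAGE = "hex-looking image name"


def parse_run_entries(text):
    """Return [{'key', 'name', 'path', 'stamp'}] for every value line."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif m := VALUE_RE.match(line):
            entries.append({"key": key, **m.groupdict()})
    return entries


def flag_entry(entry):
    """Heuristic reasons an entry deserves a closer look (not a verdict)."""
    reasons = []
    if not entry["stamp"].strip():
        reasons.append(NO_FILE)
    path = entry["path"]
    if path and "\\" not in path:
        reasons.append(BARE_NAME)
    if HEX_RE.match(entry["name"]):
        reasons.append(HEX_NAME)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if HEX_RE.match(stem):
        reasons.append(HEX_IMAGE)
    return reasons


def decode_hex_ascii(name):
    """Plain hex -> text, if every byte is printable ASCII; else None."""
    if not HEX_RE.match(name):
        return None
    text = bytes.fromhex(name).decode("ascii", errors="replace")
    return text if all(c in string.printable for c in text) else None


def decode_base64_word(name):
    """Unpadded base64 -> text, if the result is printable ASCII; else None."""
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c in string.printable for c in text) else None


def constant_shift(hex_a, hex_b, min_bytes=6):
    """If every byte of b equals the matching byte of a plus one constant
    (mod 256) over their common prefix of at least min_bytes, return it."""
    a, b = bytes.fromhex(hex_a), bytes.fromhex(hex_b)
    if min(len(a), len(b)) < min_bytes:
        return None
    diffs = {(y - x) % 256 for x, y in zip(a, b)}
    return diffs.pop() if len(diffs) == 1 else None


if __name__ == "__main__":
    for e in parse_run_entries(RUN_KEY_LOG):
        if r := flag_entry(e):
            print(f'{e["key"]}\\{e["name"]} -> {e["path"]}: {"; ".join(r)}')
    # Names taken from the ComboFix deletion list in this thread.
    print(decode_hex_ascii("636B6A66676F68"), decode_base64_word("YWRtaW4"))
    print(hex(constant_shift("636B6A66676F68", "CED6D5D1D2DAD3")))
```

Run stand-alone it flags only the hex-named entry (four reasons), decodes `636B6A66676F68` as plain hex and `YWRtaW4` as base64, and reports that `CED6D5D1D2DAD3` is the same byte sequence as `636B6A66676F68` shifted by a constant; the same check relates it to `949C9B9798A099` and to the first seven bytes of `8991908C8D958E93`. Note what the heuristics miss: `Drmupgds.exe` sits in Program Files with a valid timestamp and only stood out in the thread by its creation date, which is why a listing like this is a starting point for a human, not a detection rule.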
     
  19. 2008/02/11
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    Scanning Report
    Monday, February 11, 2008 10:14:41 - 12:38:19
    Computer name: DARTPROC
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\


    --------------------------------------------------------------------------------

    Result: 520 malware found
    DLoader.EGIN (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0000120.EXE (Submitted)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP5\A0000114.EXE (Submitted)
    Tracking Cookie (spyware)
    System (Disinfected)
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    System
    Trojan-Downloader.Win32.Adload.qy (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP16\A0001856.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.Agent.fjn (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP5\A0000112.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.Agent.haq (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001469.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.Agent.hcm (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0000137.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.Agent.hcn (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0000126.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.Agent.idv (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001467.EXE (Renamed & Submitted)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001468.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.PurityScan.fj (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000090.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.Small.buy (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000084.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.VB.cge (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP16\A0001858.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.VB.chy (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0000118.EXE (Renamed & Submitted)
    Trojan.Win32.BHO.ab (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0000119.EXE (Renamed & Submitted)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000088.DLL (Renamed & Submitted)
    Trojan.Win32.Scapur.k (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001465.EXE (Renamed & Submitted)
    Vundo.gen38 (virus)
    C:\WINDOWS\SYSTEM32\MCLTCRYN.INI (Submitted)
    Vundo.gen54 (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001472.DLL (Submitted)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001473.DLL (Submitted)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001474.DLL (Submitted)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001475.DLL (Submitted)
    W32/Adclicker.dam (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000091.DLL
    W32/DLoader.FKJY.dropper (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0000117.EXE (Submitted)
    W32/DLoader.FMKU (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP12\A0001470.EXE (Submitted)
    W32/NetMon.C (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000092.EXE (Submitted)

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 44301
    System: 4472
    Not scanned: 5
    Actions:
    Disinfected: 1
    Renamed: 14
    Deleted: 0
    None: 505
    Submitted: 24
    Files not scanned:
    C:\HIBERFIL.SYS
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{77E8123B-F713-40DE-A974-6022202326E2}.BIN
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\137747F71BE92F642BA5F49B9A14D0B4_7B71FBCE-DFF3-42C2-9259-D2367EB8DAA9

    --------------------------------------------------------------------------------

    Options
    Scanning engines:
    F-Secure AVP: 7.0.171, 2008-02-11
    F-Secure Blacklight: 1.0.64
    F-Secure Draco: 1.0.35, 2008-02-04
    F-Secure Libra: 2.4.2, 2008-02-07
    F-Secure Orion: 1.2.37, 2008-02-11
    F-Secure Pegasus: 1.19.0, 2008-01-06
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQXJPG SWF
    Use Advanced heuristics
     
  20. 2008/02/11
    Petag21

    Petag21 Inactive Thread Starter

    Joined:
    2007/07/24
    Messages:
    52
    Likes Received:
    0
    Vnc:

    Pretty much all of those accounts are no longer in use, and none of the old people have access to log in except for the computer guy. I really don't know much about updating, what version, the password or anything like that, because my boss always tells us not to bother it.
     
  21. 2008/02/11
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    If you don't have the disk for it -- likely not then. Unless your boss has the disk. Ask him?
    If your boss is OK with it -- we can remove Symantec and install a different AV.

    ------------------------

    The old user accounts that are no longer in use should be removed, not only to free up space but because they can present a security issue.
    I don't know how secure your workplace is, but if pretty much anyone can jump on the PC and do whatever they want --- not too secure, is it?
    If your login is the same password from forever ago and everyone knew it --- they still do.

    To delete local accounts:
    Open "user accounts" in the control panel.
    From there you can pick users that are no longer there and delete each one.
    Windows may ask to save user's documents to your desktop.
    I don't know what documents and such they have --- so you will have to decide whether or not to let Windows do this.

    Same with VNC account logins -- if you're still using old passwords from forever ago when others could log in -- security is lost here because they still might be able to.
    Yes, it is a pain in the neck to change passwords and such, but with all the infections you've been through -- it sure does look like a good choice to me.

    ---------------------

    Few more things to remove.

    Find and delete the following:

    C:\WINDOWS\SYSTEM32\ldvnycyh.ini
    C:\WINDOWS\SYSTEM32\feqrddix.ini

    C:\Temp\gTiis19 <-- folder
    C:\Temp\cXzz9 <-- folder

    Some are hidden.

    How to show hidden files/folders:

    http://www.bleepingcomputer.com/tutorials/tutorial62.html
    don't forget to hide files/folders when we are finished cleaning.

    ----------------------
    -----------------------

    C:\Qoobox\Quarantine\C\Program Files\Drmupgds\Drmupgds.exe.vir

    Can you upload that file here please:

    http://www.bleepingcomputer.com/submit-malware.php?channel=20

    Include the URL from this thread so I know where the file came from.

    --------------------------

    Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    Click "I accept"

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
      http://i266.photobucket.com/albums/ii277/sUBs_/Kas-Savetxt.gif
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    *Note
    It is recommended to disable your resident antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

    *Note2
    If you have Internet Explorer 7 installed:
    If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
    Page will reload and you should be able to carry on scan.

    If the log is too big -- please upload it here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Include URL from this thread so I know who the log belongs to.

    Thanks :)
     
