
Is it safe to remove these - MBAM scan attached

Discussion in 'Malware and Virus Removal Archive' started by jazcan, 2008/09/07.

  1. 2008/09/07 - jazcan (Lifetime Subscription, Thread Starter, joined 2002/05/05)
    Here's the latest ComboFix log.
    Still got the error about that dll when it started... I don't think it appeared after I rebooted. Again, I had to reboot; Windows would not shut down. Also, while ComboFix was creating the log file, the eTrust antivirus found 3 viruses... same as before.

    Here is the combofix log:

    ComboFix 08-09-05.04 - jhamilton2 2008-09-07 21:28:49.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254 [GMT -4:00]
    Running from: C:\Documents and Settings\jhamilton2\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\jhamilton2\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    The following files were disabled during the run:
    c:\windows\system32\zordisa.dll


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\dcbdcatys32_080906a.dll
    C:\WINDOWS\Install.txt
    C:\WINDOWS\system\sgcxcxxaspf080906.exe
    C:\WINDOWS\system32\afisicx.exe
    C:\WINDOWS\system32\comsa32.sys
    C:\WINDOWS\system32\drivers\cbnjf.sys
    C:\WINDOWS\system32\inf\sppdcrs080906.scr
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\system32\Install.txt
    C:\WINDOWS\system32\mabidwe.exe
    C:\WINDOWS\system32\noytcyr.exe
    C:\WINDOWS\system32\roytctm.exe
    C:\WINDOWS\system32\rtl60.bpl
    C:\WINDOWS\system32\soxpeca.exe
    C:\WINDOWS\system32\tdydowkc.exe
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\system32\udxfytw.sys
    C:\WINDOWS\system32\wsldoekd.exe
    C:\WINDOWS\system32\zordisa.dll
    c:\WINDOWS\system32\zordisa.dll.vir
    C:\WINDOWS\tawisys.ini
    C:\WINDOWS\Temp\dwbins.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFISICX
    -------\Legacy_CBNJF
    -------\Legacy_MABIDWE
    -------\Legacy_NOYTCYR
    -------\Legacy_ROYTCTM
    -------\Legacy_SEIUCTOL
    -------\Legacy_SOXPECA
    -------\Legacy_TDYDOWKC
    -------\Legacy_WSLDOEKD
    -------\Service_afisicx
    -------\Service_cbnjf
    -------\Service_mabidwe
    -------\Service_noytcyr
    -------\Service_roytctm
    -------\Service_seiuctol
    -------\Service_soxpeca
    -------\Service_tdydowkc
    -------\Service_wsldoekd


    ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
    .

    2008-09-07 21:36 . 2008-09-07 21:36 126,976 --a------ C:\WINDOWS\system\sgcxcxxaspf080906.exe
    2008-09-07 21:36 . 2008-09-07 21:36 14,848 --ah----- C:\WINDOWS\system32\zordisa.dll
    2008-09-07 21:36 . 2008-09-07 21:36 169 --a------ C:\WINDOWS\tawisys.ini
    2008-09-07 18:52 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-09-07 18:27 . 2008-09-07 18:57 <DIR> d-------- C:\Documents and Settings\jhamilton2\.housecall6.6
    2008-09-07 14:48 . 2008-09-07 14:48 <DIR> d-------- C:\rsit
    2008-09-07 14:33 . 2008-09-07 14:33 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-07 12:47 . 2008-09-07 21:36 <DIR> d-------- C:\WINDOWS\system32\inf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-07 17:05 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-06 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-09-02 04:16 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-02 04:16 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Malwarebytes
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-28 20:03 --------- d-----w C:\Program Files\MSECache
    2008-07-28 19:53 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-25 14:35 --------- d-----w C:\Program Files\Audacity
    2008-07-25 14:17 --------- d-----w C:\Program Files\CallCopy
    2008-07-24 14:44 --------- d-----w C:\Program Files\Google
    2008-07-20 12:47 --------- d-----w C:\Program Files\Modem Helper
    2008-07-18 02:02 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\acccore
    2008-07-17 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-07-17 20:36 --------- d-----w C:\Program Files\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Program Files\Common Files\AOL
    2008-07-17 20:36 --------- d-----w C:\Program Files\AIM6
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
    2008-07-17 20:21 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Sonic
    2008-07-17 20:20 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Intel
    2008-07-17 20:15 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
    2008-07-17 20:15 --------- d-----w C:\Program Files\Cisco Systems
    2008-07-17 20:02 --------- d-----w C:\Program Files\activePDF
    2008-07-17 18:38 --------- d-----w C:\Program Files\Microsoft.NET
    2008-07-17 18:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-07-17 18:30 --------- d-----w C:\Program Files\CA
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Sonic
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Intel
    2008-07-17 18:26 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Sonic
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Intel
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
    2008-07-17 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-17 18:24 --------- d-----w C:\Program Files\CyberLink
    2008-07-17 18:21 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Sonic
    2008-07-17 18:17 --------- d-----w C:\Program Files\Common Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Common Files\SureThing Shared
    2008-07-17 18:09 --------- d-----w C:\Program Files\Dell
    2008-07-17 17:16 --------- d-----w C:\Program Files\Java
    2008-07-17 17:15 --------- d-----w C:\Program Files\Dell Computer Corporation
    2008-07-17 17:15 --------- d-----w C:\Program Files\Common Files\Java
    2008-07-17 17:12 --------- d-----w C:\Program Files\SigmaTel
    2008-07-17 17:12 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-17 17:04 --------- d-----w C:\Program Files\Intel
    2008-07-17 17:02 --------- d-----w C:\Program Files\CONEXANT
    2008-07-17 16:57 17,056 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2008-07-17 16:57 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Intel
    2008-07-17 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
    2008-07-17 16:54 --------- d-----w C:\Program Files\Broadcom
    2008-07-17 15:11 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    .

    ------- Sigcheck -------

    2008-01-23 18:34 53592 1f83b758355a2d3ead3552218fb78506 C:\WINDOWS\system32\wuauclt.exe
    2008-01-23 18:34 53592 01d64a90525e6f8e2ab55497e87fb535 C:\WINDOWS\system32\dllcache\wuauclt.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-09-07_17.39.54.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-05-02 18:22:56 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    + 2008-09-08 01:35:01 29,764 ----a-w C:\WINDOWS\Temp\mfrj.exe
    + 2008-06-23 15:38:34 615,936 ----a-w C:\WINDOWS\Temp\mta39677.dll
    + 2008-09-08 01:36:29 126,976 ----a-w C:\WINDOWS\Temp\us.exe
    + 2008-09-08 01:35:02 42,564 ----a-w C:\WINDOWS\Temp\WowInitcode.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-24 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 126976]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2005-02-03 606208]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "PDVDDXSrv "= "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "Realtime Monitor "= "C:\Program Files\CA\eTrustITM\realmon.exe" [2007-01-16 407632]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-07-17 6144]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=

    R2 afisicx;afisicx Service;C:\WINDOWS\system32\afisicx.exe [2004-08-04 44544]
    R2 mabidwe;mabidwe Service;C:\WINDOWS\system32\mabidwe.exe [2004-08-04 44544]
    R2 noytcyr;noytcyr Service;C:\WINDOWS\system32\noytcyr.exe [2004-08-04 44544]
    R2 roytctm;roytctm Service;C:\WINDOWS\system32\roytctm.exe [2004-08-04 44032]
    R2 soxpeca;soxpeca Service;C:\WINDOWS\system32\soxpeca.exe [2004-08-04 44544]
    R2 tdydowkc;tdydowkc Service;C:\WINDOWS\system32\tdydowkc.exe [2004-08-04 44544]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R2 wsldoekd;wsldoekd Service;C:\WINDOWS\system32\wsldoekd.exe [2004-08-04 44032]
    S2 seiuctol;Security Control;c:\windows\system32\rundll32.exe zordisa.dll,scan [ ]

    *Newly Created Service* - AFISICX
    *Newly Created Service* - MABIDWE
    *Newly Created Service* - NOYTCYR
    *Newly Created Service* - ROYTCTM
    *Newly Created Service* - SOXPECA
    *Newly Created Service* - TDYDOWKC
    *Newly Created Service* - WSLDOEKD
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-07 21:35:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\rtl60.bpl 676352 bytes executable
    C:\WINDOWS\system32\comsa32.sys 10 bytes
    C:\WINDOWS\system32\Install.txt 275 bytes
    C:\WINDOWS\system32\soxpeca.exe
    C:\WINDOWS\system32\tpszxyd.sys 266752 bytes executable
    C:\WINDOWS\system32\wsldoekd.exe 44032 bytes executable
    C:\WINDOWS\system32\afisicx.exe 44544 bytes executable
    C:\WINDOWS\system32\zordisa.dll 14848 bytes executable
    C:\WINDOWS\system32\udxfytw.sys 36864 bytes executable

    scan completed successfully
    hidden files: 9

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> c:\windows\system32\zordisa.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\WINDOWS\system32\BAsfIpM.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Temp\mfrj.exe
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\Temp\dwbins.exe
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\system32\udxfytw.sys
    .
    **************************************************************************
    .
    Completion time: 2008-09-07 21:39:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-08 01:39:47
    ComboFix2.txt 2008-09-08 00:58:21
    ComboFix3.txt 2008-09-07 21:41:23

    Pre-Run: 22,805,291,008 bytes free
    Post-Run: 22,812,745,728 bytes free

    238 --- E O F --- 2008-08-17 01:58:46
     
  2. 2008/09/07 - jazcan (Lifetime Subscription, Thread Starter, joined 2002/05/05)
    Here is the latest HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:44, on 2008-09-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\PROGRAM FILES\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\CA\eTrustITM\ppcl.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\CA\eTrustITM\ppcl.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\CA\eTrustITM\realmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\TEMP\mfrj.exe
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\TEMP\dwbins.exe
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\system32\noytcyr.exe
    C:\WINDOWS\system32\wsldoekd.exe
    C:\WINDOWS\system32\afisicx.exe
    C:\WINDOWS\system32\roytctm.exe
    C:\WINDOWS\system32\tdydowkc.exe
    C:\WINDOWS\system32\mabidwe.exe
    C:\WINDOWS\system32\soxpeca.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\udxfytw.sys
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe "
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1216320355663
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O17 - HKLM\Software\..\Telephony: DomainName = teleperformanceca.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O23 - Service: afisicx - Unknown owner - C:\WINDOWS\system32\afisicx.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\PROGRAM FILES\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: noytcyr - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: roytctm - Unknown owner - C:\WINDOWS\system32\roytctm.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: soxpeca - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
    O23 - Service: tdydowkc - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: wsldoekd - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

    --
    End of file - 8006 bytes

    I had to change the homepage because it was still showing as that other Chinese site :-(
     


  4. 2008/09/07 - Geri (Lifetime Subscription, Alumni, joined 2003/03/02)
    Hi
    OK, delete the CFScript you have on your desktop.


    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Now let's run this one in safe mode.

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    KillAll::
    File::
    C:\WINDOWS\system\sgcxcxxaspf080906.exe
    C:\WINDOWS\system32\zordisa.dll
    C:\WINDOWS\tawisys.ini
    c:\windows\system32\rundll32.exe zordisa.dll
    C:\WINDOWS\system32\afisicx.exe
    C:\WINDOWS\system32\mabidwe.exe
    C:\WINDOWS\system32\noytcyr.exe
    C:\WINDOWS\system32\roytctm.exe
    C:\WINDOWS\system32\tdydowkc.exe
    C:\WINDOWS\system32\wsldoekd.exe
    C:\WINDOWS\system32\udxfytw.sys
    C:\WINDOWS\TEMP\mfrj.exe
    C:\WINDOWS\TEMP\dwbins.exe

    Folder::
    C:\WINDOWS\system32\inf

    RootKit::
    afisicx
    mabidwe
    noytcyr
    roytctm
    soxpeca
    tdydowkc
    wsldoekd
    seiuctol

    Please post the CF log.
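Added example, not part of this thread and not code from ComboFix, HijackThis or Malwarebytes: a small Python triage script that encodes the indicators the CFScript above was built from, so a reader can see how the entries in the posted logs were singled out. The rules it applies (service with "Unknown owner" running from the Windows directory, executables started from a TEMP folder, a ".sys" file listed as a running process, a service that is just rundll32.exe loading a DLL, and a ComboFix service whose display name is the placeholder "<name> Service") are this example's own heuristics, not a rule set either tool ships. The sample lines are copied from the HijackThis and ComboFix logs posted earlier in the thread, with a few benign entries from the same logs kept for contrast.

```python
import re

# Sample lines copied from the logs posted in this thread. svchost.exe,
# EvtEng and the Broadcom service are benign entries kept for contrast.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\mfrj.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\noytcyr.exe
O23 - Service: afisicx - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
R2 afisicx;afisicx Service;C:\WINDOWS\system32\afisicx.exe [2004-08-04 44544]
S2 seiuctol;Security Control;c:\windows\system32\rundll32.exe zordisa.dll,scan [ ]
"""

# HijackThis O23 line: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix service line: "R2 <name>;<display>;<command> [<date> <size>]"
CF_SERVICE_RE = re.compile(
    r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.*?)(?: \[.*\])?$"
)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32.
WINDOWS_DIR_RE = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage_line(line: str) -> list[str]:
    """Return the indicators a single log line matched ([] if none)."""
    line = line.strip()
    reasons: list[str] = []
    if not line:
        return reasons

    m = O23_RE.match(line)
    if m:
        # Vendor-less service binaries dropped straight into the Windows
        # directory are the pattern behind every "Unknown owner" line above.
        if m["owner"] == "Unknown owner" and WINDOWS_DIR_RE.match(m["path"]):
            reasons.append("service with no vendor information running from the Windows directory")
        return reasons

    m = CF_SERVICE_RE.match(line)
    if m:
        cmd = m["cmd"]
        if "rundll32.exe" in cmd.lower():
            reasons.append("service implemented as rundll32.exe loading a DLL export")
        elif m["display"] == f"{m['name']} Service" and WINDOWS_DIR_RE.match(cmd):
            reasons.append("placeholder display name '<name> Service' for a binary in the Windows directory")
        return reasons

    # Anything else is treated as a bare path from a "Running processes" list.
    if TEMP_DIR_RE.search(line) and line.lower().endswith(".exe"):
        reasons.append("executable running from a TEMP directory")
    if line.lower().endswith(".sys"):
        reasons.append("'.sys' file listed as a running process (drivers are not processes)")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map every suspicious line of a log to the indicators it matched."""
    findings: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

Running it prints the five lines that deserve a closer look and leaves svchost.exe, the Intel and Broadcom services and the bare noytcyr.exe path alone: a random-looking name in system32 is not by itself an indicator, and the script only flags what it can justify from the line. The output is a shortlist for a human to confirm against the rest of the log, not a removal list; the CFScript above still has to be assembled by someone who has checked each entry.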
     
  5. 2008/09/07 - jazcan (Lifetime Subscription, Thread Starter, joined 2002/05/05)
    ComboFix ran in safe mode.
    It rebooted from safe mode without me having to power off.
    When it booted back up, the eTrust antivirus still posted that it found 3 viruses :-(.
    Here is the latest ComboFix log:

    ComboFix 08-09-05.05 - jhamilton2 2008-09-07 22:45:35.4 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.373 [GMT -4:00]
    Running from: C:\Documents and Settings\jhamilton2\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\jhamilton2\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\dcbdcatys32_080906a.dll
    C:\WINDOWS\Install.txt
    C:\WINDOWS\system\sgcxcxxaspf080906.exe
    C:\WINDOWS\system32\afisicx.exe
    C:\WINDOWS\system32\comsa32.sys
    C:\WINDOWS\system32\inf
    C:\WINDOWS\system32\inf\sppdcrs080906.scr
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\system32\Install.txt
    C:\WINDOWS\system32\mabidwe.exe
    C:\WINDOWS\system32\noytcyr.exe
    C:\WINDOWS\system32\roytctm.exe
    C:\WINDOWS\system32\rtl60.bpl
    C:\WINDOWS\system32\soxpeca.exe
    C:\WINDOWS\system32\tdydowkc.exe
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\system32\udxfytw.sys
    C:\WINDOWS\system32\wsldoekd.exe
    C:\WINDOWS\system32\zordisa.dll
    C:\WINDOWS\tawisys.ini
    C:\WINDOWS\TEMP\dwbins.exe
    C:\WINDOWS\TEMP\mfrj.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFISICX
    -------\Legacy_MABIDWE
    -------\Legacy_NOYTCYR
    -------\Legacy_ROYTCTM
    -------\Legacy_SOXPECA
    -------\Legacy_TDYDOWKC
    -------\Legacy_WSLDOEKD
    -------\Service_afisicx
    -------\Service_mabidwe
    -------\Service_noytcyr
    -------\Service_roytctm
    -------\Service_soxpeca
    -------\Service_tdydowkc
    -------\Service_wsldoekd


    ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
    .

    2008-09-07 18:52 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-09-07 18:27 . 2008-09-07 18:57 <DIR> d-------- C:\Documents and Settings\jhamilton2\.housecall6.6
    2008-09-07 14:48 . 2008-09-07 14:48 <DIR> d-------- C:\rsit
    2008-09-07 14:33 . 2008-09-07 14:33 <DIR> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-07 17:05 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-06 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-09-02 04:16 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-02 04:16 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Malwarebytes
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-28 20:03 --------- d-----w C:\Program Files\MSECache
    2008-07-28 19:53 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-25 14:35 --------- d-----w C:\Program Files\Audacity
    2008-07-25 14:17 --------- d-----w C:\Program Files\CallCopy
    2008-07-24 14:44 --------- d-----w C:\Program Files\Google
    2008-07-20 12:47 --------- d-----w C:\Program Files\Modem Helper
    2008-07-18 02:02 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\acccore
    2008-07-17 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-07-17 20:36 --------- d-----w C:\Program Files\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Program Files\Common Files\AOL
    2008-07-17 20:36 --------- d-----w C:\Program Files\AIM6
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
    2008-07-17 20:21 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Sonic
    2008-07-17 20:20 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Intel
    2008-07-17 20:15 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
    2008-07-17 20:15 --------- d-----w C:\Program Files\Cisco Systems
    2008-07-17 20:02 --------- d-----w C:\Program Files\activePDF
    2008-07-17 18:38 --------- d-----w C:\Program Files\Microsoft.NET
    2008-07-17 18:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-07-17 18:30 --------- d-----w C:\Program Files\CA
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Sonic
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Intel
    2008-07-17 18:26 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Sonic
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Intel
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
    2008-07-17 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-17 18:24 --------- d-----w C:\Program Files\CyberLink
    2008-07-17 18:21 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Sonic
    2008-07-17 18:17 --------- d-----w C:\Program Files\Common Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Common Files\SureThing Shared
    2008-07-17 18:09 --------- d-----w C:\Program Files\Dell
    2008-07-17 17:16 --------- d-----w C:\Program Files\Java
    2008-07-17 17:15 --------- d-----w C:\Program Files\Dell Computer Corporation
    2008-07-17 17:15 --------- d-----w C:\Program Files\Common Files\Java
    2008-07-17 17:12 --------- d-----w C:\Program Files\SigmaTel
    2008-07-17 17:12 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-17 17:04 --------- d-----w C:\Program Files\Intel
    2008-07-17 17:02 --------- d-----w C:\Program Files\CONEXANT
    2008-07-17 16:57 17,056 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2008-07-17 16:57 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
    2008-07-17 16:57 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Intel
    2008-07-17 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
    2008-07-17 16:54 --------- d-----w C:\Program Files\Broadcom
    2008-07-17 15:11 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    .

    ------- Sigcheck -------

    2008-01-23 18:34 53592 1f83b758355a2d3ead3552218fb78506 C:\WINDOWS\system32\wuauclt.exe
    2008-01-23 18:34 53592 01d64a90525e6f8e2ab55497e87fb535 C:\WINDOWS\system32\dllcache\wuauclt.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-09-07_17.39.54.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-05-02 18:22:56 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-24 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 126976]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2005-02-03 606208]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "PDVDDXSrv "= "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "Realtime Monitor "= "C:\Program Files\CA\eTrustITM\realmon.exe" [2007-01-16 407632]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-07-17 6144]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=

    R2 afisicx;afisicx Service;C:\WINDOWS\system32\afisicx.exe [2004-08-04 44544]
    R2 mabidwe;mabidwe Service;C:\WINDOWS\system32\mabidwe.exe [2004-08-04 44544]
    R2 noytcyr;noytcyr Service;C:\WINDOWS\system32\noytcyr.exe [2004-08-04 44544]
    R2 roytctm;roytctm Service;C:\WINDOWS\system32\roytctm.exe [2004-08-04 44032]
    R2 soxpeca;soxpeca Service;C:\WINDOWS\system32\soxpeca.exe [2004-08-04 44544]
    R2 tdydowkc;tdydowkc Service;C:\WINDOWS\system32\tdydowkc.exe [2004-08-04 44544]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R2 wsldoekd;wsldoekd Service;C:\WINDOWS\system32\wsldoekd.exe [2004-08-04 44032]
    S2 seiuctol;Security Control;c:\windows\system32\rundll32.exe zordisa.dll,scan [ ]

    *Newly Created Service* - AFISICX
    *Newly Created Service* - MABIDWE
    *Newly Created Service* - NOYTCYR
    *Newly Created Service* - ROYTCTM
    *Newly Created Service* - SOXPECA
    *Newly Created Service* - TDYDOWKC
    *Newly Created Service* - WSLDOEKD
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-07 22:49:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\tpszxyd.sys 266752 bytes executable
    C:\WINDOWS\system32\afisicx.exe
    C:\WINDOWS\system32\zordisa.dll 14848 bytes executable
    C:\WINDOWS\system32\udxfytw.sys 36864 bytes executable

    scan completed successfully
    hidden files: 4

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> c:\windows\system32\zordisa.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\WINDOWS\system32\BAsfIpM.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Temp\mfrj.exe
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\Temp\dwbins.exe
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\system32\udxfytw.sys
    .
    **************************************************************************
    .
    Completion time: 2008-09-07 22:54:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-08 02:54:14
    ComboFix2.txt 2008-09-08 01:40:01
    ComboFix3.txt 2008-09-08 00:58:21
    ComboFix4.txt 2008-09-07 21:41:23

    Pre-Run: 23,335,567,360 bytes free
    Post-Run: 22,801,473,536 bytes free

    220 --- E O F --- 2008-08-17 01:58:46
     
  6. 2008/09/07
    Geri
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      
      C:\WINDOWS\system32\zordisa.dll 
      C:\WINDOWS\tawisys.ini 
      C:\WINDOWS\system32\afisicx.exe 
      C:\WINDOWS\system32\mabidwe.exe 
      C:\WINDOWS\system32\noytcyr.exe 
      C:\WINDOWS\system32\roytctm.exe 
      C:\WINDOWS\system32\tdydowkc.exe 
      C:\WINDOWS\system32\wsldoekd.exe 
      C:\WINDOWS\system32\udxfytw.sys 
      C:\WINDOWS\TEMP\mfrj.exe 
      C:\WINDOWS\TEMP\dwbins.exe
      C:\WINDOWS\system32\inf\svchoct.exe 
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Please post the OTMoveIt2 log.

    Thanks
     
  7. 2008/09/07
    jazcan
    Here it is:

    DllUnregisterServer procedure not found in C:\WINDOWS\system32\zordisa.dll
    C:\WINDOWS\system32\zordisa.dll NOT unregistered.
    C:\WINDOWS\system32\zordisa.dll moved successfully.
    C:\WINDOWS\tawisys.ini moved successfully.
    C:\WINDOWS\system32\afisicx.exe moved successfully.
    C:\WINDOWS\system32\mabidwe.exe moved successfully.
    C:\WINDOWS\system32\noytcyr.exe moved successfully.
    C:\WINDOWS\system32\roytctm.exe moved successfully.
    C:\WINDOWS\system32\tdydowkc.exe moved successfully.
    C:\WINDOWS\system32\wsldoekd.exe moved successfully.
    C:\WINDOWS\system32\udxfytw.sys moved successfully.
    File/Folder C:\WINDOWS\TEMP\mfrj.exe C:\WINDOWS\TEMP\dwbins.exe not found.
    C:\WINDOWS\system32\inf\svchoct.exe moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09072008_232240
     
  8. 2008/09/07
    Geri
    Hi
    OK, Dave gave some help here.

    Please delete the CFScript you have on your Desktop. Please do this in the order Dave gave.

    "Tell them to update MBAM first, disconnect from the internet (physically), run the script, then MBAM. Post back with the logs when done. A fresh rsit log would be good too "

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Code:
    KillAll::
    File::
    C:\WINDOWS\Temp\mfrj.exe
    C:\WINDOWS\system32\inf\svchoct.exe
    C:\WINDOWS\Temp\dwbins.exe
    Rootkit::
    C:\WINDOWS\system32\afisicx.exe
    C:\WINDOWS\system32\mabidwe.exe
    C:\WINDOWS\system32\noytcyr.exe
    C:\WINDOWS\system32\roytctm.exe
    C:\WINDOWS\system32\soxpeca.exe
    C:\WINDOWS\system32\tdydowkc.exe
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\system32\udxfytw.sys
    C:\WINDOWS\system32\wsldoekd.exe
    C:\WINDOWS\system32\zordisa.dll
    Driver::
    afisicx
    mabidwe
    noytcyr
    roytctm
    seiuctol
    soxpeca
    tdydowkc
    wsldoekd
    
    Please post the logs.

    Thanks
    Geri
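    The names Geri lists under Driver:: are the R2/S2 service lines from the earlier ComboFix log, and the pattern that singled them out (a display name that is just the service name plus "Service", identical file dates and sizes across differently named system32 binaries, or rundll32.exe standing in for a real service binary) can be checked mechanically. The following is an added example and not code from this thread, from ComboFix or from OTMoveIt2: a small Python parser for ComboFix service lines with reviewer heuristics of its own, run over lines copied from the log above.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: service lines copied from the ComboFix log posted
# earlier in this thread, with the legitimate Viewpoint entry kept as a control.
SAMPLE_LOG = r"""
R2 afisicx;afisicx Service;C:\WINDOWS\system32\afisicx.exe [2004-08-04 44544]
R2 mabidwe;mabidwe Service;C:\WINDOWS\system32\mabidwe.exe [2004-08-04 44544]
R2 roytctm;roytctm Service;C:\WINDOWS\system32\roytctm.exe [2004-08-04 44032]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 wsldoekd;wsldoekd Service;C:\WINDOWS\system32\wsldoekd.exe [2004-08-04 44032]
S2 seiuctol;Security Control;c:\windows\system32\rundll32.exe zordisa.dll,scan [ ]
"""

# ComboFix service line layout, as seen in the log:
#   <R|S><start type> <service name>;<display name>;<image path> [<file date> <file size>]
# A missing file leaves the bracket empty: "[ ]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str
    start: str
    name: str
    display: str
    image: str
    file_date: Optional[str]
    file_size: Optional[int]
    reasons: List[str] = field(default_factory=list)


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Pull the service entries out of a ComboFix log, ignoring everything else."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        meta = m.group("meta").split()
        file_date = meta[0] if len(meta) == 2 else None
        file_size = int(meta[1]) if len(meta) == 2 else None
        entries.append(ServiceEntry(m.group("state"), m.group("start"), m.group("name"),
                                    m.group("display"), m.group("image"), file_date, file_size))
    return entries


def in_system32(entry: ServiceEntry) -> bool:
    return "\\system32\\" in entry.image.lower()


def flag_suspicious(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Apply the reviewer's heuristics (this example's own); a hit is a candidate to inspect, not a verdict."""
    # Differently named binaries in system32 sharing one date and size are usually
    # copies of a single dropper (the log above repeats 44544 and 44032 bytes).
    size_cluster = Counter((e.file_date, e.file_size) for e in entries
                           if in_system32(e) and e.file_size is not None)
    for e in entries:
        exe = e.image.split("\\")[-1].split()[0].lower()
        if e.display.strip().lower() == e.name.strip().lower() + " service":
            e.reasons.append("display name is just '<name> Service' boilerplate")
        if exe == "rundll32.exe":
            e.reasons.append("service is rundll32.exe loading a DLL instead of its own binary")
        if e.file_size is None:
            e.reasons.append("no file date/size recorded (binary missing or hidden)")
        if in_system32(e) and size_cluster[(e.file_date, e.file_size)] >= 2:
            e.reasons.append("shares date and size with %d other system32 service binaries"
                             % (size_cluster[(e.file_date, e.file_size)] - 1))
    return [e for e in entries if e.reasons]


def review(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged service name to the reasons it was flagged."""
    return {e.name: e.reasons for e in flag_suspicious(parse_services(log_text))}


if __name__ == "__main__":
    for name, reasons in review(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

    On the sample above, the five services Geri named are flagged and the Viewpoint entry is not; the final decision still rests with a reviewer, as in the thread.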
     
  9. 2008/09/07
    jazcan
    Here are the logs:

    ComboFix 08-09-05.05 - jhamilton2 2008-09-07 23:50:55.5 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.294 [GMT -4:00]
    Running from: C:\Documents and Settings\jhamilton2\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\jhamilton2\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\dcbdcatys32_080906a.dll
    C:\WINDOWS\Install.txt
    C:\WINDOWS\system\sgcxcxxaspf080906.exe
    C:\WINDOWS\system32\afisicx.exe
    C:\WINDOWS\system32\comsa32.sys
    C:\WINDOWS\system32\inf\sppdcrs080906.scr
    C:\WINDOWS\system32\mabidwe.exe
    C:\WINDOWS\system32\noytcyr.exe
    C:\WINDOWS\system32\roytctm.exe
    C:\WINDOWS\system32\rtl60.bpl
    C:\WINDOWS\system32\soxpeca.exe
    C:\WINDOWS\system32\tdydowkc.exe
    C:\WINDOWS\system32\tpszxyd.sys
    C:\WINDOWS\system32\udxfytw.sys
    C:\WINDOWS\system32\wsldoekd.exe
    C:\WINDOWS\system32\zordisa.dll
    C:\WINDOWS\Temp\mfrj.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AFISICX
    -------\Legacy_MABIDWE
    -------\Legacy_NOYTCYR
    -------\Legacy_ROYTCTM
    -------\Legacy_SEIUCTOL
    -------\Legacy_SOXPECA
    -------\Legacy_TDYDOWKC
    -------\Legacy_WSLDOEKD
    -------\Service_afisicx
    -------\Service_mabidwe
    -------\Service_noytcyr
    -------\Service_roytctm
    -------\Service_seiuctol
    -------\Service_soxpeca
    -------\Service_tdydowkc
    -------\Service_wsldoekd


    ((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
    .

    2008-09-07 23:22 . 2008-09-07 23:22 <DIR> d-------- C:\_OTMoveIt
    2008-09-07 22:51 . 2008-09-07 23:51 <DIR> d-------- C:\WINDOWS\system32\inf
    2008-09-07 18:52 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-09-07 18:27 . 2008-09-07 18:57 <DIR> d-------- C:\Documents and Settings\jhamilton2\.housecall6.6
    2008-09-07 14:48 . 2008-09-07 14:48 <DIR> d-------- C:\rsit
    2008-09-07 14:33 . 2008-09-07 14:33 <DIR> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-07 17:05 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-06 12:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-09-02 04:16 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-02 04:16 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Malwarebytes
    2008-08-05 15:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-28 20:03 --------- d-----w C:\Program Files\MSECache
    2008-07-28 19:53 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-25 14:35 --------- d-----w C:\Program Files\Audacity
    2008-07-25 14:17 --------- d-----w C:\Program Files\CallCopy
    2008-07-24 14:44 --------- d-----w C:\Program Files\Google
    2008-07-20 12:47 --------- d-----w C:\Program Files\Modem Helper
    2008-07-18 02:02 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\acccore
    2008-07-17 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-07-17 20:36 --------- d-----w C:\Program Files\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Program Files\Common Files\AOL
    2008-07-17 20:36 --------- d-----w C:\Program Files\AIM6
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-07-17 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
    2008-07-17 20:21 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Sonic
    2008-07-17 20:20 --------- d-----w C:\Documents and Settings\jhamilton2\Application Data\Intel
    2008-07-17 20:15 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
    2008-07-17 20:15 --------- d-----w C:\Program Files\Cisco Systems
    2008-07-17 20:02 --------- d-----w C:\Program Files\activePDF
    2008-07-17 18:38 --------- d-----w C:\Program Files\Microsoft.NET
    2008-07-17 18:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-07-17 18:30 --------- d-----w C:\Program Files\CA
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Sonic
    2008-07-17 18:28 --------- d-----w C:\Documents and Settings\fferreira.TPCAN\Application Data\Intel
    2008-07-17 18:26 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Sonic
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\fferreira\Application Data\Intel
    2008-07-17 18:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
    2008-07-17 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-17 18:24 --------- d-----w C:\Program Files\CyberLink
    2008-07-17 18:21 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Sonic
    2008-07-17 18:17 --------- d-----w C:\Program Files\Common Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Sonic
    2008-07-17 18:16 --------- d-----w C:\Program Files\Common Files\SureThing Shared
    2008-07-17 18:09 --------- d-----w C:\Program Files\Dell
    2008-07-17 17:16 --------- d-----w C:\Program Files\Java
    2008-07-17 17:15 --------- d-----w C:\Program Files\Dell Computer Corporation
    2008-07-17 17:15 --------- d-----w C:\Program Files\Common Files\Java
    2008-07-17 17:12 --------- d-----w C:\Program Files\SigmaTel
    2008-07-17 17:12 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-17 17:04 --------- d-----w C:\Program Files\Intel
    2008-07-17 17:02 --------- d-----w C:\Program Files\CONEXANT
    2008-07-17 16:57 17,056 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
    2008-07-17 16:57 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
    2008-07-17 16:57 --------- d-----w C:\Documents and Settings\tpadmin\Application Data\Intel
    2008-07-17 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
    2008-07-17 16:54 --------- d-----w C:\Program Files\Broadcom
    2008-07-17 15:11 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    .

    ------- Sigcheck -------

    2008-01-23 18:34 53592 1f83b758355a2d3ead3552218fb78506 C:\WINDOWS\system32\wuauclt.exe
    2008-01-23 18:34 53592 01d64a90525e6f8e2ab55497e87fb535 C:\WINDOWS\system32\dllcache\wuauclt.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2008-09-07_17.39.54.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-05-02 18:22:56 385,536 ----a-w C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-24 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelWireless "= "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "IgfxTray "= "C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds "= "C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 126976]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [2005-02-03 606208]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
    "PDVDDXSrv "= "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "Realtime Monitor "= "C:\Program Files\CA\eTrustITM\realmon.exe" [2007-01-16 407632]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-07-17 6144]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=

    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-07 23:58:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
    C:\WINDOWS\system32\BAsfIpM.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\Program Files\CA\eTrustITM\Ppcl.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-08 0:01:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-08 04:01:44
    ComboFix2.txt 2008-09-08 02:54:28
    ComboFix3.txt 2008-09-08 01:40:01
    ComboFix4.txt 2008-09-08 00:58:21
    ComboFix5.txt 2008-09-08 03:50:07

    Pre-Run: 22,769,840,128 bytes free
    Post-Run: 22,778,621,952 bytes free

    193 --- E O F --- 2008-08-17 01:58:46


    Here's the MBAM log:

    Malwarebytes' Anti-Malware 1.26
    Database version: 1127
    Windows 5.1.2600 Service Pack 2

    2008-09-08 00:07:36
    mbam-log-2008-09-08 (00-07-36).txt

    Scan type: Quick Scan
    Objects scanned: 47142
    Time elapsed: 5 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    I will post a fresh RSIT log in my next post
     
  10. 2008/09/07
    jazcan
    Logfile of random's system information tool (written by random/random)
    Run by jhamilton2 at 2008-09-08 00:15:58
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 22 GB (76%) free of 29 GB
    Total RAM: 503 MB (32% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:16, on 2008-09-08
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\PROGRAM FILES\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\CA\eTrustITM\realmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\jhamilton2\My Documents\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\jhamilton2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1216320355663
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O17 - HKLM\Software\..\Telephony: DomainName = teleperformanceca.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = teleperformanceca.com
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\PROGRAM FILES\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
     
  11. 2008/09/07
    jazcan
    End of file - 7061 bytes

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
    DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2004-08-13 118842]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-07-24 2549368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [2008-08-13 734704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-07-24 2549368]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "BluetoothAuthenticationAgent"=C:\WINDOWS\system32\bthprops.cpl [2004-08-04 110592]
    "IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2004-10-30 385024]
    "IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-11-02 155648]
    "HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-11-02 126976]
    "Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2005-02-03 606208]
    "dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2004-08-13 122939]
    "UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2004-01-07 110592]
    "PDVDDXSrv"=C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2006-10-20 118784]
    "Realtime Monitor"=C:\Program Files\CA\eTrustITM\realmon.exe [2007-01-16 407632]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-24 68856]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    VPN Client.lnk - C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxsrvc.dll [2004-11-02 348160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
    C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [2004-09-07 110592]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe"="C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe:*:Enabled:igateway"
    "C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
    "C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"

    List of files/folders created in the last three months

    2008-09-08 00:15:30 ----SHD---- C:\RECYCLER
    2008-09-08 00:01:55 ----A---- C:\ComboFix.txt
    2008-09-07 23:22:40 ----D---- C:\_OTMoveIt
    2008-09-07 22:51:48 ----D---- C:\WINDOWS\system32\inf
    2008-09-07 20:10:43 ----D---- C:\WINDOWS\pss
    2008-09-07 18:26:18 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Sun
    2008-09-07 18:22:40 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-09-07 17:29:22 ----D---- C:\WINDOWS\erdnt
    2008-09-07 17:28:51 ----D---- C:\QooBox
    2008-09-07 17:28:40 ----A---- C:\WINDOWS\zip.exe
    2008-09-07 17:28:40 ----A---- C:\WINDOWS\VFind.exe
    2008-09-07 17:28:40 ----A---- C:\WINDOWS\swxcacls.exe
    2008-09-07 17:28:40 ----A---- C:\WINDOWS\swsc.exe
    2008-09-07 17:28:40 ----A---- C:\WINDOWS\swreg.exe
    2008-09-07 17:28:40 ----A---- C:\WINDOWS\sed.exe
    2008-09-07 17:28:40 ----A---- C:\WINDOWS\Nircmd.exe
    2008-09-07 17:28:40 ----A---- C:\WINDOWS\grep.exe
    2008-09-07 17:28:40 ----A---- C:\WINDOWS\fdsv.exe
    2008-09-07 14:48:49 ----D---- C:\rsit
    2008-09-07 14:33:25 ----D---- C:\Program Files\Trend Micro
    2008-08-16 21:58:42 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-08-16 21:58:28 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-08-16 21:57:32 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-08-16 21:56:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-08-16 21:56:05 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-08-16 21:54:27 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
    2008-08-16 21:53:30 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
    2008-08-05 11:30:52 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Malwarebytes
    2008-08-05 11:30:41 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-05 11:30:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-05 09:34:19 ----D---- C:\WINDOWS\Minidump
    2008-07-28 16:03:23 ----D---- C:\Program Files\MSECache
    2008-07-28 15:53:25 ----D---- C:\Program Files\Common Files\Adobe
    2008-07-28 15:53:25 ----D---- C:\Program Files\Adobe
    2008-07-28 15:43:07 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Adobe
    2008-07-28 15:26:37 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-07-27 01:38:29 ----D---- C:\WINDOWS\system32\LogFiles
    2008-07-25 10:35:15 ----D---- C:\Program Files\Audacity
    2008-07-25 10:17:28 ----D---- C:\Program Files\CallCopy
    2008-07-24 10:44:58 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Google
    2008-07-24 10:44:52 ----D---- C:\Documents and Settings\All Users\Application Data\Google
    2008-07-24 10:44:27 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
    2008-07-24 10:44:24 ----D---- C:\Program Files\Google
    2008-07-17 22:48:34 ----HDC---- C:\WINDOWS\$NtUninstallKB925454$
    2008-07-17 22:48:08 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2008-07-17 22:47:04 ----A---- C:\WINDOWS\system32\MRT.exe
    2008-07-17 22:46:50 ----HDC---- C:\WINDOWS\$NtUninstallKB937894$
    2008-07-17 22:46:40 ----HDC---- C:\WINDOWS\$NtUninstallKB931784$
    2008-07-17 22:46:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
    2008-07-17 22:46:07 ----HDC---- C:\WINDOWS\$NtUninstallKB923689$
    2008-07-17 22:45:36 ----HDC---- C:\WINDOWS\$NtUninstallKB910437$
    2008-07-17 22:45:30 ----HDC---- C:\WINDOWS\$NtUninstallKB930178$
    2008-07-17 22:45:24 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
    2008-07-17 22:44:43 ----HDC---- C:\WINDOWS\$NtUninstallKB950759$
    2008-07-17 22:44:33 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
    2008-07-17 22:44:27 ----HDC---- C:\WINDOWS\$NtUninstallKB943485$
    2008-07-17 22:44:21 ----HDC---- C:\WINDOWS\$NtUninstallKB886185$
    2008-07-17 22:44:10 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
    2008-07-17 22:43:54 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
    2008-07-17 22:43:38 ----HDC---- C:\WINDOWS\$NtUninstallKB944653$
    2008-07-17 22:04:45 ----HDC---- C:\WINDOWS\$NtUninstallKB942763$
    2008-07-17 22:04:12 ----HDC---- C:\WINDOWS\$NtUninstallKB930916$
    2008-07-17 22:02:54 ----D---- C:\Documents and Settings\jhamilton2\Application Data\acccore
    2008-07-17 18:31:39 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
    2008-07-17 16:51:47 ----N---- C:\WINDOWS\system32\tzchange.exe
    2008-07-17 16:36:39 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-17 16:36:37 ----D---- C:\Program Files\Viewpoint
    2008-07-17 16:36:37 ----D---- C:\Documents and Settings\All Users\Application Data\acccore
    2008-07-17 16:36:26 ----D---- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-07-17 16:36:26 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
    2008-07-17 16:36:07 ----D---- C:\Program Files\Common Files\AOL
    2008-07-17 16:35:43 ----D---- C:\Program Files\AIM6
    2008-07-17 16:21:28 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Sonic
    2008-07-17 16:21:04 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Identities
    2008-07-17 16:20:50 ----D---- C:\Documents and Settings\jhamilton2\Application Data\Intel
    2008-07-17 16:20:45 ----ASH---- C:\Documents and Settings\jhamilton2\Application Data\desktop.ini
    2008-07-17 16:20:44 ----SD---- C:\Documents and Settings\jhamilton2\Application Data\Microsoft
    2008-07-17 16:16:50 ----D---- C:\WINDOWS\Internet Logs
    2008-07-17 16:15:58 ----A---- C:\WINDOWS\system32\dneinobj.dll
    2008-07-17 16:15:30 ----D---- C:\Program Files\Common Files\Deterministic Networks
    2008-07-17 16:15:27 ----D---- C:\Program Files\Cisco Systems
    2008-07-17 16:13:53 ----D---- C:\vpnclient-win-msi-5.0.03.0530-k9
    2008-07-17 16:02:46 ----A---- C:\WINDOWS\system32\Primomonnt.dll
    2008-07-17 16:02:39 ----D---- C:\WINDOWS\PrimoPDF4
    2008-07-17 16:02:39 ----D---- C:\Program Files\activePDF
    2008-07-17 15:55:28 ----RSD---- C:\WINDOWS\assembly
    2008-07-17 15:53:27 ----D---- C:\WINDOWS\Microsoft.NET
    2008-07-17 15:05:45 ----A---- C:\WINDOWS\PrimoPDF Setup Log.txt
    2008-07-17 15:05:04 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-07-17 14:56:56 ----D---- C:\WINDOWS\system32\PreInstall
    2008-07-17 14:56:55 ----A---- C:\WINDOWS\system32\spupdsvc.exe
    2008-07-17 14:56:54 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
    2008-07-17 14:41:39 ----A---- C:\WINDOWS\ODBC.INI
    2008-07-17 14:41:15 ----A---- C:\WINDOWS\system32\mdimon.dll
    2008-07-17 14:38:15 ----D---- C:\Program Files\Microsoft.NET
    2008-07-17 14:37:48 ----D---- C:\Program Files\Microsoft ActiveSync
    2008-07-17 14:36:23 ----D---- C:\Program Files\Common Files\DESIGNER
    2008-07-17 14:35:43 ----D---- C:\WINDOWS\SHELLNEW
    2008-07-17 14:34:16 ----D---- C:\Program Files\Microsoft Office
    2008-07-17 14:32:23 ----RHD---- C:\MSOCache
    2008-07-17 14:30:10 ----D---- C:\Program Files\CA
    2008-07-17 14:30:04 ----A---- C:\install_itm.bat
    2008-07-17 14:26:29 ----D---- C:\WINDOWS\SchCache
    2008-07-17 14:25:52 ----A---- C:\WINDOWS\system32\wmpns.dll
    2008-07-17 14:25:00 ----D---- C:\Documents and Settings\All Users\Application Data\Dell
    2008-07-17 14:24:48 ----A---- C:\WINDOWS\system32\msxml4a.dll
    2008-07-17 14:24:31 ----A---- C:\WINDOWS\system32\msvcr71.dll
    2008-07-17 14:24:31 ----A---- C:\WINDOWS\system32\msvcp71.dll
    2008-07-17 14:24:31 ----A---- C:\WINDOWS\system32\MFC71u.dll
    2008-07-17 14:24:31 ----A---- C:\WINDOWS\system32\MFC71.dll
    2008-07-17 14:24:30 ----D---- C:\Program Files\CyberLink
    2008-07-17 14:24:30 ----A---- C:\WINDOWS\system32\atl71.dll
    2008-07-17 14:17:22 ----D---- C:\Program Files\Common Files\Sonic
    2008-07-17 14:16:37 ----D---- C:\Program Files\Common Files\SureThing Shared
    2008-07-17 14:16:01 ----D---- C:\WINDOWS\system32\dla
    2008-07-17 14:16:01 ----A---- C:\WINDOWS\wininit.ini
    2008-07-17 14:16:01 ----A---- C:\WINDOWS\system32\tfswapi.dll
    2008-07-17 14:16:01 ----A---- C:\WINDOWS\dla.exe
    2008-07-17 14:16:00 ----D---- C:\Program Files\Sonic
    2008-07-17 14:15:03 ----D---- C:\WINDOWS\Sun
    2008-07-17 14:14:01 ----D---- C:\WINDOWS\system32\SoftwareDistribution
    2008-07-17 14:11:58 ----SHD---- C:\WINDOWS\CSC
    2008-07-17 14:09:12 ----D---- C:\Program Files\Dell
    2008-07-17 14:08:45 ----D---- C:\WINDOWS\Downloaded Installations
    2008-07-17 13:16:24 ----D---- C:\Program Files\Modem Helper
    2008-07-17 13:16:17 ----A---- C:\WINDOWS\system32\javaw.exe
    2008-07-17 13:16:17 ----A---- C:\WINDOWS\system32\java.exe
    2008-07-17 13:15:48 ----D---- C:\Program Files\Java
    2008-07-17 13:15:46 ----D---- C:\Program Files\Dell Computer Corporation
    2008-07-17 13:15:46 ----D---- C:\Program Files\Common Files\Java
    2008-07-17 13:12:52 ----A---- C:\WINDOWS\system32\ksuser.dll
    2008-07-17 13:12:44 ----A---- C:\WINDOWS\system32\stac97co.dll
    2008-07-17 13:12:43 ----D---- C:\Program Files\SigmaTel
    2008-07-17 13:08:04 ----A---- C:\WINDOWS\system32\igfxres.dll
    2008-07-17 13:03:24 ----D---- C:\WINDOWS\system32\ReinstallBackups
    2008-07-17 13:02:28 ----D---- C:\Program Files\CONEXANT
    2008-07-17 13:02:22 ----A---- C:\WINDOWS\system32\mdmxsdk.dll
    2008-07-17 13:02:22 ----A---- C:\WINDOWS\system32\HSFCI010.dll
    2008-07-17 12:57:08 ----A---- C:\WINDOWS\system32\results.txt
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\oemdspif.dll
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\igfxzoom.exe
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\igfxtray.exe
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\igfxsrvc.dll
    2008-07-17 12:56:58 ----A---- C:\WINDOWS\system32\igfxress.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxpph.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxhk.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxext.exe
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxexps.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxeud.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxdo.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxdiag.exe
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxdgps.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxdev.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\igfxcfg.exe
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\ialmrnt5.dll
    2008-07-17 12:56:57 ----A---- C:\WINDOWS\system32\ialmrem.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmgicd.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmgdev.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmdnt5.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmdev5.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\ialmdd5.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\iAlmCoIn_v3943.dll
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\hkcmd.exe
    2008-07-17 12:56:56 ----A---- C:\WINDOWS\system32\hccutils.dll
    2008-07-17 12:56:43 ----D---- C:\Documents and Settings\All Users\Application Data\Intel
    2008-07-17 12:55:46 ----A---- C:\WINDOWS\system32\W29MLRES.DLL
    2008-07-17 12:55:33 ----D---- C:\Program Files\Intel
    2008-07-17 12:54:29 ----D---- C:\Program Files\Broadcom
    2008-07-17 12:53:01 ----RA---- C:\WINDOWS\system32\hhactivex.dll
    2008-07-17 12:53:01 ----A---- C:\WINDOWS\system32\RcdScan.dll
    2008-07-17 12:52:58 ----A---- C:\WINDOWS\system32\VB5DB.DLL
    2008-07-17 12:52:56 ----HD---- C:\Program Files\InstallShield Installation Information
    2008-07-17 12:52:46 ----D---- C:\Program Files\Common Files\InstallShield
    2008-07-17 12:45:55 ----HD---- C:\Program Files\Uninstall Information
    2008-07-17 12:43:48 ----D---- C:\WINDOWS\SoftwareDistribution
    2008-07-17 12:43:47 ----D---- C:\WINDOWS\Prefetch
    2008-07-17 12:43:46 ----SD---- C:\WINDOWS\system32\Microsoft
    2008-07-17 12:43:46 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-07-17 11:11:43 ----D---- C:\WINDOWS\system32\xircom
    2008-07-17 11:11:43 ----D---- C:\Program Files\xerox
    2008-07-17 11:11:43 ----D---- C:\Program Files\microsoft frontpage
    2008-07-17 11:11:23 ----D---- C:\DELL
    2008-07-17 11:11:07 ----N---- C:\WINDOWS\system32\spmsg.dll
    2008-07-17 11:11:05 ----HD---- C:\WINDOWS\$hf_mig$
    2008-07-17 11:11:03 ----A---- C:\WINDOWS\system32\xpsp3res.dll
    2008-07-17 11:10:45 ----A---- C:\WINDOWS\control.ini
    2008-07-17 11:10:45 ----A---- C:\AUTOEXEC.BAT
    2008-07-17 11:10:24 ----A---- C:\WINDOWS\OEWABLog.txt
    2008-07-17 11:10:19 ----A---- C:\WINDOWS\system32\mapi32.dll
    2008-07-17 11:08:53 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-07-17 11:08:53 ----RD---- C:\WINDOWS\Offline Web Pages
    2008-07-17 11:08:53 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
    2008-07-17 11:08:44 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
    2008-07-17 11:08:37 ----HD---- C:\Program Files\WindowsUpdate
    2008-07-17 11:08:07 ----D---- C:\WINDOWS\system32\DirectX
    2008-07-17 11:07:41 ----A---- C:\WINDOWS\system32\atrace.dll
    2008-07-17 11:07:37 ----A---- C:\WINDOWS\system32\desktop.ini
    2008-07-17 11:07:37 ----A---- C:\WINDOWS\desktop.ini
    2008-07-17 11:07:29 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
    2008-07-17 11:07:27 ----A---- C:\WINDOWS\system32\acctres.dll
    2008-07-17 11:07:26 ----D---- C:\Program Files\Common Files\Services
    2008-07-17 11:07:23 ----SD---- C:\WINDOWS\Tasks
    2008-07-17 11:07:23 ----A---- C:\WINDOWS\system32\icfgnt5.dll
    2008-07-17 11:07:22 ----D---- C:\Program Files\Common Files\MSSoap
    2008-07-17 11:07:17 ----D---- C:\WINDOWS\srchasst
    2008-07-17 11:07:16 ----D---- C:\WINDOWS\system32\Macromed
    2008-07-17 11:07:12 ----A---- C:\WINDOWS\system32\wuweb.dll
    2008-07-17 11:07:12 ----A---- C:\WINDOWS\system32\wucltui.dll
    2008-07-17 11:07:12 ----A---- C:\WINDOWS\system32\wuauserv.dll
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wups.dll
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wuaueng1.dll
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wuaueng.dll
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wuauclt1.exe
    2008-07-17 11:07:11 ----A---- C:\WINDOWS\system32\wuauclt.exe
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\wuapi.dll
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\qmgr.dll
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\bitsprx3.dll
    2008-07-17 11:07:10 ----A---- C:\WINDOWS\system32\bitsprx2.dll
    2008-07-17 11:07:05 ----D---- C:\Program Files\Movie Maker
    2008-07-17 11:07:00 ----A---- C:\WINDOWS\system32\safrslv.dll
    2008-07-17 11:07:00 ----A---- C:\WINDOWS\system32\safrdm.dll
    2008-07-17 11:07:00 ----A---- C:\WINDOWS\system32\safrcdlg.dll
    2008-07-17 11:07:00 ----A---- C:\WINDOWS\system32\racpldlg.dll
    2008-07-17 11:06:56 ----A---- C:\WINDOWS\system32\fltMc.exe
    2008-07-17 11:06:56 ----A---- C:\WINDOWS\system32\fltlib.dll
    2008-07-17 11:06:55 ----D---- C:\WINDOWS\system32\Restore
    2008-07-17 11:06:55 ----A---- C:\WINDOWS\system32\srsvc.dll
    2008-07-17 11:06:55 ----A---- C:\WINDOWS\system32\srrstr.dll
    2008-07-17 11:06:55 ----A---- C:\WINDOWS\system32\srclient.dll
    2008-07-17 11:06:54 ----A---- C:\WINDOWS\system32\mnmdd.dll
    2008-07-17 11:06:54 ----A---- C:\WINDOWS\system32\isrdbg32.dll
    2008-07-17 11:06:54 ----A---- C:\WINDOWS\system32\ils.dll
    2008-07-17 11:06:53 ----A---- C:\WINDOWS\system32\nmmkcert.dll
    2008-07-17 11:06:53 ----A---- C:\WINDOWS\system32\msconf.dll
    2008-07-17 11:06:53 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
    2008-07-17 11:06:50 ----D---- C:\Program Files\NetMeeting
    2008-07-17 11:06:50 ----A---- C:\WINDOWS\system32\msoert2.dll
    2008-07-17 11:06:49 ----A---- C:\WINDOWS\system32\msoeacct.dll
    2008-07-17 11:06:48 ----A---- C:\WINDOWS\system32\inetres.dll
    2008-07-17 11:06:48 ----A---- C:\WINDOWS\system32\inetcomm.dll
    2008-07-17 11:06:45 ----D---- C:\Program Files\Outlook Express
    2008-07-17 11:06:45 ----A---- C:\WINDOWS\system32\schedsvc.dll
    2008-07-17 11:06:45 ----A---- C:\WINDOWS\system32\mstinit.exe
    2008-07-17 11:06:45 ----A---- C:\WINDOWS\system32\mstask.dll
    2008-07-17 11:06:44 ----A---- C:\WINDOWS\system32\isign32.dll
    2008-07-17 11:06:44 ----A---- C:\WINDOWS\system32\inetcfg.dll
    2008-07-17 11:06:44 ----A---- C:\WINDOWS\system32\icwphbk.dll
    2008-07-17 11:06:44 ----A---- C:\WINDOWS\system32\icwdial.dll
    2008-07-17 11:06:37 ----D---- C:\Program Files\Common Files\System
    2008-07-17 11:06:33 ----D---- C:\Program Files\Internet Explorer
    2008-07-17 11:05:45 ----D---- C:\Program Files\ComPlus Applications
    2008-07-17 11:05:42 ----A---- C:\WINDOWS\vbaddin.ini
    2008-07-17 11:05:42 ----A---- C:\WINDOWS\vb.ini
    2008-07-17 11:05:35 ----D---- C:\WINDOWS\Registration
    2008-07-17 11:05:24 ----D---- C:\Program Files\Windows Media Player
    2008-07-17 11:05:24 ----D---- C:\Program Files\Online Services
    2008-07-17 11:05:15 ----D---- C:\Program Files\Messenger
    2008-07-17 11:05:10 ----D---- C:\Program Files\MSN Gaming Zone
    2008-07-17 11:05:10 ----A---- C:\WINDOWS\system32\write.exe
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\sndvol32.exe
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\hticons.dll
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\avwav.dll
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\avtapi.dll
    2008-07-17 11:04:57 ----A---- C:\WINDOWS\system32\avmeter.dll
    2008-07-17 11:04:56 ----A---- C:\WINDOWS\system32\winchat.exe
    2008-07-17 11:04:47 ----A---- C:\WINDOWS\system32\getuname.dll
    2008-07-17 11:04:47 ----A---- C:\WINDOWS\system32\charmap.exe
    2008-07-17 11:04:46 ----A---- C:\WINDOWS\system32\winmine.exe
    2008-07-17 11:04:46 ----A---- C:\WINDOWS\system32\sol.exe
    2008-07-17 11:04:46 ----A---- C:\WINDOWS\system32\calc.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\usrlogon.cmd
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\tsshutdn.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\tskill.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\reset.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\mshearts.exe
    2008-07-17 11:04:45 ----A---- C:\WINDOWS\system32\freecell.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\tslabels.ini
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\tsdiscon.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\tscon.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\shadow.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\rwinsta.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\regini.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\qwinsta.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\qappsrv.exe
    2008-07-17 11:04:44 ----A---- C:\WINDOWS\system32\msg.exe
    2008-07-17 11:04:43 ----A---- C:\WINDOWS\system32\msdtcprf.ini
    2008-07-17 11:04:43 ----A---- C:\WINDOWS\system32\logoff.exe
    2008-07-17 11:04:43 ----A---- C:\WINDOWS\system32\cdmodem.dll
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\mtxlegih.dll
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\mtxex.dll
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\mtxdm.dll
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
    2008-07-17 11:04:42 ----A---- C:\WINDOWS\system32\comaddin.dll
    2008-07-17 11:04:41 ----A---- C:\WINDOWS\system32\stclient.dll
    2008-07-17 11:04:41 ----A---- C:\WINDOWS\system32\comsnap.dll
    2008-07-17 11:04:41 ----A---- C:\WINDOWS\system32\comrepl.dll
    2008-07-17 11:04:34 ----A---- C:\WINDOWS\system32\wmimgmt.msc
    2008-07-17 11:04:20 ----D---- C:\Program Files\MSN
    2008-07-17 11:04:19 ----A---- C:\WINDOWS\system32\accwiz.exe
    2008-07-17 11:04:18 ----A---- C:\WINDOWS\system32\sndrec32.exe
    2008-07-17 11:04:18 ----A---- C:\WINDOWS\system32\mplay32.exe
    2008-07-17 11:04:18 ----A---- C:\WINDOWS\system32\hypertrm.dll
    2008-07-17 11:04:17 ----D---- C:\Program Files\Windows NT
    2008-07-17 11:04:17 ----A---- C:\WINDOWS\system32\mspaint.exe
    2008-07-17 11:04:17 ----A---- C:\WINDOWS\system32\clipbrd.exe
    2008-07-17 11:04:16 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
    2008-07-17 11:04:16 ----A---- C:\WINDOWS\system32\spider.exe
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\sessmgr.exe
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\remotepg.dll
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\rdshost.exe
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\rdsaddin.exe
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\rdchost.dll
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\mstscax.dll
    2008-07-17 11:04:15 ----A---- C:\WINDOWS\system32\mstsc.exe
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\tscupgrd.exe
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\termsrv.dll
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\rdpwsx.dll
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\rdpsnd.dll
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\rdpclip.exe
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\qprocess.exe
    2008-07-17 11:04:14 ----A---- C:\WINDOWS\system32\icaapi.dll
    2008-07-17 11:04:13 ----D---- C:\WINDOWS\system32\MsDtc
    2008-07-17 11:04:13 ----A---- C:\WINDOWS\system32\mtxoci.dll
    2008-07-17 11:04:13 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
    2008-07-17 11:04:13 ----A---- C:\WINDOWS\system32\msdtcprx.dll
    2008-07-17 11:04:13 ----A---- C:\WINDOWS\system32\cfgbkend.dll
    2008-07-17 11:04:12 ----A---- C:\WINDOWS\system32\xolehlp.dll
    2008-07-17 11:04:12 ----A---- C:\WINDOWS\system32\msdtctm.dll
    2008-07-17 11:04:12 ----A---- C:\WINDOWS\system32\msdtclog.dll
    2008-07-17 11:04:12 ----A---- C:\WINDOWS\system32\msdtc.exe
    2008-07-17 11:04:11 ----D---- C:\WINDOWS\system32\Com
    2008-07-17 11:04:11 ----A---- C:\WINDOWS\system32\colbact.dll
    2008-07-17 11:04:11 ----A---- C:\WINDOWS\system32\clbcatex.dll
    2008-07-17 11:04:11 ----A---- C:\WINDOWS\system32\catsrvps.dll
    2008-07-17 11:04:10 ----A---- C:\WINDOWS\system32\catsrvut.dll
    2008-07-17 11:04:10 ----A---- C:\WINDOWS\system32\catsrv.dll
    2008-07-17 11:04:09 ----A---- C:\WINDOWS\system32\comuid.dll
    2008-07-17 11:04:09 ----A---- C:\WINDOWS\system32\comsvcs.dll
    2008-07-17 11:04:09 ----A---- C:\WINDOWS\system32\clbcatq.dll
    2008-07-17 11:04:01 ----A---- C:\WINDOWS\system32\servdeps.dll
    2008-07-17 11:04:01 ----A---- C:\WINDOWS\system32\mmfutil.dll
    2008-07-17 11:04:01 ----A---- C:\WINDOWS\system32\licwmi.dll
    2008-07-17 11:04:01 ----A---- C:\WINDOWS\system32\cmprops.dll
    2008-07-17 07:01:19 ----A---- C:\WINDOWS\system32\h323log.txt
    2008-07-16 13:52:40 ----A---- C:\WINDOWS\system32\irmon.dll
    2008-07-16 13:52:39 ----A---- C:\WINDOWS\system32\wshirda.dll
    2008-07-16 13:52:39 ----A---- C:\WINDOWS\system32\irftp.exe
    2008-07-16 13:50:41 ----A---- C:\WINDOWS\system32\usbui.dll
    2008-07-16 13:47:55 ----A---- C:\WINDOWS\imsins.BAK
    2008-07-16 13:47:50 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2008-07-16 13:47:49 ----SHD---- C:\WINDOWS\Installer
    2008-07-16 13:47:48 ----D---- C:\Program Files\Common Files\ODBC
    2008-07-16 13:47:48 ----A---- C:\WINDOWS\ODBCINST.INI
    2008-07-16 13:47:43 ----D---- C:\Program Files\Common Files\SpeechEngines
    2008-07-16 13:47:42 ----RD---- C:\Program Files
    2008-07-16 13:47:42 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2008-07-16 13:47:42 ----D---- C:\Program Files\Common Files
    2008-07-16 13:47:36 ----RA---- C:\WINDOWS\system32\kbdtuq.dll
    2008-07-16 13:47:36 ----RA---- C:\WINDOWS\system32\kbdtuf.dll
    2008-07-16 13:47:36 ----RA---- C:\WINDOWS\system32\kbdazel.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbduzb.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdtat.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdmon.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdkyr.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdkaz.dll
    2008-07-16 13:47:33 ----RA---- C:\WINDOWS\system32\kbdaze.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdycc.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdur.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdru1.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdru.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdbu.dll
    2008-07-16 13:47:32 ----RA---- C:\WINDOWS\system32\kbdblr.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhept.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhela3.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhela2.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhe319.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhe220.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdhe.dll
    2008-07-16 13:47:29 ----RA---- C:\WINDOWS\system32\kbdgkl.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdlv1.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdlv.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdlt1.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdlt.dll
    2008-07-16 13:47:26 ----RA---- C:\WINDOWS\system32\kbdest.dll
    2008-07-16 13:47:23 ----RA---- C:\WINDOWS\system32\kbdsl1.dll
    2008-07-16 13:47:23 ----RA---- C:\WINDOWS\system32\kbdsl.dll
    2008-07-16 13:47:23 ----RA---- C:\WINDOWS\system32\kbdro.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdycl.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdpl1.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdpl.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdhu1.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdhu.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdcz2.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdcz1.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdcz.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\kbdcr.dll
    2008-07-16 13:47:22 ----RA---- C:\WINDOWS\system32\KBDAL.DLL
    2008-07-16 13:47:17 ----A---- C:\WINDOWS\system32\irclass.dll
    2008-07-16 13:47:17 ----A---- C:\WINDOWS\system32\dgsetup.dll
    2008-07-16 13:47:17 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
    2008-07-16 13:47:16 ----A---- C:\WINDOWS\system32\spxcoins.dll
    2008-07-16 13:47:16 ----A---- C:\WINDOWS\system32\EqnClass.Dll
    2008-07-16 13:47:13 ----A---- C:\WINDOWS\TASKMAN.EXE
    2008-07-16 13:47:12 ----N---- C:\WINDOWS\system32\CONFIG.TMP
    2008-07-16 13:47:12 ----A---- C:\WINDOWS\system32\batt.dll
    2008-07-16 13:47:11 ----A---- C:\WINDOWS\NOTEPAD.EXE
    2008-07-16 13:47:05 ----A---- C:\WINDOWS\system32\storprop.dll
    2008-07-16 13:46:48 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
    2008-07-16 13:46:48 ----RA---- C:\WINDOWS\SET2A.tmp
    2008-07-16 13:46:47 ----RA---- C:\WINDOWS\SET29.tmp
    2008-07-16 13:46:39 ----RA---- C:\WINDOWS\SET8.tmp
    2008-07-16 13:46:35 ----RA---- C:\WINDOWS\SET4.tmp
    2008-07-16 13:46:32 ----RA---- C:\WINDOWS\SET3.tmp
    2008-07-16 13:46:21 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-07-16 13:46:21 ----D---- C:\WINDOWS\system32\CatRoot
    2008-07-16 13:46:15 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2008-07-16 13:45:46 ----A---- C:\WINDOWS\setuplog.txt
    2008-07-16 13:45:40 ----D---- C:\Documents and Settings
    2008-07-16 13:44:44 ----SH---- C:\boot.ini
    2008-07-16 13:38:23 ----SHD---- C:\System Volume Information
    2008-07-16 13:29:21 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2008-07-16 13:29:21 ----RSD---- C:\WINDOWS\Fonts
    2008-07-16 13:29:21 ----RD---- C:\WINDOWS\Web
    2008-07-16 13:29:21 ----HD---- C:\WINDOWS\inf
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\WinSxS
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\twain_32
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Temp
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\wins
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\wbem
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\usmt
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\spool
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\ShellExt
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\Setup
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\ras
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\oobe
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\npp
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\mui
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\inetsrv
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\IME
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\icsxml
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\ias
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\export
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\drivers
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\dhcp
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\config
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\3com_dmi
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\3076
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\2052
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1054
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1042
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1041
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1037
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1033
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1031
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1028
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32\1025
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system32
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\system
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\security
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Resources
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\repair
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Provisioning
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\PeerNet
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\pchealth
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\mui
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\msapps
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\msagent
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Media
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\java
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\ime
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Help
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\ehome
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Driver Cache
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\dell
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Debug
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Cursors
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Connection Wizard
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\Config
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\AppPatch
    2008-07-16 13:29:21 ----D---- C:\WINDOWS\addins
    2008-07-16 13:29:21 ----D---- C:\WINDOWS
     
  12. 2008/09/07
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    List of drivers


    List of services


    -----------------EOF-----------------
     
  13. 2008/09/07
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    When I try to shut down windows still just hangs and I have to physically turn it off.
    When it boots back up this is the message that the Etrust Antivirus displays in three separate boxes:

    The Win32/SillyDl.FBJ was detected in C:\WINDOWS\TEMP\AS.EXE.
    Machine: EBCKL-HV0CM91, User: System.
    Status: File was cured; system cure performed.

    The Win32/Hitpop!generic was detected in C:\WINDOWS\WFTADFI16_080906A.DLL.
    Machine: EBCKL-HV0CM91, User: System.
    Status: File was cured; system cure performed.

    The Win32/Hitpop!generic was detected in C:\WINDOWS\SYSTEM32\INF\SCSYS16_080906.DLL.
    Machine: EBCKL-HV0CM91, User: System.
    Status: File was cured; system cure performed.

    Then, after a bit another box pops up stating that I have to restart the computer to finish the removal process but it never shuts down and when booted up again, the same messages appear.
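As an added example (not from the thread, and not eTrust's own tooling), the three alert boxes above are used as constructed sample input: a small parser for that alert format, plus a check for paths that come back "cured" on boot after boot, which is the pattern the rest of the thread describes and the usual sign that something still running is re-creating the files. The extra one-off alert path is a placeholder.

```python
import re
from collections import Counter

# Constructed sample: the three alerts quoted in the post, as eTrust shows them.
BOOT_ALERTS = r"""
The Win32/SillyDl.FBJ was detected in C:\WINDOWS\TEMP\AS.EXE.
Machine: EBCKL-HV0CM91, User: System.
Status: File was cured; system cure performed.

The Win32/Hitpop!generic was detected in C:\WINDOWS\WFTADFI16_080906A.DLL.
Machine: EBCKL-HV0CM91, User: System.
Status: File was cured; system cure performed.

The Win32/Hitpop!generic was detected in C:\WINDOWS\SYSTEM32\INF\SCSYS16_080906.DLL.
Machine: EBCKL-HV0CM91, User: System.
Status: File was cured; system cure performed.
"""

# Constructed: a second boot repeats the same three (with a differently cased
# path, as the thread itself writes TEMP and Temp), plus a placeholder alert
# that is seen only once.
ONE_OFF_ALERT = r"""
The Win32/PLACEHOLDER.Once was detected in C:\EXAMPLE\ONE-OFF.EXE.
Machine: EBCKL-HV0CM91, User: System.
Status: File was cured; system cure performed.
"""
SAMPLE_ALERTS = BOOT_ALERTS + BOOT_ALERTS.replace("TEMP", "Temp") + ONE_OFF_ALERT

# One alert block: threat name, path, machine, user and status on three lines.
ALERT_RE = re.compile(
    r"The (?P<threat>\S+) was detected in (?P<path>.+?)\.\s*"
    r"Machine: (?P<machine>[^,]+), User: (?P<user>[^.\n]+)\.\s*"
    r"Status: (?P<status>.+?)\.?$",
    re.MULTILINE,
)


def parse_alerts(text):
    """Return one dict per alert block, in the order they appear."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]


def recurring_detections(alerts, min_count=2):
    """Map normalised path -> how many times it was reported 'cured'.

    Windows paths are case-insensitive, so TEMP\\AS.EXE and Temp\\AS.EXE are
    the same file; a file cured more than once was re-created in between.
    """
    counts = Counter(
        a["path"].lower()
        for a in alerts
        if a["status"].lower().startswith("file was cured")
    )
    return {path: n for path, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for path, n in sorted(recurring_detections(parse_alerts(SAMPLE_ALERTS)).items()):
        print(f"{n}x cured, keeps coming back: {path}")
```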
     
  14. 2008/09/07
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    The files:
    dwbins and mfrj are now back in the windows temp file as well :-( so it appears to be recreated every time I boot up.
     
  15. 2008/09/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK I'll make a fix.

    Thanks
    Geri
     
  16. 2008/09/07
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    Thanks Geri,
    I really appreciate this :)
     
  17. 2008/09/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    OK, let's delete them manually

    Enable the 'Show Hidden Files/Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\TEMP\AS.EXE
    C:\WINDOWS\Temp\dwbins.exe
    C:\WINDOWS\Temp\mfrj.exe
    C:\WINDOWS\WFTADFI16_080906A.DLL
    C:\WINDOWS\SYSTEM32\INF\SCSYS16_080906.DLL



    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


    After that, Reboot.

    Let me know if you still get the warning.

    Thanks
     
  18. 2008/09/08
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    The only two files I could find were the dwbins and the mfrj and it would NOT let me delete them....said they were in use and access denied.
    I'm assuming that is why the anti-virus program wants to reboot to remove them before they load.
    Could I delete them in safe mode?
     
  19. 2008/09/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Could I delete them in safe mode?

    Yes
     
  20. 2008/09/08
    jazcan Lifetime Subscription

    jazcan Inactive Thread Starter

    Joined:
    2002/05/05
    Messages:
    216
    Likes Received:
    0
    Hey Geri,
    Sorry I didn't respond last night but last night turned into this morning for me (haha). I was up all night and I tried everything I could think of but NOTHING worked. My husband leaves for the airport in 15 minutes so there's nothing more I can do.

    When I booted into safe mode the files were no longer there, so there was nothing to delete. I did run Malwarebytes in safe mode and it found even more trojan agents than the first time. When I cleaned the computer in safe mode and when it booted back up, all seemed o.k. but once I had to shut down from normal mode, it hung, I had to power off and when it rebooted the trojan was back.
    The homepage kept being hijacked even if I deleted the entry in hijackthis. The option to use "current page" for the default was also greyed out.

    I tried disabling running processes before shutting down, etc but nothing seemed to stop it. I also ran another Trend Micro housecall scan in normal mode and it found the same troj downloader which it supposedly removed. The Etrust anti-virus kept on popping up with the same messages that it found 3 viruses. It appeared to delete them but then they would show up again.

    On another note, I thought something might have been related to the google toolbar so when I went to remove it from add/remove programs.....NOTHING showed. The box was blank (there were no programs showing in the add/remove box) and I had to uninstall the toolbar through its settings option. Even after I uninstalled it, there were instances of it running. I removed them through HJT and they still appeared on the next reboot.

    Windows update was also NOT working. There were a half a dozen instances of update running in the processes so I thought that might be causing the shut down problem. When I ended all of those processes the computer still wouldn't shut down.

    Sooooo, I'm stumped. I'm going to try and search it out a bit more today. Of course, even if I find the solution I don't have the computer in front of me anymore.

    I would normally never resort to reformatting and reinstalling windows, but in this case, it might be the only way to get rid of this. If it comes to that, I'll let the IT guys at his company take care of that :)

    Anyway, I just wanted to say THANK YOU for all of the time and effort you put into helping me. This morning I signed up for my lifetime subscription to windowsbbs. Like I said previously, I have been coming here for 6 years and have always received excellent advice.

    You guys/gals are awesome and I recommend this forum over all others for windows help.

    Thanks so much again for all of your help!
    I'll let you know if we ever do get the computer fixed....one way or another (haha).
     
  21. 2008/09/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jazcan
    OK, thanks for hanging in there.
    Please let us know when you can work on it again, I will have Dave come in and take over.
    He has been doing this for many more years than I have and I'm sure he can get this off the system.

    Let us know.

    Geri
     