
Active Windows cannot find logon.exe

Discussion in 'Malware and Virus Removal Archive' started by zhshqzyc, 2009/07/09.

  1. 2009/07/09
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    [Active] Windows cannot find logon.exe

    When I turn on the computer and log in to my account, a message pops up.
    "Windows cannot find logon.exe. ..... "

    I downloaded several anti-malware programs, but I need to get a license to remove the worm.

    One program, Prevx, found that the threat is lpadeg32.dll, which is in c:\windows\system32, and it also pointed out that the registry key is in
    Machine\Software\...

    What I did was delete the registry key only; the dll file is still there.

    When I restart the machine, the error is still there.

    I need help. Does anybody know how to remove it, or do you have a better way?

    Thanks
     
  2. 2009/07/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Read this post, then post the requested log(s).
     


  4. 2009/07/10
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    DDS (Ver_09-06-26.01) - NTFSx86
    Run by hzhao at 13:33:37.60 on Fri 07/10/2009
    Internet Explorer: 6.0.2900.5508
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2338 [GMT -4:00]

    AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\Prevx\prevx.exe
    C:\Program Files\Dell Network Assistant\hnm_svc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\Program Files\Prevx\prevx.exe
    C:\Program Files\RegCure\RegCure.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\WINDOWS\OEM02Mon.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    G:\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bing.com/
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080317
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page = hxxp://www.google.com
    mStart Page = hxxp://www.dell.com
    mSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    mWinlogon: Shell=Explorer.exe logon.exe
    BHO: SuperAdBlockerBHO Class: {00000000-6c30-11d8-9363-000ae6309654} - c:\program files\superadblocker.com\super ad blocker\SABBHO.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: Super Ad Blocker Toolbar: {b4b3001e-0f56-4e51-8250-bde11547ec55} - c:\program files\superadblocker.com\super ad blocker\sabtb.dll
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SuperAdBlocker] c:\program files\superadblocker.com\super ad blocker\SAdBlock.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe "
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe "
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe "
    mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe "
    mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-5.1.18.0\QOELoader.exe "
    mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe "
    mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
    mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
    mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [Google IME Autoupdater] "c:\program files\google\google pinyin\GooglePinyinDaemon.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe "
    mRun: [KADxMain] c:\windows\system32\KADxMain.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    mPolicies-system: DisableCAD = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    LSP: c:\windows\system32\VetRedir.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206723978061
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    Notify: !SABWinLogon - c:\program files\superadblocker.com\super ad blocker\SABWINLO.DLL
    Notify: PFW - UmxWnp.Dll
    {9dcb0ae8-633c-b1d2-29e1-3a811115121a}
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000d7} - c:\program files\superadblocker.com\super ad blocker\SABSEHB.DLL

    ============= SERVICES / DRIVERS ===============

    R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-6-24 93712]
    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-7-9 22024]
    R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-7-9 27656]
    R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-6-24 63504]
    R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-6-24 45584]
    R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-6-24 115216]
    R1 SABDIFSV;SABDIFSV;c:\program files\superadblocker.com\super ad blocker\sabdifsv.sys [2005-9-21 5632]
    R1 SABKUTIL;SABKUTIL;c:\program files\superadblocker.com\super ad blocker\SABKUTIL.SYS [2007-2-20 32256]
    R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-3-28 26376]
    R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-3-28 21128]
    R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-6-4 880560]
    R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-3-28 21512]
    R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-3-28 32264]
    R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-3-28 144960]
    R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-7-9 4368952]
    R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-24 134648]
    R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-6-24 66576]
    R2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\microsoft sql server\mssql.2\reporting services\reportserver\bin\ReportingServicesService.exe [2006-4-14 14624]
    R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-4 1010192]
    R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
    R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-6-24 281104]
    R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-3-28 242952]
    R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-6-24 88816]
    R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-3-17 235648]
    R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-3-17 7424]
    R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-8-16 189704]
    R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-6-4 108368]
    S3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2008-3-17 141376]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

    =============== Created Last 30 ================

    2009-07-09 19:05 <DIR> --d----- c:\docume~1\hzhao\applic~1\SuperAdBlocker.com
    2009-07-09 19:04 <DIR> --d----- c:\program files\SuperAdBlocker.com
    2009-07-09 19:04 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-07-09 18:54 27,656 a------- c:\windows\system32\drivers\pxsec.sys
    2009-07-09 18:54 22,024 a------- c:\windows\system32\drivers\pxscan.sys
    2009-07-09 18:54 <DIR> --d----- c:\program files\Prevx
    2009-07-09 18:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
    2009-07-09 17:37 <DIR> --d----- c:\program files\Exterminate It!
    2009-07-09 15:55 <DIR> --d----- c:\docume~1\hzhao\applic~1\Malwarebytes
    2009-07-09 15:55 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-09 15:55 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-07-09 15:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-07-09 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-07-09 15:28 <DIR> --d----- c:\docume~1\hzhao\applic~1\True Sword
    2009-07-09 15:27 356,352 a------- c:\windows\eSellerateEngine.dll
    2009-07-09 15:27 81,920 a------- c:\windows\eSellerateControl350.dll
    2009-07-09 15:27 <DIR> --d----- c:\program files\Windows Cannot Find Fix Wizard
    2009-07-09 11:23 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
    2009-07-09 09:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RegCure
    2009-07-08 17:16 <DIR> --d----- c:\windows\system32\wbem\Repository
    2009-07-08 09:45 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner

    ==================== Find3M ====================

    2009-07-10 13:26 431,658 a------- c:\windows\system32\drivers\kmxcfg.u2k0
    2009-07-10 13:26 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
    2009-07-10 13:26 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
    2009-07-10 13:26 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
    2009-07-10 13:26 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
    2009-07-10 13:26 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
    2009-07-10 13:26 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
    2009-07-10 13:26 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
    2009-07-08 11:02 93,545 a------- c:\windows\system32\nvModes.dat
    2009-04-22 16:49 282,216 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
    2008-04-30 16:30 0 a------- c:\docume~1\hzhao\applic~1\wklnhst.dat
    2008-03-17 01:35 76 ---shr-- c:\windows\CT4CET.bin
    1989-12-31 21:01 53,248 ---sh--- c:\windows\system32\lpadeg32.dll

    ============= FINISH: 13:35:01.50 ===============
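    Two entries in the log above are the ones a malware analyst reads first: `mWinlogon: Shell=Explorer.exe logon.exe`, where the Winlogon Shell value (normally just Explorer.exe) has an extra program that Windows tries to start at every logon, which is exactly what produces a "Windows cannot find logon.exe" message once the file is gone but the value still names it; and the Find3M entry for `c:\windows\system32\lpadeg32.dll`, a hidden+system DLL carrying a 1989 timestamp. The checker below is an added example, not part of this thread and not DDS's own code: it parses lines in the DDS format and flags both entries. The sample input reproduces those log lines; the thresholds (which extensions count as binaries, the 2001-08-01 timestamp cutoff) are assumed heuristics, not DDS rules.

```python
import re
from datetime import datetime

# Sample lines reproduced from the DDS log posted above (Pseudo HJT Report and
# Find3M sections); they are the input this checker is run against.
SAMPLE_LINES = r"""
mWinlogon: Shell=Explorer.exe logon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
2009-07-09 15:55 38,160 a------- c:\windows\system32\drivers\mbam.sys
2008-03-17 01:35 76 ---shr-- c:\windows\CT4CET.bin
1989-12-31 21:01 53,248 ---sh--- c:\windows\system32\lpadeg32.dll
"""

# "mWinlogon: Shell=..." is DDS's rendering of the machine-wide Winlogon Shell value.
WINLOGON_SHELL_RE = re.compile(r"^mWinlogon:\s*Shell=(.+)$", re.IGNORECASE)
# "<date> <time> <size or <DIR>> <attrs> <path>", as in the Created/Find3M sections.
FILE_ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$"
)
BINARY_EXTENSIONS = (".dll", ".exe", ".sys")  # assumed list, not a DDS rule


def check_winlogon_shell(line):
    """Return every token in the Winlogon Shell value other than explorer.exe.
    The stock value is explorer.exe alone, so any extra token is a program
    Winlogon launches at each logon; if that file is later deleted but the
    value is left behind, Windows reports it cannot find the file."""
    m = WINLOGON_SHELL_RE.match(line.strip())
    if not m:
        return []
    return [tok for tok in m.group(1).split() if tok.lower() != "explorer.exe"]


def parse_file_entry(line):
    """Parse one DDS file-listing line into a dict, or None if it is not one."""
    m = FILE_ENTRY_RE.match(line.strip())
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    return {
        "mtime": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
        "is_dir": size == "<DIR>",
        "hidden": "h" in attrs,   # DDS attribute flags: s = system, h = hidden
        "system": "s" in attrs,
        "path": path.lower(),
    }


def file_entry_reasons(entry, earliest=datetime(2001, 8, 1)):
    """Heuristic reasons an entry deserves a look (assumed thresholds): a
    hidden+system binary under the Windows directory, or a modification time
    older than `earliest` (Windows XP's release month by default)."""
    reasons = []
    if entry["is_dir"]:
        return reasons
    if (entry["hidden"] and entry["system"]
            and entry["path"].endswith(BINARY_EXTENSIONS)
            and "\\windows\\" in entry["path"]):
        reasons.append("hidden+system binary under the Windows directory")
    if entry["mtime"] < earliest:
        reasons.append(f"timestamp {entry['mtime']:%Y-%m-%d} predates {earliest:%Y-%m-%d}")
    return reasons


def scan(text):
    """Run both checks over a DDS log and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        extra = check_winlogon_shell(line)
        if extra:
            findings.append({"rule": "winlogon-shell", "detail": extra})
            continue
        entry = parse_file_entry(line)
        if entry:
            reasons = file_entry_reasons(entry)
            if reasons:
                findings.append({"rule": "file-entry", "detail": entry["path"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

    Run against the sample, the checker reports the extra `logon.exe` in the Shell value and flags `lpadeg32.dll` on both counts, while the legitimate hidden+system `CT4CET.bin` (a 76-byte non-binary dated 2008) and the Malwarebytes driver pass. The two checks are deliberately independent so either can be dropped or tuned without touching the other.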
     
  5. 2009/07/10
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/28/2008 2:12:48 AM
    System Uptime: 7/10/2009 1:26:47 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0TT361
    Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1995/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 40 GiB total, 19.198 GiB free.
    D: is FIXED (NTFS) - 106 GiB total, 45.449 GiB free.
    E: is CDROM ()
    F: is CDROM (CDFS)
    G: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 7/9/2009 6:14:52 PM - System Checkpoint
    RP2: 7/9/2009 7:04:58 PM - Installed Super Ad Blocker
    RP3: 7/10/2009 9:16:23 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    ???????
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    7-Zip 4.60 beta
    Adobe Flash Player ActiveX
    Adobe Reader 8.1.0
    Advanced Audio FX Engine
    Advanced Video FX Engine
    AdventureWorksDB
    Broadcom Management Programs
    Browser Address Error Redirector
    CA Anti-Spam
    CA Anti-Spyware
    CA Anti-Virus
    CA Internet Security Suite
    CA Personal Firewall
    CCleaner (remove only)
    Chinese Simplified Fonts Support For Adobe Reader 8
    Compatibility Pack for the 2007 Office system
    Conexant HDA D330 MDC V.92 Modem
    Dell Network Assistant
    Dell Support Center (Support Software)
    Dell Touchpad
    Dell Webcam Center
    Dell Webcam Manager
    Dell Wireless WLAN Card
    Digital Line Detect
    Exterminate It!
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB954550-v5)
    IntelliSonic Speech Enhancement
    Java(TM) 6 Update 7
    Laptop Integrated Webcam Driver (1.04.01.1011)
    Live! Cam Avatar Creator
    Live! Cam Avatar v1.0
    Malwarebytes' Anti-Malware
    MediaDirect
    Microsoft .NET Compact Framework 1.0 SP3 Developer
    Microsoft .NET Compact Framework 2.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Device Emulator version 1.0 - ENU
    Microsoft Document Explorer 2005
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft MSDN 2005 Express Edition - ENU
    Microsoft Office 2003 Web Components
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard 2007
    Microsoft Office Visio Viewer 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Report Viewer Redistributable 2005
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2000 Sample Database Scripts
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 (SQLEXPRESS)
    Microsoft SQL Server 2005 Backward compatibility
    Microsoft SQL Server 2005 Books Online (English) (September 2007)
    Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
    Microsoft SQL Server 2005 Reporting Services (SQLEXPRESS)
    Microsoft SQL Server 2005 Tools
    Microsoft SQL Server 2008 Management Objects
    Microsoft SQL Server Compact 3.5 SP1 Design Tools English
    Microsoft SQL Server Compact 3.5 SP1 English
    Microsoft SQL Server Management Studio Express
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Virtual PC 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual Studio 2005 Premier Partner Edition - ENU
    Microsoft Works
    Modem Diagnostic Tool
    MSDN Library for Microsoft Visual Studio 2008 Express Editions
    MSXML 6.0 Parser
    NetWaiting
    NTI Ripper
    NTI Shadow 3
    NVIDIA Drivers
    OutlookAddinSetup
    Prevx 3.0
    QuickSet
    RegCure 1.6.0.0
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler
    Roxio Update Manager
    SearchAssist
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB969679)
    Security Update for Microsoft Office Excel 2007 (KB969682)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office Word 2007 (KB969604)
    Security Update for Visio 2007 (KB947590)
    Security Update for Windows XP (KB958644)
    SigmaTel Audio
    Sonic Activation Module
    SQL Server System CLR Types
    Super Ad Blocker
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office Outlook 2007 (KB969907)
    Update for Outlook 2007 Junk Email Filter (kb970012)
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Windows Cannot Find Fix Wizard
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    7/9/2009 9:31:45 AM, error: NetBT [4321] - The name "WM_TBROWNE :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/9/2009 9:29:48 AM, error: NetBT [4321] - The name "HZHAO :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/7/2009 9:28:56 AM, error: NetBT [4321] - The name "RDLT_DELLM1330 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/7/2009 9:28:24 AM, error: NetBT [4321] - The name "DMLT_DELLE6400 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/7/2009 9:28:24 AM, error: NetBT [4321] - The name "ASLT_DELL1400 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/7/2009 9:26:05 AM, error: NetBT [4321] - The name "SPICA :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/7/2009 11:35:04 AM, error: NetBT [4321] - The name "RH_LP1400 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/7/2009 11:34:30 AM, error: NetBT [4321] - The name "RHXVM-43B70-2 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:52:18 AM, error: NetBT [4321] - The name "DEMO_VMHH :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:52:17 AM, error: NetBT [4321] - The name "RBLT_D630 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:52:13 AM, error: NetBT [4321] - The name "LT_DB_E6400 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:52:12 AM, error: NetBT [4321] - The name "PLSZ330_NB :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:51:58 AM, error: NetBT [4321] - The name "BBY43C-INSTALL :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:51:46 AM, error: NetBT [4321] - The name "LTJD_M1330 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:51:35 AM, error: NetBT [4321] - The name "DEMO-PC :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:51:09 AM, error: NetBT [4321] - The name "BBY09999R001 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:50:21 AM, error: NetBT [4321] - The name "SS-GATEWAYGT502:0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:50:18 AM, error: NetBT [4321] - The name "MEGABUILD :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:49:52 AM, error: NetBT [4321] - The name "LTHB_E6400 :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:49:31 AM, error: NetBT [4321] - The name "DH-DESKTOPVISTA:0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:47:05 AM, error: NetBT [4321] - The name "REGULUS :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:46:53 AM, error: NetBT [4321] - The name "SPICA :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.3 did not allow the name to be claimed by this machine.
    7/6/2009 9:46:53 AM, error: NetBT [4321] - The name "HADAR :0" could not be registered on the Interface with IP address 192.168.1.158. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:46:19 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.158 with the system having network hardware address 00:23:AE:1D:60:EE. Network operations on this system may be disrupted as a result.
    7/6/2009 9:42:45 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.158 with the system having network hardware address 00:24:2B:93:29:97. Network operations on this system may be disrupted as a result.
    7/6/2009 9:42:36 AM, error: smtpsvc [1004] - Virtual server 1 was unable to register itself and the local delivery sink with the event binding database. Server events and local delivery will not function properly for this virtual server.
    7/6/2009 9:42:36 AM, error: smtpsvc [1002] - Server events initialization failed for virtual server 1. Server events may not be called for this virtual server.
    7/6/2009 9:41:24 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.149 with the system having network hardware address 00:24:2B:93:29:97. Network operations on this system may be disrupted as a result.
    7/6/2009 9:38:43 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 2 (KB 921896).
    7/6/2009 9:34:34 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.165 with the system having network hardware address 00:24:2B:93:29:97. Network operations on this system may be disrupted as a result.
    7/6/2009 9:34:13 AM, error: NetBT [4321] - The name "VEGA :0" could not be registered on the Interface with IP address 192.168.1.165. The machine with the IP address 192.168.1.6 did not allow the name to be claimed by this machine.
    7/6/2009 9:34:13 AM, error: NetBT [4321] - The name "SIRIUS :0" could not be registered on the Interface with IP address 192.168.1.165. The machine with the IP address 192.168.1.7 did not allow the name to be claimed by this machine.
    7/6/2009 9:33:53 AM, error: NetBT [4321] - The name "SPICA :0" could not be registered on the Interface with IP address 192.168.1.165. The machine with the IP address 192.168.1.2 did not allow the name to be claimed by this machine.
    7/6/2009 9:33:43 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.165 with the system having network hardware address 00:23:AE:1D:60:EE. Network operations on this system may be disrupted as a result.
    7/6/2009 10:09:24 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    7/6/2009 1:31:16 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

    ==== End Of File ===========================
     
  6. 2009/07/10
    broni Moderator Malware Analyst
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.
     
  7. 2009/07/10
    zhshqzyc Inactive Thread Starter
    Okay. By the way, my computer cannot start in safe mode.
    An error is encountered:
    STOP, then a long physical address which I don't understand.

    After I double click ComboFix, a message pops up.

    The machine does not have the 'Microsoft Windows recovery console' installed.
    Without it, Combofix shall not attempt the fixing of some serious infections.


    So shall I connect the internet or download it from another computer then copy to somewhere?
     
  8. 2009/07/10
    broni Moderator Malware Analyst
    Don't worry about it for now.

    Yes, and allow RC installation.
     
  9. 2009/07/10
    zhshqzyc Inactive Thread Starter
    Okay. I may need some time to find rc.
    Actually I got one but it is not working because it cannot find \i386\winn32.exe.
     
  10. 2009/07/10
    broni Moderator Malware Analyst
    Combofix will install RC for you. Run it again, and simply agree to RC installation.
     
  11. 2009/07/10
    zhshqzyc Inactive Thread Starter
    But this ComboFix will disconnect the internet connection after I click "Yes".
     
  12. 2009/07/10
    broni Moderator Malware Analyst
  13. 2009/07/11
    zhshqzyc Inactive Thread Starter
    ComboFix 09-07-09.08 - hzhao 07/11/2009 9:11.4.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2392 [GMT -4:00]
    Running from: G:\ComboFix.exe
    AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
    .

    ((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
    .

    2009-07-10 19:34 . 2009-07-10 19:39 -------- d-----w- c:\program files\XoftSpySE
    2009-07-10 18:43 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-07-10 18:35 . 2009-07-10 18:35 -------- dc----w- c:\windows\system32\DRVSTORE
    2009-07-10 18:35 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-07-10 18:34 . 2009-07-10 18:34 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-10 18:34 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-07-10 18:34 . 2009-07-10 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-07-10 18:34 . 2009-07-10 18:34 -------- d-----w- c:\program files\Lavasoft
    2009-07-10 18:15 . 2009-07-10 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-07-09 23:05 . 2009-07-09 23:05 -------- d-----w- c:\documents and settings\hzhao\Application Data\SuperAdBlocker.com
    2009-07-09 23:04 . 2009-07-10 13:20 -------- d-----w- c:\program files\SuperAdBlocker.com
    2009-07-09 22:17 . 2009-07-09 22:23 -------- d-----w- c:\windows\BDOSCAN8
    2009-07-09 21:37 . 2009-07-10 18:07 -------- d-----w- c:\program files\Exterminate It!
    2009-07-09 19:55 . 2009-07-09 19:55 -------- d-----w- c:\documents and settings\hzhao\Application Data\Malwarebytes
    2009-07-09 19:55 . 2009-07-09 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-09 19:28 . 2009-07-09 19:28 -------- d-----w- c:\documents and settings\hzhao\Application Data\True Sword
    2009-07-09 19:27 . 2009-07-09 19:27 -------- d-----w- c:\program files\Windows Cannot Find Fix Wizard
    2009-07-09 19:27 . 2005-10-11 19:40 356352 ----a-w- c:\windows\eSellerateEngine.dll
    2009-07-09 19:27 . 2003-06-06 16:21 81920 ----a-w- c:\windows\eSellerateControl350.dll
    2009-07-09 15:23 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
    2009-07-09 13:30 . 2009-07-09 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
    2009-07-09 13:30 . 2009-07-09 13:54 -------- d-----w- c:\program files\RegCure
    2009-07-08 21:16 . 2009-07-08 21:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-07-08 13:45 . 2009-07-09 13:49 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
    2009-07-01 13:22 . 2008-06-04 12:48 1385760 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
    2009-06-29 14:15 . 2009-06-29 14:15 -------- d-----w- c:\documents and settings\hzhao\Application Data\CyberLink

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-11 13:06 . 2008-04-16 13:10 -------- d-----w- c:\program files\Microsoft SQL Server
    2009-07-11 13:04 . 2008-03-17 05:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-07-11 02:30 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
    2009-07-11 02:30 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
    2009-07-11 02:30 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
    2009-07-11 02:30 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
    2009-07-11 02:30 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
    2009-07-11 02:30 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
    2009-07-11 02:30 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
    2009-07-11 02:30 . 2008-03-28 22:36 431658 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
    2009-07-10 20:44 . 2008-12-02 21:23 -------- d-----w- c:\documents and settings\hzhao\Application Data\U3
    2009-07-09 14:05 . 2008-05-09 14:28 165232 ---ha-w- c:\documents and settings\hzhao\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
    2009-07-09 13:59 . 2009-04-20 23:26 120208 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-07-08 15:02 . 2008-03-17 05:20 93545 ----a-w- c:\windows\system32\nvModes.dat
    2009-06-16 13:07 . 2008-03-28 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-06-15 13:16 . 2008-03-17 05:43 -------- d-----w- c:\program files\Microsoft Works
    2009-04-22 20:49 . 2009-07-09 22:14 282216 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2008-03-17 05:35 . 2008-03-17 05:35 76 --sh--r- c:\windows\CT4CET.bin
    1990-01-01 01:01 . 1990-01-01 01:01 53248 --sh--w- c:\windows\system32\lpadeg32.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-07-11_02.25.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 13:05 . 2009-07-11 13:05 16384 c:\windows\temp\Perflib_Perfdata_a80.dat
    + 2009-07-08 21:15 . 2009-07-11 13:02 237284 c:\windows\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-03-20 15360]
    "DellSupportCenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-17 68856]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-03-20 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint "= "c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2007-09-24 8466432]
    "OEM02Mon.exe "= "c:\windows\OEM02Mon.exe" [2007-08-28 36864]
    "Broadcom Wireless Manager UI "= "c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "DELL Webcam Manager "= "c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
    "Dell QuickSet "= "c:\program files\Dell\QuickSet\quickset.exe" [2007-09-07 1236992]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "RoxioDragToDisc "= "c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
    "PCMService "= "c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
    "ECenter "= "c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "dscactivate "= "c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
    "cctray "= "c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-01-30 177392]
    "CAVRID "= "c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
    "cafwc "= "c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-07-31 1193200]
    "capfasem "= "c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-07-31 173296]
    "capfupgrade "= "c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-07-31 259312]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1 "= "c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "DellSupportCenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "Google IME Autoupdater "= "c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "KADxMain "= "c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "SigmatelSysTrayApp "= "c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "nwiz "= "nwiz.exe" - c:\windows\system32\nwiz.exe [2007-09-24 1626112]
    "NVHotkey "= "nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-09-24 67584]
    "NvMediaCenter "= "NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-09-24 81920]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]
    Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-3-17 7168]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-17 50688]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
    2007-05-18 18:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe "=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP "= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP "= 10426:UDP:SingleClick ICC

    R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/10/2009 2:35 PM 64160]
    R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
    R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
    R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
    R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
    R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
    R2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [4/14/2006 9:59 AM 14624]
    R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/4/2007 8:23 AM 1010192]
    R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 8:39 AM 801296]
    R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
    R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
    R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [3/17/2008 1:13 AM 235648]
    R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [3/17/2008 1:13 AM 7424]
    R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
    S3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [3/17/2008 1:13 AM 141376]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-07-11 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

    2009-07-11 c:\windows\Tasks\RegCure Startup.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

    2009-07-09 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

    2009-07-11 c:\windows\Tasks\XoftSpySE 2.job
    - c:\program files\XoftSpySE\XoftSpy.exe [2009-07-08 14:33]

    2009-07-10 c:\windows\Tasks\XoftSpySE.job
    - c:\program files\XoftSpySE\XoftSpy.exe [2009-07-08 14:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    mStart Page = hxxp://www.msn.com
    mSearch Bar = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    LSP: c:\windows\system32\VetRedir.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-11 09:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\úWcwYe^yf[.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]
    @= "{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC} "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1328)
    c:\windows\system32\UmxWnp.Dll
    c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

    - - - - - - - > 'lsass.exe'(1388)
    c:\windows\system32\VetRedir.dll
    c:\windows\system32\ISafeIf.dll

    - - - - - - - > 'explorer.exe'(4104)
    c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
    c:\windows\system32\btmmhook.dll
    .
    Completion time: 2009-07-11 9:15
    ComboFix-quarantined-files.txt 2009-07-11 13:15
    ComboFix2.txt 2009-07-11 02:27

    Pre-Run: 21,033,549,824 bytes free
    Post-Run: 21,014,319,104 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    226 --- E O F --- 2009-07-11 13:06
     
  14. 2009/07/11
    broni Moderator Malware Analyst
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\lpadeg32.dll
    
    
    Folder::
    
    Driver::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    
    RegLockDel::
    [-HKEY_LOCAL_MACHINE\software\Classes\úWcwYe^yf[.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
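    The CFScript above targets three things an analyst spots in the ComboFix log: a hidden+system DLL in system32 stamped 1990, Security Center "DisableMonitoring" overrides for Symantec products that are not installed, and a locked Classes key with a garbled name. The triage script below is an added example, not part of this thread or of ComboFix, that checks for exactly those patterns over sample lines copied from the log; the attribute-flag layout, the 1995 timestamp cutoff and the set of installed product subkeys are assumptions.

```python
# Added example (not from the thread or ComboFix): triage heuristics for
# ComboFix-style log lines, using sample lines copied from the log above.
import re
from datetime import datetime

# Find3M / "Files Created" line: "<created> . <modified> <size> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-+|\d+) ([-a-z]{8}) (.+)$"
)
REG_KEY = re.compile(r"^\[-?(.+)\]$")
DISABLE_MON = re.compile(r'^"DisableMonitoring\s*"=dword:0*1$')  # allows "Name "=


def parse_file_line(line):
    """Return a dict for a file-listing line, or None for anything else."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {
        "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
        "size": None if size.startswith("-") else int(size),
        "attrs": attrs,  # assumed layout: d c s h a ? w/r -, e.g. "--sh--w-"
        "path": path,
    }


def suspicious_file(entry, oldest_plausible=datetime(1995, 1, 1)):
    """Hidden+system file under system32 whose creation time predates the
    OS (the 1995 cutoff is an assumption): a timestomping pattern."""
    if entry is None or entry["attrs"][0] == "d":
        return False
    hidden_system = "s" in entry["attrs"] and "h" in entry["attrs"]
    in_system32 = "\\windows\\system32\\" in entry["path"].lower()
    return hidden_system and in_system32 and entry["created"] < oldest_plausible


def security_center_overrides(lines, installed):
    """Security Center DisableMonitoring=1 subkeys for products that are not
    installed; `installed` is the set of subkey names the real AV/FW use."""
    findings, current = [], None
    for raw in lines:
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            current = m.group(1)
            continue
        if not (current and DISABLE_MON.match(line)):
            continue
        if "security center\\monitoring\\" in current.lower():
            product = current.rsplit("\\", 1)[1]
            if product not in installed:
                findings.append(product)
    return findings


def garbled_class_key(key):
    """HKLM\\software\\Classes key whose name is non-ASCII or '*'-stuffed."""
    parts = key.split("\\")
    if len(parts) < 4 or [p.lower() for p in parts[:3]] != [
        "hkey_local_machine", "software", "classes"]:
        return False
    name = parts[3]
    return any(ord(ch) > 127 for ch in name) or name.count("*") >= 4


def triage(log_text, installed):
    """Run all three checks over a whole log and return what they flag."""
    lines = log_text.splitlines()
    files = [e["path"] for e in map(parse_file_line, lines) if suspicious_file(e)]
    keys = [m.group(1) for m in (REG_KEY.match(ln.strip()) for ln in lines)
            if m and garbled_class_key(m.group(1))]
    return {
        "files": files,
        "security_center": security_center_overrides(lines, installed),
        "locked_keys": keys,
    }


# Constructed sample: lines copied verbatim from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2008-03-17 05:35 . 2008-03-17 05:35 76 --sh--r- c:\windows\CT4CET.bin
1990-01-01 01:01 . 1990-01-01 01:01 53248 --sh--w- c:\windows\system32\lpadeg32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring "=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring "=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring "=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\úWcwYe^yf[.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]
"""
INSTALLED = {"CA Personal Firewall", "ComputerAssociatesAntiVirus"}  # from AV:/FW: lines

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG, INSTALLED).items():
        print(section, items)
```

Note that c:\windows\CT4CET.bin is also hidden+system but is neither in system32 nor implausibly dated, so it is not flagged; the checks are meant to narrow a log down for a human, not to decide deletions on their own.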
     
  15. 2009/07/11
    zhshqzyc Inactive Thread Starter
    ComboFix 09-07-09.08 - hzhao 07/11/2009 17:57.5.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2452 [GMT -4:00]
    Running from: G:\ComboFix.exe
    Command switches used :: G:\CFScript.txt
    AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

    FILE ::
    "c:\windows\system32\lpadeg32.dll "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\lpadeg32.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
    .

    2009-07-10 19:34 . 2009-07-10 19:39 -------- d-----w- c:\program files\XoftSpySE
    2009-07-10 18:43 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-07-10 18:35 . 2009-07-10 18:35 -------- dc----w- c:\windows\system32\DRVSTORE
    2009-07-10 18:35 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-07-10 18:34 . 2009-07-10 18:34 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-10 18:34 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-07-10 18:34 . 2009-07-10 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-07-10 18:34 . 2009-07-10 18:34 -------- d-----w- c:\program files\Lavasoft
    2009-07-10 18:15 . 2009-07-10 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-07-09 23:05 . 2009-07-09 23:05 -------- d-----w- c:\documents and settings\hzhao\Application Data\SuperAdBlocker.com
    2009-07-09 23:04 . 2009-07-10 13:20 -------- d-----w- c:\program files\SuperAdBlocker.com
    2009-07-09 22:17 . 2009-07-09 22:23 -------- d-----w- c:\windows\BDOSCAN8
    2009-07-09 21:37 . 2009-07-10 18:07 -------- d-----w- c:\program files\Exterminate It!
    2009-07-09 19:55 . 2009-07-09 19:55 -------- d-----w- c:\documents and settings\hzhao\Application Data\Malwarebytes
    2009-07-09 19:55 . 2009-07-09 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-09 19:28 . 2009-07-09 19:28 -------- d-----w- c:\documents and settings\hzhao\Application Data\True Sword
    2009-07-09 19:27 . 2009-07-09 19:27 -------- d-----w- c:\program files\Windows Cannot Find Fix Wizard
    2009-07-09 19:27 . 2005-10-11 19:40 356352 ----a-w- c:\windows\eSellerateEngine.dll
    2009-07-09 19:27 . 2003-06-06 16:21 81920 ----a-w- c:\windows\eSellerateControl350.dll
    2009-07-09 15:23 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
    2009-07-09 13:30 . 2009-07-09 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
    2009-07-09 13:30 . 2009-07-09 13:54 -------- d-----w- c:\program files\RegCure
    2009-07-08 21:16 . 2009-07-08 21:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-07-08 13:45 . 2009-07-09 13:49 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
    2009-07-01 13:22 . 2008-06-04 12:48 1385760 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
    2009-06-29 14:15 . 2009-06-29 14:15 -------- d-----w- c:\documents and settings\hzhao\Application Data\CyberLink

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-11 21:50 . 2008-03-17 05:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-07-11 13:17 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
    2009-07-11 13:17 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
    2009-07-11 13:17 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
    2009-07-11 13:17 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
    2009-07-11 13:17 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
    2009-07-11 13:17 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
    2009-07-11 13:17 . 2008-03-28 22:36 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
    2009-07-11 13:17 . 2008-03-28 22:36 433178 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
    2009-07-11 13:06 . 2008-04-16 13:10 -------- d-----w- c:\program files\Microsoft SQL Server
    2009-07-10 20:44 . 2008-12-02 21:23 -------- d-----w- c:\documents and settings\hzhao\Application Data\U3
    2009-07-09 14:05 . 2008-05-09 14:28 165232 ---ha-w- c:\documents and settings\hzhao\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
    2009-07-09 13:59 . 2009-04-20 23:26 120208 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-07-08 15:02 . 2008-03-17 05:20 93545 ----a-w- c:\windows\system32\nvModes.dat
    2009-06-16 13:07 . 2008-03-28 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-06-15 13:16 . 2008-03-17 05:43 -------- d-----w- c:\program files\Microsoft Works
    2009-04-22 20:49 . 2009-07-09 22:14 282216 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2008-03-17 05:35 . 2008-03-17 05:35 76 --sh--r- c:\windows\CT4CET.bin
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-07-11_02.25.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-08 21:15 . 2009-07-11 21:52 237288 c:\windows\system32\inetsrv\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-03-20 15360]
    "DellSupportCenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-17 68856]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-03-20 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-24 8466432]
    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-09-07 1236992]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
    "cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-01-30 177392]
    "CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
    "cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-07-31 1193200]
    "capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-07-31 173296]
    "capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-07-31 259312]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-09-24 1626112]
    "NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-09-24 67584]
    "NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-09-24 81920]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]
    Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-3-17 7168]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-17 50688]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
    2007-05-18 18:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP"= 10426:UDP:SingleClick ICC

    R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/10/2009 2:35 PM 64160]
    R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
    R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
    R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
    R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
    R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
    R2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe [4/14/2006 9:59 AM 14624]
    R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/4/2007 8:23 AM 1010192]
    R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 8:39 AM 801296]
    R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
    R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
    R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [3/17/2008 1:13 AM 235648]
    R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [3/17/2008 1:13 AM 7424]
    R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
    S3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [3/17/2008 1:13 AM 141376]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-07-11 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

    2009-07-11 c:\windows\Tasks\RegCure Startup.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

    2009-07-09 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

    2009-07-11 c:\windows\Tasks\XoftSpySE 2.job
    - c:\program files\XoftSpySE\XoftSpy.exe [2009-07-08 14:33]

    2009-07-10 c:\windows\Tasks\XoftSpySE.job
    - c:\program files\XoftSpySE\XoftSpy.exe [2009-07-08 14:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    mStart Page = hxxp://www.msn.com
    mSearch Bar = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    LSP: c:\windows\system32\VetRedir.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-11 18:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\úWcwYe^yf[.*M*y*N*S*H*a*n*d*l*e*r*\Clsid]
    @="{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1328)
    c:\windows\system32\UmxWnp.Dll
    c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
    c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

    - - - - - - - > 'lsass.exe'(1384)
    c:\windows\system32\VetRedir.dll
    c:\windows\system32\ISafeIf.dll
    .
    Completion time: 2009-07-11 18:02
    ComboFix-quarantined-files.txt 2009-07-11 22:02
    ComboFix2.txt 2009-07-11 13:15
    ComboFix3.txt 2009-07-11 02:27

    Pre-Run: 21,289,861,120 bytes free
    Post-Run: 21,271,543,808 bytes free

    216 --- E O F --- 2009-07-11 13:06
     
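An added example, not part of the thread and not ComboFix's own code: a Python triage of the registry section of a ComboFix-style log like the one above. It parses the bracketed key headers and the "name"=value lines beneath them, then flags the settings a reviewer would question: Security Center monitoring switched off, the Windows Firewall standard profile disabled, DisableCAD set, globally open inbound ports, and Winlogon Notify DLLs (which load into winlogon.exe, as the "DLLs Loaded Under Running Processes" section of the log confirms for UmxWnp.Dll). The sample text is constructed from entries of the kind shown in the posted log, and the rule notes are the example's own judgements, not verdicts from the thread.

```python
"""Triage of the registry section of a ComboFix-style log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: entries of the kind shown in the posted log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 18:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")
DECIMAL_RE = re.compile(r"^(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)$")


@dataclass(frozen=True)
class Entry:
    key: str       # registry key, lower-cased for matching
    name: str      # value name, or "" for a non-value line such as a file listing
    value: object  # int for dword / "n (0xn)" values, otherwise the raw text


def parse_value(raw):
    """Normalise the value notations ComboFix prints to an int where possible."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group("hex"), 16)
    m = DECIMAL_RE.match(raw)
    if m:
        return int(m.group("dec"))
    return raw.strip('"')


def parse_registry_section(text):
    """Return one Entry for every line that sits under a [key] header."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if key is None:
            continue  # text before the first key header is ignored
        m = VALUE_RE.match(line)
        if m:
            entries.append(Entry(key, m.group("name"), parse_value(m.group("value"))))
        else:
            entries.append(Entry(key, "", line))  # e.g. the DLL listed under a Notify key
    return entries


def triage(entries):
    """Apply rules for settings that weaken defenses; returns (entry, note) pairs."""
    findings = []
    for e in entries:
        k, n, v = e.key, e.name.lower(), e.value
        if k.endswith("policies\\system") and n == "disablecad" and v == 1:
            findings.append((e, "Ctrl+Alt+Del secure attention sequence not required at logon"))
        elif "security center\\monitoring" in k and n == "disablemonitoring" and v == 1:
            findings.append((e, "Security Center alerting suppressed; expected only when a third-party suite owns that role"))
        elif "firewallpolicy\\standardprofile" in k and n == "enablefirewall" and v == 0:
            findings.append((e, "Windows Firewall disabled in the standard profile"))
        elif k.endswith("globallyopenports\\list") and n:
            findings.append((e, "inbound port open on every network: %s" % v))
        elif "\\winlogon\\notify\\" in k and not n:
            findings.append((e, "Winlogon Notify DLL loads into winlogon.exe: " + str(v).split()[-1]))
    return findings


if __name__ == "__main__":
    for entry, note in triage(parse_registry_section(SAMPLE_LOG)):
        print("%-60s %s" % (entry.key[-60:], note))
```

A hit is a prompt to verify, not a verdict. On a machine where a third-party suite owns the firewall and antivirus roles, suppressed Security Center monitoring and a disabled Windows Firewall profile are what that suite configures, and the Notify DLL here carries the same Umx prefix as the CA HIPS engine services listed in the log, so it appears to belong to that product. The same entries on a machine with no such suite would be genuine findings, and a Notify DLL from an unknown publisher is always worth checking, since it runs inside winlogon.exe at every logon.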
  16. 2009/07/11
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:04:20 PM, on 7/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5508)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\Program Files\Dell Network Assistant\hnm_svc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\WINDOWS\OEM02Mon.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080317
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
    O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Dell Network Assistant.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206723978061
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 12391 bytes
     
  17. 2009/07/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:

    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u".
    Restart computer.



    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and allow it to run the express scan.
    • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv.
    • Close Dr.Web CureIt.
    • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    Post fresh HijackThis log as well.
     
  18. 2009/07/11
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    It is strange. I have not found ComboFix on my computer. I copied it to the flash drive and installed it, then scanned the computer. Is that okay?
     
  19. 2009/07/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    The instructions clearly said to run it from the desktop. It's important for a number of reasons.
    In your case, you're gonna be fine, but please keep in mind for the future to follow the exact instructions.
    Proceed to Dr.Web.
     
  20. 2009/07/12
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    I found that the error disappeared suddenly before Dr.Web CureIt. Not sure why.
    The log files are below.
     
  21. 2009/07/12
    zhshqzyc

    zhshqzyc Inactive Thread Starter

    Joined:
    2008/12/15
    Messages:
    140
    Likes Received:
    0
    autorun.inf;g:;Probably Win32.HLLW.Autoruner.corrupted;Moved.;
    CannotFindFixWizard.exe;C:\Program Files\Windows Cannot Find Fix Wizard;Probably STPAGE.Trojan;Incurable.Deleted.;
    WindowsCannotFindFixWizard.exe\data001;G:\WindowsCannotFindFixWizard.exe;Probably STPAGE.Trojan;;
    WindowsCannotFindFixWizard.exe;G:\;Archive contains infected objects;Moved.;
     
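An added example, not part of the thread and not Dr.Web code: a Python parser for the Dr.Web CureIt report format shown above, where each record is object;location;verdict;action; and an object inside an archive is listed as archive\member with the container's path as its location and an empty action, because the container is what gets moved or deleted. It summarises detections per drive, flags drives whose root carries a detected autorun.inf (the removable-media infection vector), and lists anything that was neither deleted, moved, nor handled through its container. The sample input reproduces the four records posted above; the status labels are the example's own.

```python
"""Parse and summarise a Dr.Web CureIt report (added example)."""
from dataclasses import dataclass

# Constructed sample reproducing the four records posted in the thread.
SAMPLE_REPORT = r"""autorun.inf;g:;Probably Win32.HLLW.Autoruner.corrupted;Moved.;
CannotFindFixWizard.exe;C:\Program Files\Windows Cannot Find Fix Wizard;Probably STPAGE.Trojan;Incurable.Deleted.;
WindowsCannotFindFixWizard.exe\data001;G:\WindowsCannotFindFixWizard.exe;Probably STPAGE.Trojan;;
WindowsCannotFindFixWizard.exe;G:\;Archive contains infected objects;Moved.;
"""


@dataclass(frozen=True)
class Record:
    obj: str       # file name, or "archive\member" for an object inside an archive
    location: str  # directory, drive root, or the archive's path for a member
    verdict: str   # detection name
    action: str    # what CureIt did; empty for archive members

    @property
    def drive(self):
        loc = self.location
        return loc[:2].upper() if len(loc) >= 2 and loc[1] == ":" else ""

    @property
    def in_container(self):
        return "\\" in self.obj

    @property
    def status(self):
        if "Deleted" in self.action:
            return "deleted"
        if "Moved" in self.action:
            return "quarantined"
        if self.in_container:
            return "handled via container"  # resolved by the container's own record
        return "unresolved"


def parse_report(text):
    """One Record per non-empty line; missing trailing fields become ""."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.rstrip(";").split(";")
        fields += [""] * (4 - len(fields))
        records.append(Record(*fields[:4]))
    return records


def is_root_autorun(r):
    """True for an autorun.inf sitting at a drive root, the removable-media vector."""
    return r.obj.lower() == "autorun.inf" and r.location.rstrip("\\").endswith(":")


def summarise(records):
    by_drive = {}
    for r in records:
        by_drive[r.drive] = by_drive.get(r.drive, 0) + 1
    return {
        "by_drive": by_drive,
        "autorun_drives": sorted({r.drive for r in records if is_root_autorun(r)}),
        "unresolved": [r for r in records if r.status == "unresolved"],
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for r in recs:
        print("%-4s %-22s %-45s %s" % (r.drive, r.status, r.verdict, r.obj))
    print(summarise(recs))
```

Read against the thread, the summary makes the security-relevant point visible: three of the four detections sit on G:, the flash drive the poster used to carry ComboFix onto the machine, and that drive's root autorun.inf was itself flagged as a worm. A removable drive with a live autorun.inf re-infects any machine that mounts it with autorun enabled, which is a concrete reason to run cleanup tools from the desktop rather than from removable media, as the analyst asked.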
