msmbsr.exe, wsldoekd.exe and others

Runningonempty · 08-29-2008, 08:55 PM

I've picked up a virus that executes several exe files: afisicx.exe, macidwe.exe, noxtcyr.exe, roxtctm.exe, sobicyt.exe, tdxdowkc.exe and wsldoekd.exe from what I can tell. I have tried to clean these out, killing the services and removing from the registry but they keep coming back. I actually watched them install and was able to grab an install.txt file from one of them. I'm just so-so with my technical skills and need some help.

Thanks!

---------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39, on 2008-08-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CA_LIC\lic98rmt.exe
C:\infoUSA\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\Hummbird\inetd32.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\CA_LIC\LogWatNT.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Orl\VNC\WinVNC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\dllhost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edition.cnn.com/US/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\s wg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\Orl\VNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: drives.bat
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: infoUSA VPN Client.lnk = C:\infoUSA\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.bmc (HKLM)
O15 - Trusted Zone: http://*.goober (HKLM)
O15 - ESC Trusted Zone: http://www.wise.com
O15 - ESC Trusted Zone: http://www.wise.com (HKLM)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.infousa.com
O17 - HKLM\Software\..\Telephony: DomainName = intra.infousa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.infousa.com
O23 - Service: afisicx Corporation inc. (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\lic98rmtd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\infoUSA\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\system32\Hummbird\inetd32.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: macidwe Event propagation service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Windows All Device Management Services (msjetwod) - Unknown owner - C:\WINDOWS\system32\msjetwo.exe
O23 - Service: noxtcyr Manages messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe
O23 - Service: roxtctm Portable Media Serial Service (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca Portable Media Serial Service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: tdxdowkc Event propagation service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinVNC - RealVNC Ltd. - C:\Program Files\Orl\VNC\WinVNC.exe
O23 - Service: wsldoekd Event propagation service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 9656 bytes

-------------------
ComboFix 08-08-28.06 - ReginaJ 2008-08-29 10:57:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1307 [GMT -5:00]
Running from: C:\Documents and Settings\reginaj\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\#SharedObjects\AVMFQ9H2\bin.clearspring.com
C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\#SharedObjects\AVMFQ9H2\bin.clearspring.com \clearspring.sol
C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\#SharedObjects\AVMFQ9H2\interclick.com
C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\#SharedObjects\AVMFQ9H2\interclick.com\ud.s ol
C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin .clearspring.com
C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin .clearspring.com\settings.sol
C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#int erclick.com
C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#int erclick.com\settings.sol
C:\Documents and Settings\reginaj\Cookies\reginaj@146.145.204[1].txt
C:\WINDOWS\Install.txt
C:\WINDOWS\system32\atsxyzd.sys
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\oduxftw.sys
C:\WINDOWS\system32\rtl60.bpl

----- BITS: Possible infected sites -----

http://wsus
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MACIDWE
-------\Legacy_NOXTCYR
-------\Legacy_ROXTCTM
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSLDOEKD

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-29 11:04 . 2008-08-29 11:04 104 --a------ C:\WINDOWS\system32\NvApps.xml
2008-08-28 15:52 . 2008-08-28 16:14 <DIR> d-------- C:\HijackThis
2008-08-27 08:15 . 2008-08-27 08:15 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-08-22 00:43 . 2008-08-22 00:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-22 00:26 . 2008-08-25 15:14 <DIR> d-------- C:\quarantine
2008-08-20 12:01 . 2008-08-20 12:01 56,912 --a------ C:\Documents and Settings\reginaj\g2mdlhlpx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-08-29 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-20 17:01 --------- d-----w C:\Program Files\Citrix
2008-08-19 21:28 --------- d-----w C:\Documents and Settings\reginaj\Application Data\FileZilla
2008-07-15 20:50 --------- d-----w C:\Documents and Settings\reginaj\Application Data\AdobeUM
2008-07-09 21:05 --------- d-----w C:\Program Files\Ultimate Technographics
2008-07-09 20:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 20:06 --------- d-----w C:\Program Files\DemoForge
2008-07-09 20:05 93,057,827 ----a-w C:\Impostrip_Card_Stacker_1.2.zip
2008-07-09 18:46 --------- d-----w C:\Documents and Settings\reginaj\Application Data\PACE Anti-Piracy
2008-07-09 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
2008-07-09 18:45 --------- d-----w C:\Program Files\Common Files\PACE Anti-Piracy
2008-07-09 18:22 --------- d-----w C:\Program Files\InterLok
2008-07-09 18:21 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys
2008-05-29 19:12 15,096 ----a-w C:\Documents and Settings\reginaj\Start Menu.zip
2008-02-27 17:15 1,723,432 ----a-w C:\Documents and Settings\All Users\Application Data\Yugma-Uninstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 16:10 851968]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-02-22 05:46 13508608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"systray"="C:\Program Files\Dell\Dell Mobile Broadband\systray.exe" [2008-03-05 14:14 331851]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 15:06 136512]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 08:00 98304]
"WinVNC"="C:\Program Files\Orl\VNC\winvnc.exe" [2003-03-05 14:49 335872]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 17:23 118784]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 09:00 1116920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\I SUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-06-10 21:27 413696]
"nwiz"="nwiz.exe" [2008-02-22 05:46 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2008-02-22 05:46 86016 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2008-02-22 05:46 86016 C:\WINDOWS\system32\nvmctray.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 15:26 303104 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\reginaj\Start Menu\Programs\Startup\
drives.bat [2008-06-23 08:56:40 91]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-08 19:07:37 110592]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-12 09:02:01 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
infoUSA VPN Client.lnk - C:\infoUSA\VPN Client\vpngui.exe [2008-05-08 16:10:00 1426424]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-3658379808-1708799015-1379952707-29693\Scripts\Logon\0\0]
"Script"=\\Wile\NETLOGON\ULite\ULite33 App.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLAR TL_M.SYS [2006-08-11 10:35]
R2 CA_LIC_CLNT;CA License Client;C:\CA_LIC\lic98rmt.exe [2003-10-12 10:20]
R2 LogWatch;Event Log Watch;C:\CA_LIC\LogWatNT.exe [2002-09-20 07:29]
R3 dfmirage;dfmirage;C:\WINDOWS\system32\DRIVERS\dfmi rage.sys [2005-11-25 17:43]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.s ys [2007-11-19 17:01]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;C:\WINDOWS\system32\DRIVERS\nwdelmdm.sys [2007-11-02 15:41]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwdelser.sys [2007-11-02 15:41]
S2 msjetwod;Windows All Device Management Services;C:\WINDOWS\system32\msjetwo.exe [2004-08-04 00:56]
S3 CA_LIC_SRVR;CA License Server;C:\CA_LIC\lic98rmtd.exe [2003-04-07 06:45]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-06-14 14:57]
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 05:45]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 05:45]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 05:45]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 19:30]
S3 vsinstdv;vsinstdv;C:\DOCUME~1\reginaj\LOCALS~1\Tem p\{61B245E9-100A-46E9-8760-31EBEC18F586}\vsinstdv.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://edition.cnn.com/US/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 11:04:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\CSGina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\infoUSA\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\Hummbird\inetd32.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\product\10.2.0\client_1\BIN\omtsreco.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
************************************************** ************************
.
Completion time: 2008-08-29 11:10:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 16:10:32

Pre-Run: 95,414,767,616 bytes free
Post-Run: 95,680,667,648 bytes free

177 --- E O F --- 2008-08-23 07:06:35

I reran combofix and the exe's were back again!

cohen · 08-30-2008, 08:24 AM

OK, well combo fix did a few deletions.

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
In the drop down box labeled Files of type change the type to Text file.
Save the file to your desktop.
Copy and paste that information in your next post.

also post a fresh hijackthis log

Thanks,

Runningonempty · 08-30-2008, 09:00 PM

The exe's re-installed again so I re-ran ComboFix.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 30, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 30, 2008 16:36:58
Records in database: 1169408
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
P:\
U:\
X:\
Y:\

Scan statistics:
Files scanned: 69739
Threat name: 7
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 01:20:39

File name / Threat name / Threats count
C:\Program Files\Orl\VNC\WinVNC.exe/C:\Program Files\Orl\VNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\Orl\VNC\othread2.dll/C:\Program Files\Orl\VNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Documents and Settings\reginaj\My Documents\Enterprise32V6\Code39\smart-keystroke-recorder-setup.exe Infected: not-a-virus:Monitor.Win32.SKRecorder.a 2
C:\Documents and Settings\reginaj\Yugma\lib\DskHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\reginaj\Yugma\lib\YugmaPlugin.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1360 1
C:\Program Files\Orl\VNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\Orl\VNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\oduxftw.sy s.vir Infected: Trojan-Clicker.Win32.VB.brv 1
C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7G7GT75T\msblk[1].bin Infected: Trojan-Downloader.Win32.Delf.mxf 1
C:\WINDOWS\system32\msmbsr.exe Infected: Trojan-Downloader.Win32.Delf.mxf 1

The selected area was scanned.

****************************
________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53, on 2008-08-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CA_LIC\lic98rmt.exe
C:\infoUSA\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\Hummbird\inetd32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\CA_LIC\LogWatNT.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Orl\VNC\WinVNC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Dell\Dell Mobile Broadband\DMBCU.exe
C:\PROGRA~1\Dell\DELLMO~1\Phoenix.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edition.cnn.com/US/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\s wg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\Orl\VNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: drives.bat
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: infoUSA VPN Client.lnk = C:\infoUSA\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.bmc (HKLM)
O15 - Trusted Zone: http://*.goober (HKLM)
O15 - ESC Trusted Zone: http://www.wise.com
O15 - ESC Trusted Zone: http://www.wise.com (HKLM)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.infousa.com
O17 - HKLM\Software\..\Telephony: DomainName = intra.infousa.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{71A227E0-18EA-490C-9AB6-28F1FE4165FC}: NameServer = 66.174.95.44 66.174.92.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.infousa.com
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\lic98rmtd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\infoUSA\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\system32\Hummbird\inetd32.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Windows All Device Management Services (msjetwod) - Unknown owner - C:\WINDOWS\system32\msjetwo.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinVNC - RealVNC Ltd. - C:\Program Files\Orl\VNC\WinVNC.exe

--
End of file - 9253 bytes

cohen · 08-31-2008, 02:44 AM

OK,

well there are a few things that are infected there and will need to be cleared up, so i'll leave that to ceewi1.

Ceewi1 will post further instructions to clear up the problem.

Cheers for now.

Runningonempty · 08-31-2008, 11:29 PM

Okay. Thank you for your assistance. I'll await the next reply.

**ceewi1** · 09-01-2008, 12:48 PM

Do you recognise and trust the sites in the following entries?:
O15 - Trusted Zone: http://*.bmc (HKLM)
O15 - Trusted Zone: http://*.goober (HKLM)
O15 - ESC Trusted Zone: http://www.wise.com
O15 - ESC Trusted Zone: http://www.wise.com (HKLM)

If not, please run HijackThis place a check next to those entries and click on Fix checked.

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
```
File::
C:\WINDOWS\system32\msjetwo.exe
C:\WINDOWS\system32\msmbsr.exe

Driver::
msjetwod
vsinstdv
```
Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.

CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please click on Start -> Run. Type the following command and click OK:
notepad "%userprofile%/Start Menu/Programs/Startup/drives.bat"

This should open up a Notepad window, please copy and past the contents into your next reply.

Please post

The ComboFix log
The Notepad document produced by running the above command
A new HijackThis log
An update on how your system is running now

Runningonempty · 09-03-2008, 05:46 PM

The "drives.bat" is a personal batch file to map network drives that will override the login script drive settings. I have attached the files requested. So far things look better.

Based on the filenames that were part of this virus do you think that any personal info from the PC was at risk?

**ceewi1** · 09-04-2008, 01:26 PM

Great, please also delete this file if it exists:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7G7GT75T\msblk[1].bin

I think it unlikely that these infections pose a threat to your personal info. I assume that you installed WinVNC yourself, it is a perfectly legitimate program, but if installed by someone else without your consent could allow them to access your files. There also appears to be the setup file for a keylogger on your computer: C:\Documents and Settings\reginaj\My Documents\Enterprise32V6\Code39\smart-keystroke-recorder-setup.exe. It does not appear to be installed, but if installed without your permission could compromise any personal information you enter.

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure are looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.

Runningonempty · 09-04-2008, 04:17 PM

Thank you x3. Everything works great now. FireFox is now installed and I am putting the rest of your advice into action as I type.

08-29-2008, 08:55 PM	#1 (permalink)
Runningonempty New Member Join Date: Aug 2008 Posts: 4	msmbsr.exe, wsldoekd.exe and others I've picked up a virus that executes several exe files: afisicx.exe, macidwe.exe, noxtcyr.exe, roxtctm.exe, sobicyt.exe, tdxdowkc.exe and wsldoekd.exe from what I can tell. I have tried to clean these out, killing the services and removing from the registry but they keep coming back. I actually watched them install and was able to grab an install.txt file from one of them. I'm just so-so with my technical skills and need some help. Thanks! --------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:39, on 2008-08-29 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\CA_LIC\lic98rmt.exe C:\infoUSA\VPN Client\cvpnd.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\Hummbird\inetd32.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\CA_LIC\LogWatNT.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\StacSV.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Orl\VNC\WinVNC.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RunDLL32.exe C:\WINDOWS\stsystra.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Dell\Dell Mobile Broadband\systray.exe C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\sotpeca.exe C:\WINDOWS\system32\dllhost.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edition.cnn.com/US/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\s wg.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\Orl\VNC\winvnc.exe" -servicehelper O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: drives.bat O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: infoUSA VPN Client.lnk = C:\infoUSA\VPN Client\vpngui.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://.bmc (HKLM) O15 - Trusted Zone: http://.goober (HKLM) O15 - ESC Trusted Zone: http://www.wise.com O15 - ESC Trusted Zone: http://www.wise.com (HKLM) O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.infousa.com O17 - HKLM\Software\..\Telephony: DomainName = intra.infousa.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.infousa.com O23 - Service: afisicx Corporation inc. (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\lic98rmt.exe O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\lic98rmtd.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\infoUSA\VPN Client\cvpnd.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\system32\Hummbird\inetd32.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe O23 - Service: macidwe Event propagation service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: Windows All Device Management Services (msjetwod) - Unknown owner - C:\WINDOWS\system32\msjetwo.exe O23 - Service: noxtcyr Manages messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe O23 - Service: roxtctm Portable Media Serial Service (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe O23 - Service: sotpeca Portable Media Serial Service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: tdxdowkc Event propagation service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WinVNC - RealVNC Ltd. - C:\Program Files\Orl\VNC\WinVNC.exe O23 - Service: wsldoekd Event propagation service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe -- End of file - 9656 bytes ------------------- ComboFix 08-08-28.06 - ReginaJ 2008-08-29 10:57:45.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1307 [GMT -5:00] Running from: C:\Documents and Settings\reginaj\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\#SharedObjects\AVMFQ9H2\bin.clearspring.com C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\#SharedObjects\AVMFQ9H2\bin.clearspring.com \clearspring.sol C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\#SharedObjects\AVMFQ9H2\interclick.com C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\#SharedObjects\AVMFQ9H2\interclick.com\ud.s ol C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin .clearspring.com C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin .clearspring.com\settings.sol C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#int erclick.com C:\Documents and Settings\reginaj\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#int erclick.com\settings.sol C:\Documents and Settings\reginaj\Cookies\reginaj@146.145.204[1].txt C:\WINDOWS\Install.txt C:\WINDOWS\system32\atsxyzd.sys C:\WINDOWS\system32\Cache C:\WINDOWS\system32\comsa32.sys C:\WINDOWS\system32\oduxftw.sys C:\WINDOWS\system32\rtl60.bpl ----- BITS: Possible infected sites ----- http://wsus . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_AFISICX -------\Legacy_MACIDWE -------\Legacy_NOXTCYR -------\Legacy_ROXTCTM -------\Legacy_SOBICYT -------\Legacy_TDXDOWKC -------\Legacy_WSLDOEKD ((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 ))))))))))))))))))))))))))))))) . 2008-08-29 11:04 . 2008-08-29 11:04 104 --a------ C:\WINDOWS\system32\NvApps.xml 2008-08-28 15:52 . 2008-08-28 16:14 <DIR> d-------- C:\HijackThis 2008-08-27 08:15 . 2008-08-27 08:15 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData 2008-08-22 00:43 . 2008-08-22 00:43 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2008-08-22 00:26 . 2008-08-25 15:14 <DIR> d-------- C:\quarantine 2008-08-20 12:01 . 2008-08-20 12:01 56,912 --a------ C:\Documents and Settings\reginaj\g2mdlhlpx.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-08-29 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-08-20 17:01 --------- d-----w C:\Program Files\Citrix 2008-08-19 21:28 --------- d-----w C:\Documents and Settings\reginaj\Application Data\FileZilla 2008-07-15 20:50 --------- d-----w C:\Documents and Settings\reginaj\Application Data\AdobeUM 2008-07-09 21:05 --------- d-----w C:\Program Files\Ultimate Technographics 2008-07-09 20:21 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-07-09 20:06 --------- d-----w C:\Program Files\DemoForge 2008-07-09 20:05 93,057,827 ----a-w C:\Impostrip_Card_Stacker_1.2.zip 2008-07-09 18:46 --------- d-----w C:\Documents and Settings\reginaj\Application Data\PACE Anti-Piracy 2008-07-09 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy 2008-07-09 18:45 --------- d-----w C:\Program Files\Common Files\PACE Anti-Piracy 2008-07-09 18:22 --------- d-----w C:\Program Files\InterLok 2008-07-09 18:21 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys 2008-05-29 19:12 15,096 ----a-w C:\Documents and Settings\reginaj\Start Menu.zip 2008-02-27 17:15 1,723,432 ----a-w C:\Documents and Settings\All Users\Application Data\Yugma-Uninstaller.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 16:10 851968] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-02-22 05:46 13508608] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "systray"="C:\Program Files\Dell\Dell Mobile Broadband\systray.exe" [2008-03-05 14:14 331851] "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 15:06 136512] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 08:00 98304] "WinVNC"="C:\Program Files\Orl\VNC\winvnc.exe" [2003-03-05 14:49 335872] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152] "PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 17:23 118784] "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 09:00 1116920] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\I SUSPM.exe" [2004-07-27 16:50 221184] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-06-10 21:27 413696] "nwiz"="nwiz.exe" [2008-02-22 05:46 1626112 C:\WINDOWS\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2008-02-22 05:46 86016 C:\WINDOWS\system32\nvhotkey.dll] "NvMediaCenter"="NvMCTray.dll" [2008-02-22 05:46 86016 C:\WINDOWS\system32\nvmctray.dll] "SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 15:26 303104 C:\WINDOWS\stsystra.exe] C:\Documents and Settings\reginaj\Start Menu\Programs\Startup\ drives.bat [2008-06-23 08:56:40 91] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193] Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-05-08 19:07:37 110592] Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-12 09:02:01 124400] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472] infoUSA VPN Client.lnk - C:\infoUSA\VPN Client\vpngui.exe [2008-05-08 16:10:00 1426424] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer] "NoDesktopCleanupWizard"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "SENTINEL"= snti386.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\group policy\state\S-1-5-21-3658379808-1708799015-1379952707-29693\Scripts\Logon\0\0] "Script"=\\Wile\NETLOGON\ULite\ULite33 App.vbs [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLAR TL_M.SYS [2006-08-11 10:35] R2 CA_LIC_CLNT;CA License Client;C:\CA_LIC\lic98rmt.exe [2003-10-12 10:20] R2 LogWatch;Event Log Watch;C:\CA_LIC\LogWatNT.exe [2002-09-20 07:29] R3 dfmirage;dfmirage;C:\WINDOWS\system32\DRIVERS\dfmi rage.sys [2005-11-25 17:43] R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.s ys [2007-11-19 17:01] R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;C:\WINDOWS\system32\DRIVERS\nwdelmdm.sys [2007-11-02 15:41] R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwdelser.sys [2007-11-02 15:41] S2 msjetwod;Windows All Device Management Services;C:\WINDOWS\system32\msjetwo.exe [2004-08-04 00:56] S3 CA_LIC_SRVR;CA License Server;C:\CA_LIC\lic98rmtd.exe [2003-04-07 06:45] S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-06-14 14:57] S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 05:45] S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 05:45] S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 05:45] S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 19:30] S3 vsinstdv;vsinstdv;C:\DOCUME~1\reginaj\LOCALS~1\Tem p\{61B245E9-100A-46E9-8760-31EBEC18F586}\vsinstdv.sys [] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://edition.cnn.com/US/ O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 . ************************************************ ******************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-29 11:04:30 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************** ******************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\CSGina.dll . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\scardsvr.exe C:\infoUSA\VPN Client\cvpnd.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\Hummbird\inetd32.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\oracle\product\10.2.0\client_1\BIN\omtsreco.exe C:\Program Files\McAfee\Common Framework\naPrdMgr.exe C:\WINDOWS\system32\stacsv.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\McAfee\Common Framework\Mctray.exe C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe . ********************************************** ********************** . Completion time: 2008-08-29 11:10:36 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-29 16:10:32 Pre-Run: 95,414,767,616 bytes free Post-Run: 95,680,667,648 bytes free 177 --- E O F --- 2008-08-23 07:06:35 I reran combofix and the exe's were back again!

08-30-2008, 08:24 AM	#2 (permalink)
cohen Diamond Member Join Date: Jan 2008 Location: Melbourne, Australia Age: 15 Posts: 8,361	OK, well combo fix did a few deletions. Please do a scan with Kaspersky Online Scanner Click on the Accept button and install any components it needs. The program will install and then begin downloading the latest definition files. After the files have been downloaded on the left side of the page in the Scan section select My Computer. This will start the program and scan your system. The scan will take a while, so be patient and let it run. Once the scan is complete, click on View scan report Now, click on the Save Report as button. In the drop down box labeled Files of type change the type to Text file. Save the file to your desktop. Copy and paste that information in your next post. also post a fresh hijackthis log Thanks, __________________ Cohen

08-31-2008, 02:44 AM	#4 (permalink)
cohen Diamond Member Join Date: Jan 2008 Location: Melbourne, Australia Age: 15 Posts: 8,361	OK, well there are a few things that are infected there and will need to be cleared up, so i'll leave that to ceewi1. Ceewi1 will post further instructions to clear up the problem. Cheers for now. __________________ Cohen

09-01-2008, 12:48 PM	#6 (permalink)
ceewi1 Moderator Join Date: Dec 2005 Location: Melbourne, Australia Age: 22 Posts: 5,418	Do you recognise and trust the sites in the following entries?: O15 - Trusted Zone: http://.bmc (HKLM) O15 - Trusted Zone: http://.goober (HKLM) O15 - ESC Trusted Zone: http://www.wise.com O15 - ESC Trusted Zone: http://www.wise.com (HKLM) If not, please run HijackThis place a check next to those entries and click on Fix checked. Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: Code: File:: C:\WINDOWS\system32\msjetwo.exe C:\WINDOWS\system32\msmbsr.exe Driver:: msjetwod vsinstdv Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log. CAUTION: Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running. Please click on Start -> Run. Type the following command and click OK: notepad "%userprofile%/Start Menu/Programs/Startup/drives.bat" This should open up a Notepad window, please copy and past the contents into your next reply. Please post The ComboFix log The Notepad document produced by running the above command A new HijackThis log An update on how your system is running now __________________ CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. Useful PSU Guides

09-04-2008, 01:26 PM	#8 (permalink)
ceewi1 Moderator Join Date: Dec 2005 Location: Melbourne, Australia Age: 22 Posts: 5,418	Great, please also delete this file if it exists: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7G7GT75T\msblk[1].bin I think it unlikely that these infections pose a threat to your personal info. I assume that you installed WinVNC yourself, it is a perfectly legitimate program, but if installed by someone else without your consent could allow them to access your files. There also appears to be the setup file for a keylogger on your computer: C:\Documents and Settings\reginaj\My Documents\Enterprise32V6\Code39\smart-keystroke-recorder-setup.exe. It does not appear to be installed, but if installed without your permission could compromise any personal information you enter. Below I have included some ideas on how to prevent future infections. Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer. Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure. As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program. Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs: Spybot-Search & Destroy A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running. SpywareBlaster A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here. SpywareGuard A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here. If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites. Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them. Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure are looking for anti-spyware programs, you can find out if it is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option. If you are interested, Firefox may be downloaded from here Opera is available here: http://www.opera.com/download/ Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. __________________ CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs. Useful PSU Guides

08-30-2008, 09:00 PM	#3 (permalink)
Runningonempty New Member Join Date: Aug 2008 Posts: 4	The exe's re-installed again so I re-ran ComboFix. -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Saturday, August 30, 2008 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Saturday, August 30, 2008 16:36:58 Records in database: 1169408 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ P:\ U:\ X:\ Y:\ Scan statistics: Files scanned: 69739 Threat name: 7 Infected objects: 14 Suspicious objects: 0 Duration of the scan: 01:20:39 File name / Threat name / Threats count C:\Program Files\Orl\VNC\WinVNC.exe/C:\Program Files\Orl\VNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1 C:\Program Files\Orl\VNC\othread2.dll/C:\Program Files\Orl\VNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1 C:\Documents and Settings\reginaj\My Documents\Enterprise32V6\Code39\smart-keystroke-recorder-setup.exe Infected: not-a-virus:Monitor.Win32.SKRecorder.a 2 C:\Documents and Settings\reginaj\Yugma\lib\DskHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1 C:\Documents and Settings\reginaj\Yugma\lib\YugmaPlugin.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1360 1 C:\Program Files\Orl\VNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1 C:\Program Files\Orl\VNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1 C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1 C:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1 C:\QooBox\Quarantine\C\WINDOWS\system32\oduxftw.sy s.vir Infected: Trojan-Clicker.Win32.VB.brv 1 C:\WINDOWS\system32\cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows 1 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7G7GT75T\msblk[1].bin Infected: Trojan-Downloader.Win32.Delf.mxf 1 C:\WINDOWS\system32\msmbsr.exe Infected: Trojan-Downloader.Win32.Delf.mxf 1 The selected area was scanned. **************************** ________________________________ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:53, on 2008-08-30 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\CA_LIC\lic98rmt.exe C:\infoUSA\VPN Client\cvpnd.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\Hummbird\inetd32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\CA_LIC\LogWatNT.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\StacSV.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Orl\VNC\WinVNC.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\RunDLL32.exe C:\WINDOWS\stsystra.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Dell\Dell Mobile Broadband\systray.exe C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Dell\Dell Mobile Broadband\DMBCU.exe C:\PROGRA~1\Dell\DELLMO~1\Phoenix.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\internet explorer\iexplore.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edition.cnn.com/US/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\s wg.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\Orl\VNC\winvnc.exe" -servicehelper O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: drives.bat O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: infoUSA VPN Client.lnk = C:\infoUSA\VPN Client\vpngui.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://.bmc (HKLM) O15 - Trusted Zone: http://.goober (HKLM) O15 - ESC Trusted Zone: http://www.wise.com O15 - ESC Trusted Zone: http://www.wise.com (HKLM) O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.infousa.com O17 - HKLM\Software\..\Telephony: DomainName = intra.infousa.com O17 - HKLM\System\CCS\Services\Tcpip\..\{71A227E0-18EA-490C-9AB6-28F1FE4165FC}: NameServer = 66.174.95.44 66.174.92.14 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.infousa.com O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\CA_LIC\lic98rmt.exe O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\CA_LIC\lic98rmtd.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\infoUSA\VPN Client\cvpnd.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\system32\Hummbird\inetd32.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: Windows All Device Management Services (msjetwod) - Unknown owner - C:\WINDOWS\system32\msjetwo.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WinVNC - RealVNC Ltd. - C:\Program Files\Orl\VNC\WinVNC.exe -- End of file - 9253 bytes

08-31-2008, 11:29 PM	#5 (permalink)
Runningonempty New Member Join Date: Aug 2008 Posts: 4	Okay. Thank you for your assistance. I'll await the next reply.

09-04-2008, 04:17 PM	#9 (permalink)
Runningonempty New Member Join Date: Aug 2008 Posts: 4	Thank you x3. Everything works great now. FireFox is now installed and I am putting the rest of your advice into action as I type.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode