mrtcombo Posted December 20, 2007

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:35:21 PM, on 12/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\winshow.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {180FBB4F-7847-425D-B906-ADF1352831C0} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: IDXHlprObj Class - {31816979-F864-4acf-919F-D0B3B56432E6} - C:\Program Files\IDX Systems Corporation\Web Framework\IDXIEController.dll
O2 - BHO: (no name) - {37981273-8007-4055-8DF9-DE13EAE88A88} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54277d5b-4957-44b7-a628-2dd962604b33} - C:\WINDOWS\system32\uffnfdi.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\ddcaxyw.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\costtygd.dll (file missing)
O2 - BHO: (no name) - {8DC2D87A-98BA-4FEB-BAAE-ED56F8CC5BA5} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\mljkjji.dll (file missing)
O2 - BHO: (no name) - {8EB3A352-9A4E-4E65-902E-13282950ABBC} - \
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinkndq.exe SKY009
O4 - HKLM\..\Run: [80c4677c] rundll32.exe "C:\WINDOWS\system32\ktomypkd.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com ad=http://spyguardpro.com sd=http://ykeeper.spyguardpro.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\SpyGuardPro\ptask.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D0680E-E927-11D3-B34E-00C04FAC4E43} (IDXssl Class) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/idxssl.cab
O16 - DPF: {9192D4F0-C65C-43C9-9160-D0DA5F9934B8} (Flowcast LDAP Class) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/FlowcastLDAP.cab
O16 - DPF: {B50B4ECE-666C-11D1-8DB2-000000000000} (IDX TermWin Control) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/icw.CAB
O16 - DPF: {C0FFB157-3B62-477B-8DEA-203247B88C04} (IDXcsvr Control Class) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/idxcsvr.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://idxweb.upi.umaryland.edu/idxweb/IDX.../IDXBrowser.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = masbilling.com
O17 - HKLM\Software\..\Telephony: DomainName = masbilling.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB5BB10E-3405-4EC0-A0BB-72D6B32BE617}: NameServer = 10.80.10.11,134.192.240.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = masbilling.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = upi.umaryland.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = upi.umaryland.edu
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\sQusi\SQUSIT~1\sQusi20Stb.dll
O20 - Winlogon Notify: ddcaxyw - ddcaxyw.dll (file missing)
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll (file missing)
O20 - Winlogon Notify: mljkjji - mljkjji.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 11682 bytes
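An added example, not part of mrtcombo's post or of HijackThis: a short Python triage pass over entries in the format above. It flags the classes of entry a log helper reads first: a UserInit chain with anything other than userinit.exe in it (F2), orphaned or unnamed system32 BHOs (O2), Run values with random-looking names or rundll32 DLL loads (O4), Task Manager disabled by policy (O7), and AppInit_DLLs or Winlogon Notify packages (O20). The sample lines are copied from the log above; the severity labels and the random-name heuristic are my own choices, not anything HijackThis computes.

```python
import re
from collections import Counter

# Sample entries copied from the HijackThis log above (one entry per line, as
# HijackThis itself writes them). The Acrobat BHO, igfxTray and NOD32 lines are
# ordinary entries and should produce no finding.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {180FBB4F-7847-425D-B906-ADF1352831C0} - C:\WINDOWS\system32\jkkjk.dll (file missing)",
    r"O2 - BHO: (no name) - {54277d5b-4957-44b7-a628-2dd962604b33} - C:\WINDOWS\system32\uffnfdi.dll",
    # a raw string cannot end in a lone backslash, so this entry is built in two parts
    r"O2 - BHO: (no name) - {8EB3A352-9A4E-4E65-902E-13282950ABBC} - " + "\\",
    r"O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)",
    r"O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [80c4677c] rundll32.exe "C:\WINDOWS\system32\ktomypkd.dll",b',
    r"O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1",
    r"O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\sQusi\SQUSIT~1\sQusi20Stb.dll",
    r"O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll (file missing)",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe",
]

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_VALUE_RE = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)")
HEX_NAME_RE = re.compile(r"[0-9a-f]{8}")                          # e.g. 80c4677c
MIXED_NAME_RE = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}")   # e.g. io43mvuiw4kj


def _is_orphan(path):
    # HijackThis marks a registration whose file is gone in one of these ways.
    return path in ("(no file)", "\\") or path.endswith("(file missing)")


def _looks_random(name):
    # Heuristic, not a rule: vendors use readable Run value names.
    return bool(HEX_NAME_RE.fullmatch(name) or MIXED_NAME_RE.fullmatch(name))


def triage_line(line):
    """Return a list of (severity, section, detail) findings for one log entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    findings = []

    if sec == "F2" and "UserInit=" in body:
        # Only userinit.exe belongs here; anything chained in front of it runs
        # at every logon, before the shell, under the logging-on user.
        value = body.split("UserInit=", 1)[1]
        exes = [p.strip().rsplit("\\", 1)[-1].lower() for p in value.split(",") if p.strip()]
        if exes != ["userinit.exe"]:
            findings.append(("high", sec, "UserInit chain altered: " + value))

    elif sec == "O2" and body.startswith("BHO: "):
        parts = body[5:].split(" - ", 2)       # name - {CLSID} - path
        if len(parts) == 3:
            name, _clsid, path = parts
            if _is_orphan(path):
                findings.append(("medium", sec, "orphaned BHO registration: " + path))
            elif name == "(no name)" and "\\system32\\" in path.lower():
                findings.append(("high", sec, "unnamed BHO loaded from system32: " + path))

    elif sec == "O4":
        m4 = RUN_VALUE_RE.search(body)
        if m4:
            name, cmd = m4.group("name"), m4.group("cmd")
            if _looks_random(name):
                findings.append(("high", sec, "random-looking Run value name: " + name))
            if cmd.lower().startswith("rundll32"):
                findings.append(("review", sec, "Run value loads a DLL via rundll32: " + cmd))

    elif sec == "O7" and re.search(r"Disable(TaskMgr|Regedit|CMD)=1", body):
        findings.append(("high", sec, "admin tool disabled by policy: " + body))

    elif sec == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            findings.append(("review", sec, "AppInit_DLLs: " + body.split(":", 1)[1].strip()))
        elif body.startswith("Winlogon Notify:"):
            sev = "high" if body.endswith("(file missing)") else "review"
            findings.append((sev, sec, "Winlogon Notify package: " + body.split(":", 1)[1].strip()))

    return findings


def triage(lines):
    """Run every entry through triage_line and return all findings in log order."""
    findings = []
    for line in lines:
        findings.extend(triage_line(line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(sev for sev, _, _ in findings)


if __name__ == "__main__":
    for sev, sec, detail in triage(SAMPLE_LOG):
        print(f"{sev:<6} {sec:<4} {detail}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

The name heuristic is deliberately narrow (all-hex, or lower-case letters and digits mixed over ten or more characters) so that short legitimate names such as hkcmd or ctfmon are not flagged; a fuller triage would add an allowlist of known-good paths and check that each loaded file still exists on disk.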
sarahw Posted December 20, 2007

Hi,

Welcome to the site.

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time. Please don't use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition than it is when infected) if used incorrectly.

These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.
sarahw Posted December 20, 2007

Hi,

Your computer is very infected.

1. Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

2. Please download Deckard's System Scanner (DSS) and save it to your Desktop.
Close all other windows before proceeding. Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
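An added example, not part of sarahw's instructions or of DSS: once DSS has produced main.txt, its "Files created" section (mrtcombo pastes it further down the thread) reads as a timeline. The Python below parses those lines, groups creations that fall within a short window of each other into bursts, counts how many of each burst landed directly in C:\WINDOWS, and lists files carrying both the hidden and system attributes. The sample lines are copied from that output; the 180-second window and the five-file threshold are my own choices.

```python
import re
from datetime import datetime

# Sample lines copied from the DSS "Files created" section posted later in this
# thread, in DSS's own format: timestamp, size, attribute flags, path, and an
# optional "<Not Verified; ...>" tail. The section header is included to show
# that non-matching lines are skipped.
DSS_FILES_CREATED = r"""
-- Files created between 2007-11-21 and 2007-12-21 -----------------------------

2007-12-21 08:27:17 0 d------c- C:\VundoFix Backups
2007-12-21 08:25:16 30976 --a------ C:\WINDOWS\wbeCheck.exe
2007-12-21 08:23:08 11520 --a------ C:\WINDOWS\system32\msole32.exe
2007-12-21 08:22:02 18944 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-12-21 08:20:57 30720 --a------ C:\WINDOWS\764.exe
2007-12-21 08:19:53 11264 --a------ C:\WINDOWS\7search.dll
2007-12-21 08:18:48 0 d-------- C:\Program Files\3721
2007-12-20 10:24:31 436066 ---hs---- C:\WINDOWS\system32\kjkkj.bak2
2007-12-20 09:06:31 0 d-------- C:\Program Files\DellSupport
2007-12-20 08:37:31 6522 --ahs---- C:\WINDOWS\system32\kjkkj.bak1
2007-12-19 12:12:23 30208 --a------ C:\WINDOWS\eventlowg.dll
2007-12-19 12:12:20 17152 --a------ C:\WINDOWS\xadbrk.exe
2007-12-19 12:12:19 18944 --a------ C:\WINDOWS\kkcomp.exe
2007-12-19 12:12:11 16640 --a------ C:\WINDOWS\system32\ESHOPEE.exe
2007-12-19 12:12:04 19712 --a------ C:\WINDOWS\hotporn.exe
2007-12-19 12:12:03 0 d-------- C:\Program Files\p2pnetworks
2007-12-19 12:11:58 8448 --a------ C:\WINDOWS\flt.dll
2007-12-19 11:20:40 108551 --a------ C:\WINDOWS\system32\lpcywinp.exe <Not Verified; Microsoft; _>
2007-12-19 11:18:04 36352 --a------ C:\WINDOWS\winshow.exe <Not Verified; ; winshow>
2007-12-07 08:48:38 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-26 09:32:56 0 d-------- C:\Documents and Settings\LocalService\My Documents
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+"
    r"(?P<flags>[drahsc-]{9})\s+(?P<path>.*)$"
)


def parse_dss_created(text):
    """Parse DSS 'Files created' lines into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # headers, blank lines
        path = re.sub(r"\s*<[^>]*>$", "", m.group("path"))   # drop the <Not Verified; ...> tail
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "size": int(m.group("size")),
            "flags": m.group("flags"),
            "path": path,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def find_bursts(records, window_seconds=180, min_files=5):
    """Group consecutive creations whose gap is <= window; keep groups of >= min_files."""
    bursts, current = [], []
    for rec in records:
        if current and (rec["ts"] - current[-1]["ts"]).total_seconds() > window_seconds:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append(rec)
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


def in_windows_root(path):
    # True for files dropped directly into the Windows directory, not a subfolder.
    return path.lower().rsplit("\\", 1)[0] == r"c:\windows"


def burst_summary(burst):
    """Start, end, file count and how many files sit directly in C:\\WINDOWS."""
    return {
        "start": burst[0]["ts"].strftime("%Y-%m-%d %H:%M:%S"),
        "end": burst[-1]["ts"].strftime("%Y-%m-%d %H:%M:%S"),
        "files": len(burst),
        "in_windows_root": sum(in_windows_root(r["path"]) for r in burst),
    }


def hidden_system_files(records):
    """Paths carrying both the hidden (h) and system (s) attributes."""
    return [r["path"] for r in records if "h" in r["flags"] and "s" in r["flags"]]


if __name__ == "__main__":
    recs = parse_dss_created(DSS_FILES_CREATED)
    for burst in find_bursts(recs):
        print(burst_summary(burst))
    print(hidden_system_files(recs))
```

On this sample the two bursts are the 2007-12-19 12:11:58 to 12:12:23 run (seven files in 25 seconds, five of them dropped straight into C:\WINDOWS) and the 2007-12-21 08:18 to 08:27 run that was still going on while the log was being prepared. The hidden+system files kjkkj.bak1 and kjkkj.bak2 deserve a second look beside the O2 entries in the HijackThis log: "kjkkj" is "jkkjk" reversed, just as "vyadd" in the Find3M section is "ddayv" reversed.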
mrtcombo Posted December 21, 2007

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-12-21 08:50:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-12-21 13:50:50 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-21 08:52:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\DLA\DLACTRLW.EXE
C:\WINDOWS\winshow.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/hws/sb/dell/en/side....amp;client=dell
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell/en/side....amp;client=dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&client=dell
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {180FBB4F-7847-425D-B906-ADF1352831C0} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: IDXHlprObj Class - {31816979-F864-4acf-919F-D0B3B56432E6} - C:\Program Files\IDX Systems Corporation\Web Framework\IDXIEController.DLL
O2 - BHO: (no name) - {37981273-8007-4055-8DF9-DE13EAE88A88} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {54277d5b-4957-44b7-a628-2dd962604b33} - C:\WINDOWS\system32\uffnfdi.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\ddcaxyw.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: (no name) - {8DC2D87A-98BA-4FEB-BAAE-ED56F8CC5BA5} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: (no name) - {8EB3A352-9A4E-4E65-902E-13282950ABBC} - \
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinkndq.exe SKY009
O4 - HKLM\..\Run: [80c4677c] rundll32.exe "C:\WINDOWS\system32\ktomypkd.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D0680E-E927-11D3-B34E-00C04FAC4E43} (IDXssl Class) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/idxssl.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {9192D4F0-C65C-43C9-9160-D0DA5F9934B8} (Flowcast LDAP Class) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/FlowcastLDAP.cab
O16 - DPF: {B50B4ECE-666C-11D1-8DB2-000000000000} (IDX TermWin Control) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/icw.CAB
O16 - DPF: {C0FFB157-3B62-477B-8DEA-203247B88C04} (IDXcsvr Control Class) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/idxcsvr.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://idxweb.upi.umaryland.edu/idxweb/IDX.../IDXBrowser.cab
O17 - HKLM\Software\..\Telephony: DomainName = masbilling.com
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{AB5BB10E-3405-4EC0-A0BB-72D6B32BE617}: NameServer = 10.80.10.11,134.192.240.10
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = masbilling.com
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: SearchList = upi.umaryland.edu
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = masbilling.com
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: SearchList = upi.umaryland.edu
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\sQusi\SQUSIT~1\sQusi20Stb.dll
O20 - Winlogon Notify: ddcaxyw - C:\WINDOWS\system32\ddcaxyw.dll (file missing)
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll (file missing)
O20 - Winlogon Notify: mljkjji - C:\WINDOWS\system32\mljkjji.dll (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe

--
End of file - 11307 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys (file missing)
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LogWatch (Event Log Watch) - c:\windows\logwatnt.exe
S3 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-14 18:30:00 358 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (STAT301-luensmanm).job

-- Files created between 2007-11-21 and 2007-12-21 -----------------------------

2007-12-21 08:27:17 0 d------c- C:\VundoFix Backups
2007-12-21 08:25:16 30976 --a------ C:\WINDOWS\wbeCheck.exe
2007-12-21 08:23:08 11520 --a------ C:\WINDOWS\system32\msole32.exe
2007-12-21 08:23:06 13824 --a------ C:\WINDOWS\system32\wml.exe
2007-12-21 08:22:03 8704 --a------ C:\WINDOWS\system32\ace16win.dll
2007-12-21 08:22:02 18944 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-12-21 08:20:57 30720 --a------ C:\WINDOWS\764.exe
2007-12-21 08:19:53 11264 --a------ C:\WINDOWS\7search.dll
2007-12-21 08:18:51 8704 --a------ C:\WINDOWS\iexplorr23.dll
2007-12-21 08:18:48 0 d-------- C:\Program Files\3721
2007-12-21 08:17:45 0 d-------- C:\Program Files\Accoona
2007-12-20 15:51:00 20992 --a------ C:\WINDOWS\settn.dll
2007-12-20 15:51:00 13568 --a------ C:\WINDOWS\pbsysie.dll
2007-12-20 15:49:56 10496 --a------ C:\WINDOWS\kvnab.exe
2007-12-20 15:49:56 10752 --a------ C:\WINDOWS\kvnab$.exe
2007-12-20 15:49:56 28160 --a------ C:\WINDOWS\hcwprn.exe
2007-12-20 15:49:55 18432 --a------ C:\WINDOWS\wbeInst$.exe
2007-12-20 14:53:24 17408 --a------ C:\WINDOWS\pbar.dll
2007-12-20 14:52:21 28928 --a------ C:\WINDOWS\wml.exe
2007-12-20 14:52:21 9216 --a------ C:\WINDOWS\vxddsk.exe
2007-12-20 14:51:19 16640 --a------ C:\WINDOWS\kvnab.dll
2007-12-20 14:18:41 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-20 11:08:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-20 10:24:31 436066 ---hs---- C:\WINDOWS\system32\kjkkj.bak2
2007-12-20 09:06:31 0 d-------- C:\Program Files\DellSupport
2007-12-20 08:58:24 0 d------c- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-12-20 08:58:05 0 d------c- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-12-20 08:37:31 6522 --ahs---- C:\WINDOWS\system32\kjkkj.bak1
2007-12-20 08:24:10 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-12-19 12:27:46 0 d-------- C:\Program Files\QdrPack
2007-12-19 12:27:46 0 d-------- C:\Program Files\QdrDrive
2007-12-19 12:27:45 0 d-------- C:\Program Files\ISM
2007-12-19 12:16:39 438528 --ahs---- C:\WINDOWS\system32\lnnmp.bak1
2007-12-19 12:14:15 0 d--hs--c- C:\SpyGuardPro
2007-12-19 12:13:50 0 d-------- C:\Documents and Settings\browne\Application Data\SpyGuardPro
2007-12-19 12:13:43 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2007-12-19 12:13:35 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-12-19 12:12:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-19 12:12:23 30208 --a------ C:\WINDOWS\eventlowg.dll
2007-12-19 12:12:23 10240 --a------ C:\WINDOWS\daxtime.dll
2007-12-19 12:12:21 26112 --a------ C:\WINDOWS\liqui.dll
2007-12-19 12:12:20 28928 --a------ C:\WINDOWS\xadbrk_.exe
2007-12-19 12:12:20 17152 --a------ C:\WINDOWS\xadbrk.exe
2007-12-19 12:12:20 18176 --a------ C:\WINDOWS\xadbrk.dll
2007-12-19 12:12:20 26880 --a------ C:\WINDOWS\liqui-Uninstaller.exe
2007-12-19 12:12:20 13824 --a------ C:\WINDOWS\liqui.exe
2007-12-19 12:12:20 11264 --a------ C:\WINDOWS\fhfmm-Uninstaller.exe
2007-12-19 12:12:20 25856 --a------ C:\WINDOWS\fhfmm.exe
2007-12-19 12:12:19 19968 --a------ C:\WINDOWS\liqad.dll
2007-12-19 12:12:19 18944 --a------ C:\WINDOWS\kkcomp.exe
2007-12-19 12:12:19 26368 --a------ C:\WINDOWS\kkcomp.dll
2007-12-19 12:12:19 25344 --a------ C:\WINDOWS\kkcomp$.exe
2007-12-19 12:12:18 15104 --a------ C:\WINDOWS\liqad.exe
2007-12-19 12:12:18 29184 --a------ C:\WINDOWS\liqad$.exe
2007-12-19 12:12:17 22272 --a------ C:\WINDOWS\cbinst$.exe
2007-12-19 12:12:13 12544 --a------ C:\WINDOWS\adbar.dll
2007-12-19 12:12:12 20224 --a------ C:\WINDOWS\spredirect.dll
2007-12-19 12:12:12 32768 --a------ C:\WINDOWS\jd2002.dll
2007-12-19 12:12:11 16640 --a------ C:\WINDOWS\system32\ESHOPEE.exe
2007-12-19 12:12:11 0 d-------- C:\Program Files\e-zshopper
2007-12-19 12:12:09 0 d-------- C:\Program Files\amsys
2007-12-19 12:12:08 8960 --a------ C:\WINDOWS\aconti.exe
2007-12-19 12:12:07 28672 --a------ C:\WINDOWS\ie_32.exe
2007-12-19 12:12:05 0 d-------- C:\WINDOWS\system32\acespy
2007-12-19 12:12:04 22016 --a------ C:\WINDOWS\xxxvideo.exe
2007-12-19 12:12:04 23296 --a------ C:\WINDOWS\ngd.dll
2007-12-19 12:12:04 19712 --a------ C:\WINDOWS\hotporn.exe
2007-12-19 12:12:04 11008 --a------ C:\WINDOWS\dp0.dll
2007-12-19 12:12:03 0 d-------- C:\Program Files\p2pnetworks
2007-12-19 12:12:02 0 d-------- C:\Program Files\akl
2007-12-19 12:11:58 8448 --a------ C:\WINDOWS\flt.dll
2007-12-19 11:21:24 0 d-------- C:\Program Files\Spruce
2007-12-19 11:21:06 12 --a------ C:\WINDOWS\system32\dpqaqlqx.bin
2007-12-19 11:20:40 108551 --a------ C:\WINDOWS\system32\lpcywinp.exe <Not Verified; Microsoft; _>
2007-12-19 11:20:39 21504 --a------ C:\WINDOWS\system32\egmulhxk.dll <Not Verified; Microsoft; Windows Explorer cdrom optimizer>
2007-12-19 11:18:18 0 d-------- C:\WINDOWS\system32\ineWc02
2007-12-19 11:18:04 36352 --a------ C:\WINDOWS\winshow.exe <Not Verified; ; winshow>
2007-12-18 10:35:32 0 d-------- C:\WINDOWS\network diagnostic
2007-12-18 10:16:59 0 d-------- C:\Program Files\MSXML 6.0
2007-12-17 11:42:04 0 d-------- C:\Program Files\Reference Assemblies
2007-12-17 11:14:55 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-12-07 08:48:38 0 d-------- C:\Program Files\Windows Media Connect 2
2007-12-07 08:45:47 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-05 12:31:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-04 09:42:40 299008 --a------ C:\WINDOWS\b148.exe
2007-11-30 11:10:30 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-11-27 13:02:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Sun
2007-11-26 09:32:56 0 d-------- C:\Documents and Settings\LocalService\My Documents

-- Find3M Report ---------------------------------------------------------------

2007-12-20 11:55:21 0 d-------- C:\Program Files\Common Files
2007-12-20 10:35:02 0 d-------- C:\Program Files\IDX Systems Corporation
2007-12-20 10:33:53 0 d-------- C:\Program Files\Common Files\AOL
2007-12-20 09:26:01 0 d--h---c- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-12-20 08:27:12 0 d-------- C:\Program Files\CA
2007-12-18 10:45:00 0 d-------- C:\Program Files\Google
2007-12-18 09:07:22 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-06 11:45:51 0 d-------- C:\Program Files\Insider
2007-11-16 12:20:44 208896 --a------ C:\WINDOWS\io43mvuiw4kj.exe <Not Verified; ; io43mvuiw4kj>
2007-11-13 08:45:59 451137 --ahs---- C:\WINDOWS\system32\vyadd.ini2
2007-11-13 08:30:38 472076 --ahs---- C:\WINDOWS\system32\vyadd.bak2
2007-11-12 03:11:53 457424 --ahs---- C:\WINDOWS\system32\vyadd.bak1
2007-11-05 10:58:58 0 d-------- C:\Program Files\WinAble
2007-11-01 08:58:18 0 d-------- C:\Program Files\Temporary
2007-11-01 07:27:13 171520 --a------ C:\WINDOWS\system32\uffnfdi.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{180FBB4F-7847-425D-B906-ADF1352831C0}]
C:\WINDOWS\system32\jkkjk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37981273-8007-4055-8DF9-DE13EAE88A88}]
C:\WINDOWS\system32\ddayv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477840F3-BA52-44D9-8E41-38D61CAA010F}]
12/19/2007 11:20 AM 21504 --a------ C:\WINDOWS\system32\egmulhxk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54277d5b-4957-44b7-a628-2dd962604b33}]
11/01/2007 07:27 AM 171520 --a------ C:\WINDOWS\system32\uffnfdi.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
11/29/2007 10:28 AM 401408 --a------ C:\Program Files\Spruce\Spruce.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
C:\WINDOWS\system32\ddcaxyw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}]
10/27/2007 03:54 PM 192512 --a------ C:\Program Files\QdrDrive\QdrDrive8.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DC2D87A-98BA-4FEB-BAAE-ED56F8CC5BA5}]
C:\WINDOWS\system32\geedb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EB3A352-9A4E-4E65-902E-13282950ABBC}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb936323-19fa-4521-ba29-eca6a121bc78}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 08:42 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/05/2005 08:22
PM]"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/05/2005 08:19 PM]"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/05/2005 08:23 PM]"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 06:48 PM]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/02/2006 08:06 PM]"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" []"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 06:20 AM]"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [08/12/2005 03:16 PM]"ExploreUpdSched"="C:\WINDOWS\system32\nwinkndq.exe" []"80c4677c"="C:\WINDOWS\system32\ktomypkd.dll" []"winshow"="C:\WINDOWS\winshow.exe" [12/19/2007 11:18 AM]"io43mvuiw4kj"="C:\WINDOWS\io43mvuiw4kj.exe" [11/16/2007 12:20 PM]"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [12/20/2007 08:23 AM][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [5/3/2005 11:07:32 PM][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]"DisableTaskMgr"=1 (0x1)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= C:\WINDOWS\system32\ddcaxyw.dll [ ][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]"Userinit"="C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaxyw] ddcaxyw.dll 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geedb] C:\WINDOWS\system32\geedb.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkjji] mljkjji.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\sQusi\SQUSIT~1\sQusi20Stb.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddayv-- Hosts -----------------------------------------------------------------------127.0.0.1 007guard.com127.0.0.1 www.007guard.com127.0.0.1 008i.com127.0.0.1 008k.com127.0.0.1 www.008k.com127.0.0.1 00hq.com127.0.0.1 www.00hq.com127.0.0.1 010402.com127.0.0.1 032439.com127.0.0.1 www.032439.com7790 more entries in hosts file.-- End of Deckard's System Scanner: finished at 2007-12-21 08:52:55 ------------VundoFix V6.7.7Checking Java version...Java version is 1.4.2.3Old versions of java are exploitable and should be removed.Scan started at 8:27:17 AM 12/21/2007Listing files found while scanning....C:\WINDOWS\system32\bdeeg.bak1C:\WINDOWS\system32\bdeeg.bak2C:\WINDOWS\system32\bdeeg.iniC:\WINDOWS\system32\bdeeg.ini2C:\WINDOWS\system32\bdeeg.tmpC:\WINDOWS\system32\costtygd.dllC:\WINDOWS\system32\geedb.dllC:\WINDOWS\system32\mljkjji.dllBeginning removal... Attempting to delete C:\WINDOWS\system32\bdeeg.bak1C:\WINDOWS\system32\bdeeg.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\bdeeg.bak2C:\WINDOWS\system32\bdeeg.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\bdeeg.iniC:\WINDOWS\system32\bdeeg.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\bdeeg.ini2C:\WINDOWS\system32\bdeeg.ini2 Has been deleted! 
 Attempting to delete C:\WINDOWS\system32\bdeeg.tmp
C:\WINDOWS\system32\bdeeg.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:55:57 AM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\winshow.exe
C:\WINDOWS\io43mvuiw4kj.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {180FBB4F-7847-425D-B906-ADF1352831C0} - C:\WINDOWS\system32\jkkjk.dll (file missing)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: IDXHlprObj Class - {31816979-F864-4acf-919F-D0B3B56432E6} - C:\Program Files\IDX Systems Corporation\Web Framework\IDXIEController.dll
O2 - BHO: (no name) - {37981273-8007-4055-8DF9-DE13EAE88A88} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINDOWS\system32\egmulhxk.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54277d5b-4957-44b7-a628-2dd962604b33} - C:\WINDOWS\system32\uffnfdi.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\ddcaxyw.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: (no name) - {8DC2D87A-98BA-4FEB-BAAE-ED56F8CC5BA5} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: (no name) - {8EB3A352-9A4E-4E65-902E-13282950ABBC} - \
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinkndq.exe SKY009
O4 - HKLM\..\Run: [80c4677c] rundll32.exe "C:\WINDOWS\system32\ktomypkd.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18D0680E-E927-11D3-B34E-00C04FAC4E43} (IDXssl Class) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/idxssl.cab
O16 - DPF: {9192D4F0-C65C-43C9-9160-D0DA5F9934B8} (Flowcast LDAP Class) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/FlowcastLDAP.cab
O16 - DPF: {B50B4ECE-666C-11D1-8DB2-000000000000} (IDX TermWin Control) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/icw.CAB
O16 - DPF: {C0FFB157-3B62-477B-8DEA-203247B88C04} (IDXcsvr Control Class) - http://idxweb.upi.umaryland.edu/IDXICW/IDXM/idxcsvr.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://idxweb.upi.umaryland.edu/idxweb/IDX.../IDXBrowser.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = masbilling.com
O17 - HKLM\Software\..\Telephony: DomainName = masbilling.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB5BB10E-3405-4EC0-A0BB-72D6B32BE617}: NameServer = 10.80.10.11,134.192.240.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = masbilling.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = upi.umaryland.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = upi.umaryland.edu
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\sQusi\SQUSIT~1\sQusi20Stb.dll
O20 - Winlogon Notify: ddcaxyw - ddcaxyw.dll (file missing)
O20 - Winlogon Notify: geedb - C:\WINDOWS\system32\geedb.dll (file missing)
O20 - Winlogon Notify: mljkjji - mljkjji.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 10136 bytes
sarahw Posted December 22, 2007

Hi,

Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.