I got some kind of infection on Friday, 3/28, and now my computer is running terribly slow and keeps trying to access the Internet. I have my computer disconnected from the network and am writing this from a coworker's computer.
I used Process Explorer to see what was being run by rundll32.exe, and one DLL was mljgh.dll. Every time I tried to stop it, it restarted itself.
I used msconfig to try to turn off all of the startup dll loadings. I noticed that a second startup of rundll32.exe loading with dpnxkbgb.dll was created.
I ran DSS once on Friday, and got the following listing. I am attaching the extra.txt file to this thread.
When I ran DSS again today, I got only the main.txt file, with no extra.txt file, so I wasn't sure if it was working properly. I am posting the second version of main.txt at the end of this posting.
Thanks for any help.
gnip gnop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the first run of DSS
It corresponds to the extra.txt file that is attached.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deckard's System Scanner v20071014.68
Run by Dan on 2008-03-28 13:47:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore -----------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
91: 2008-03-28 17:47:52 UTC - RP1451 - Deckard's System Scanner Restore Point
90: 2008-03-28 02:49:31 UTC - RP1450 - Last known good configuration
89: 2008-03-27 20:13:37 UTC - RP1449 - System Checkpoint
88: 2008-03-26 17:02:09 UTC - RP1448 - System Checkpoint
87: 2008-03-25 16:29:56 UTC - RP1447 - System Checkpoint
-- First Restore Point --
1: 2007-12-29 16:47:18 UTC - RP1361 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 510 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-28 13:58:41
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Documents and Settings\Dan\Desktop\dss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cris.nyserda.org/Dashboard/Login.aspx?
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/entry/index....DS&appindex=DS
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19CD1086-CC34-478E-B428-B1222A3CD267} - C:\WINDOWS\SYSTEM32\mljgh.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\SYSTEM32\efcdbcb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {1f78eb00-006f-a488-ed54-6b409bb53808} - {80835bb9-04b6-45de-884a-f60000be87f1} - C:\WINDOWS\SYSTEM32\agjsmqab.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMb755e6d2] Rundll32.exe "C:\WINDOWS\system32\dpnxkbgb.dll",s
O4 - HKLM\..\Run: [b466d54e] rundll32.exe "C:\WINDOWS\system32\pjeqgrbw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {423E32C6-2EC6-11D3-A65D-005004055C6C} (NCSToolBar Class) - http://www.nymapper.com/ecwplugins/ncs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: efcdbcb - C:\WINDOWS\system32\efcdbcb.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Unknown owner - C:\WINDOWS\SYSTEM32
O23 - Service: Iomega App Services - Iomega Corporation - C:\Program Files\Iomega\System32\AppServices.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
--
End of file - 6912 bytes
-- File Associations -----------------------------------------------------------
.scr - AutoCADLTScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Canon Driver Information Assist Service - "c:\program files\canon\dias\cnxdias.exe" <Not Verified; CANON INC.; Driver Information Assist Service>
S3 _IOMEGA_ACTIVE_DISK_SERVICE_ (Iomega Active Disk) - "c:\program files\iomega\autodisk\adservice.exe" <Not Verified; Iomega Corporation; Iomega Active Disk>
S3 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
S4 Iomega Activity Disk2 - ""
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-03-27 18:45:04 256 --a------ C:\WINDOWS\Tasks\Shutdown Computer.job
-- Files created between 2008-02-28 and 2008-03-28 -----------------------------
2008-03-28 10:58:15 93760 --a------ C:\WINDOWS\system32\agjsmqab.dll
2008-03-28 10:55:15 89152 --a------ C:\WINDOWS\system32\pjeqgrbw.dll
2008-03-28 10:52:38 92736 --a------ C:\WINDOWS\system32\dpnxkbgb.dll
2008-03-27 22:49:14 305108 --ahs---- C:\WINDOWS\system32\hgjlm.ini2
2008-03-27 22:49:09 273920 --a------ C:\WINDOWS\system32\mljgh.dll
2008-03-27 21:49:08 273920 --a------ C:\WINDOWS\system32\geedc.dll
2008-03-27 20:49:07 273920 --a------ C:\WINDOWS\system32\mljge.dll
2008-03-27 19:49:06 273920 --a------ C:\WINDOWS\system32\vtsqn.dll
2008-03-27 18:49:05 273920 --a------ C:\WINDOWS\system32\vturo.dll
2008-03-27 17:49:04 273920 --a------ C:\WINDOWS\system32\ddccc.dll
2008-03-27 16:49:03 273920 --a------ C:\WINDOWS\system32\pmnll.dll
2008-03-27 15:49:04 273920 --a------ C:\WINDOWS\system32\gebyy.dll
2008-03-27 14:49:01 273920 --a------ C:\WINDOWS\system32\awtsp.dll
2008-03-27 13:49:07 273920 --a------ C:\WINDOWS\system32\pmnnk.dll
2008-03-27 13:12:40 0 d-------- C:\WINDOWS\pss
2008-03-27 12:46:35 273920 --a------ C:\WINDOWS\system32\awtqq.dll
2008-03-27 11:42:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-27 11:36:57 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:36:18 0 d-------- C:\Program Files\Spyware Doctor
2008-03-27 11:36:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-27 11:32:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-27 11:32:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-27 11:32:34 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-03-27 11:32:34 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-27 11:32:33 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-27 11:21:30 38400 --a------ C:\WINDOWS\system32\opnooli.dll
2008-03-27 11:18:30 32764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-03-27 11:18:09 38400 --a------ C:\WINDOWS\system32\efcdbcb.dll
2008-03-21 16:13:13 1204224 --a------ C:\WINDOWS\system32\spr32d70.dll <Not Verified; FarPoint Technologies, Inc.; Spread>
2008-03-21 16:12:58 0 d-------- C:\Program Files\eQUEST 3-6
2008-03-04 10:17:50 0 d-------- C:\Documents and Settings\Dan\Application Data\skypePM
2008-03-04 10:17:50 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-04 10:17:06 0 d-------- C:\Program Files\Common Files\Skype
-- Find3M Report ---------------------------------------------------------------
2008-03-28 09:51:37 0 d-------- C:\Program Files\LogMeIn
2008-03-27 11:25:24 0 d-------- C:\Documents and Settings\Dan\Application Data\Skype
2008-03-21 16:40:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-04 10:17:15 0 d-------- C:\Program Files\Skype
2008-03-04 10:17:06 0 d-------- C:\Program Files\Common Files
2008-02-20 10:29:14 0 d-------- C:\Documents and Settings\Dan\Application Data\Adobe
2008-02-13 10:41:59 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-07 11:58:46 0 d-------- C:\Program Files\MSECache
2008-02-04 10:37:21 0 d-------- C:\Program Files\Bassline Software
2008-01-11 14:07:10 82765382 --a------ C:\WINDOWS\system32\SNAGIT6
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19CD1086-CC34-478E-B428-B1222A3CD267}]
03/27/2008 10:49 PM 273920 --a------ C:\WINDOWS\system32\mljgh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}]
03/27/2008 11:18 AM 38400 --a------ C:\WINDOWS\system32\efcdbcb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80835bb9-04b6-45de-884a-f60000be87f1}]
03/28/2008 10:58 AM 93760 --a------ C:\WINDOWS\system32\agjsmqab.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/07/2003 01:19 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/07/2003 01:07 AM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 08:47 PM]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/29/2007 05:29 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 03:56 AM]
"BMb755e6d2"="C:\WINDOWS\system32\dpnxkbgb.dll" [03/28/2008 10:52 AM]
"b466d54e"="C:\WINDOWS\system32\pjeqgrbw.dll" [03/28/2008 10:55 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Documents and Settings\Dan\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"= C:\WINDOWS\system32\efcdbcb.dll [03/27/2008 11:18 AM 38400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdbcb]
efcdbcb.dll 03/27/2008 11:18 AM 38400 C:\WINDOWS\SYSTEM32\efcdbcb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/21/2007 04:00 PM 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgh.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
"C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bassline WinPopUp]
C:\Program Files\Bassline Software\Popup\BslPopup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
"C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
"C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
*Newly Created Service* - PROCEXP111
-- End of Deckard's System Scanner: finished at 2008-03-28 14:01:01 ------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is today's run of DSS
No extra.txt file was created with this one.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deckard's System Scanner v20071014.68
Run by Other Taitemite on 2008-03-30 21:31:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 510 MiB (512 MiB recommended).
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-30 21:33:49
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ESET\nod32kui.exe
C:\Documents and Settings\Dan\Desktop\dss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\SYSTEM32\efcdbcb.dll
O2 - BHO: (no name) - {41CBC04E-CDDF-4530-AD84-56D47B481919} - C:\WINDOWS\SYSTEM32\mljgh.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {1f78eb00-006f-a488-ed54-6b409bb53808} - {80835bb9-04b6-45de-884a-f60000be87f1} - C:\WINDOWS\SYSTEM32\agjsmqab.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMb755e6d2] Rundll32.exe "C:\WINDOWS\system32\dpnxkbgb.dll",s
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {423E32C6-2EC6-11D3-A65D-005004055C6C} (NCSToolBar Class) - http://www.nymapper.com/ecwplugins/ncs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: efcdbcb - C:\WINDOWS\system32\efcdbcb.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Unknown owner - C:\WINDOWS\SYSTEM32
O23 - Service: Iomega App Services - Iomega Corporation - C:\Program Files\Iomega\System32\AppServices.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\ramaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
--
End of file - 6054 bytes
-- Files created between 2008-02-29 and 2008-03-30 -----------------------------
2008-03-30 21:17:55 0 d-------- C:\Documents and Settings\Other Taitemite\Application Data\Adobe
2008-03-30 20:59:21 0 d-------- C:\327882R2FWJFW
2008-03-30 20:17:33 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-03-30 20:17:32 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-03-28 10:58:15 93760 --a------ C:\WINDOWS\system32\agjsmqab.dll
2008-03-28 10:55:15 89152 --a------ C:\WINDOWS\system32\pjeqgrbw.dll
2008-03-28 10:52:38 92736 --a------ C:\WINDOWS\system32\dpnxkbgb.dll
2008-03-27 22:49:14 278665 --ahs---- C:\WINDOWS\system32\hgjlm.ini2
2008-03-27 22:49:09 273920 --a------ C:\WINDOWS\system32\mljgh.dll
2008-03-27 21:49:08 273920 --a------ C:\WINDOWS\system32\geedc.dll
2008-03-27 20:49:07 273920 --a------ C:\WINDOWS\system32\mljge.dll
2008-03-27 19:49:06 273920 --a------ C:\WINDOWS\system32\vtsqn.dll
2008-03-27 18:49:05 273920 --a------ C:\WINDOWS\system32\vturo.dll
2008-03-27 17:49:04 273920 --a------ C:\WINDOWS\system32\ddccc.dll
2008-03-27 16:49:03 273920 --a------ C:\WINDOWS\system32\pmnll.dll
2008-03-27 15:49:04 273920 --a------ C:\WINDOWS\system32\gebyy.dll
2008-03-27 14:49:01 273920 --a------ C:\WINDOWS\system32\awtsp.dll
2008-03-27 13:49:07 273920 --a------ C:\WINDOWS\system32\pmnnk.dll
2008-03-27 13:12:40 0 d-------- C:\WINDOWS\pss
2008-03-27 12:46:35 273920 --a------ C:\WINDOWS\system32\awtqq.dll
2008-03-27 11:42:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-27 11:36:57 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:36:18 0 d-------- C:\Program Files\Spyware Doctor
2008-03-27 11:36:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-27 11:32:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-27 11:32:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-03-27 11:32:34 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-27 11:32:34 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-27 11:32:34 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-03-27 11:32:34 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-27 11:32:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-03-27 11:32:34 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-27 11:32:33 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-27 11:21:30 38400 --a------ C:\WINDOWS\system32\opnooli.dll
2008-03-27 11:18:30 32764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-03-27 11:18:09 38400 --a------ C:\WINDOWS\system32\efcdbcb.dll
2008-03-21 16:13:13 1204224 --a------ C:\WINDOWS\system32\spr32d70.dll <Not Verified; FarPoint Technologies, Inc.; Spread>
2008-03-21 16:12:58 0 d-------- C:\Program Files\eQUEST 3-6
2008-03-04 10:17:50 0 d-------- C:\Documents and Settings\Dan\Application Data\skypePM
2008-03-04 10:17:50 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-04 10:17:06 0 d-------- C:\Program Files\Common Files\Skype
-- Find3M Report ---------------------------------------------------------------
2008-03-30 00:04:21 0 d-------- C:\Program Files\LogMeIn
2008-03-21 16:40:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-04 10:17:15 0 d-------- C:\Program Files\Skype
2008-03-04 10:17:06 0 d-------- C:\Program Files\Common Files
2008-02-13 10:41:59 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-07 11:58:46 0 d-------- C:\Program Files\MSECache
2008-02-04 10:37:21 0 d-------- C:\Program Files\Bassline Software
2008-01-11 14:07:10 82765382 --a------ C:\WINDOWS\system32\SNAGIT6
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}]
03/27/2008 11:18 AM 38400 --a------ C:\WINDOWS\system32\efcdbcb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41CBC04E-CDDF-4530-AD84-56D47B481919}]
03/27/2008 10:49 PM 273920 --a------ C:\WINDOWS\system32\mljgh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{80835bb9-04b6-45de-884a-f60000be87f1}]
03/28/2008 10:58 AM 93760 --a------ C:\WINDOWS\system32\agjsmqab.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 08:47 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09/29/2007 05:29 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [08/04/2004 03:56 AM]
"BMb755e6d2"="C:\WINDOWS\system32\dpnxkbgb.dll" [03/28/2008 10:52 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Documents and Settings\Other Taitemite\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"= C:\WINDOWS\system32\efcdbcb.dll [03/27/2008 11:18 AM 38400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdbcb]
efcdbcb.dll 03/27/2008 11:18 AM 38400 C:\WINDOWS\SYSTEM32\efcdbcb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/21/2007 04:00 PM 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgh.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
"C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b466d54e]
rundll32.exe "C:\WINDOWS\system32\pjeqgrbw.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bassline WinPopUp]
C:\Program Files\Bassline Software\Popup\BslPopup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMb755e6d2]
Rundll32.exe "C:\WINDOWS\system32\dpnxkbgb.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
"C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
"C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
"C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
-- End of Deckard's System Scanner: finished at 2008-03-30 21:36:02 ------------
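A triage pass over the log posted above, as an added example that is not part of the original post and not DSS or HijackThis code. It reads the HijackThis-clone items (O2 BHOs, O4 Run entries, O20 Winlogon Notify), the LSA "Authentication Packages" value and the "Files created" rows quoted from the log, and flags any system32 DLL that is loaded from a persistence point and is also either newly created with no version information, or one of a run of same-size DLLs created at hourly intervals (the 273920-byte series in the log). The thresholds (one-hour step with a two-minute tolerance, family size of at least three) and the assumption that a stock XP box lists only msv1_0 under Authentication Packages are the example's own.

```python
import re
from datetime import datetime

# Lines copied from the DSS log posted above (HijackThis-clone items, the
# LSA registry dump and the "Files created" list), trimmed to what is needed.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19CD1086-CC34-478E-B428-B1222A3CD267} - C:\WINDOWS\SYSTEM32\mljgh.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\SYSTEM32\efcdbcb.dll
O2 - BHO: {1f78eb00-006f-a488-ed54-6b409bb53808} - {80835bb9-04b6-45de-884a-f60000be87f1} - C:\WINDOWS\SYSTEM32\agjsmqab.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BMb755e6d2] Rundll32.exe "C:\WINDOWS\system32\dpnxkbgb.dll",s
O4 - HKLM\..\Run: [b466d54e] rundll32.exe "C:\WINDOWS\system32\pjeqgrbw.dll",b
O20 - Winlogon Notify: efcdbcb - C:\WINDOWS\system32\efcdbcb.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
"""
LSA_LINE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgh.dll'
FILES_LOG = r"""
2008-03-28 10:58:15 93760 --a------ C:\WINDOWS\system32\agjsmqab.dll
2008-03-28 10:55:15 89152 --a------ C:\WINDOWS\system32\pjeqgrbw.dll
2008-03-28 10:52:38 92736 --a------ C:\WINDOWS\system32\dpnxkbgb.dll
2008-03-27 22:49:14 305108 --ahs---- C:\WINDOWS\system32\hgjlm.ini2
2008-03-27 22:49:09 273920 --a------ C:\WINDOWS\system32\mljgh.dll
2008-03-27 21:49:08 273920 --a------ C:\WINDOWS\system32\geedc.dll
2008-03-27 20:49:07 273920 --a------ C:\WINDOWS\system32\mljge.dll
2008-03-27 19:49:06 273920 --a------ C:\WINDOWS\system32\vtsqn.dll
2008-03-27 11:21:30 38400 --a------ C:\WINDOWS\system32\opnooli.dll
2008-03-27 11:18:09 38400 --a------ C:\WINDOWS\system32\efcdbcb.dll
2008-03-21 16:13:13 1204224 --a------ C:\WINDOWS\system32\spr32d70.dll <Not Verified; FarPoint Technologies, Inc.; Spread>
"""

SYS32_DLL = re.compile(r"\\windows\\system32\\([a-z0-9_]+\.dll)", re.I)
FILE_ROW = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S{9}) (\S+)(.*)$")


def persistence_refs(hjt_text, lsa_line):
    """Map each referenced system32 DLL to the persistence points that load it."""
    refs = {}
    for line in hjt_text.strip().splitlines():
        m = SYS32_DLL.search(line)
        if not m or "(file missing)" in line:
            continue
        item = line.split(" - ", 1)[0]                       # O2 / O4 / O20
        if item == "O4" and re.search(r"rundll32\.exe", line, re.I):
            item = "O4 rundll32"                             # DLL run via Rundll32 from HKLM\..\Run
        refs.setdefault(m.group(1).lower(), []).append(item)
    # Assumption: a stock XP box lists only msv1_0 here; anything else is an extra LSA package.
    for pkg in lsa_line.split("=", 1)[1].split():
        if pkg.lower() != "msv1_0":
            m = SYS32_DLL.search(pkg)
            refs.setdefault((m.group(1) if m else pkg).lower(), []).append("LSA Authentication Packages")
    return refs


def recent_files(files_text):
    """Parse 'Files created' rows into {name: (created, size, has_version_info)}."""
    out = {}
    for m in (FILE_ROW.match(l) for l in files_text.strip().splitlines()):
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            name = m.group(4).rsplit("\\", 1)[-1].lower()
            out[name] = (created, int(m.group(2)), "<" in m.group(5))  # DSS appends <...> only when version info exists
    return out


def hourly_families(files, tolerance_s=120, min_size=3):
    """Group same-size DLLs whose creation times step by roughly one hour (assumed thresholds)."""
    by_size = {}
    for name, (created, size, _) in files.items():
        if name.endswith(".dll"):
            by_size.setdefault(size, []).append((created, name))
    families = []
    for items in by_size.values():
        items.sort()
        run = [items[0][1]]
        for (t0, _), (t1, n1) in zip(items, items[1:]):
            if abs((t1 - t0).total_seconds() - 3600) <= tolerance_s:
                run.append(n1)
            else:
                if len(run) >= min_size:
                    families.append(run)
                run = [n1]
        if len(run) >= min_size:
            families.append(run)
    return families


def triage(hjt_text=HJT_LOG, lsa_line=LSA_LINE, files_text=FILES_LOG):
    """Return {dll: [reasons]} for DLLs that combine a persistence point with a second signal."""
    refs = persistence_refs(hjt_text, lsa_line)
    files = recent_files(files_text)
    family_of = {n: fam for fam in hourly_families(files) for n in fam}
    findings = {}
    for name, items in refs.items():
        reasons = [f"loaded from {i}" for i in items]
        if name in files and not files[name][2]:
            created, size, _ = files[name]
            reasons.append(f"new in system32 ({created:%Y-%m-%d %H:%M}, {size} bytes, no version info)")
        if name in family_of:
            reasons.append(f"one of {len(family_of[name])} same-size DLLs created hourly")
        if len(reasons) > 1:
            findings[name] = reasons
    for name, fam in family_of.items():                     # siblings not (yet) wired into a persistence point
        findings.setdefault(name, [f"one of {len(fam)} same-size DLLs created hourly"])
    return findings
```

Run against the posted lines, `triage()` flags mljgh.dll (BHO plus LSA authentication package plus the hourly family), efcdbcb.dll (BHO plus Winlogon Notify), agjsmqab.dll, dpnxkbgb.dll and pjeqgrbw.dll (new, unversioned DLLs in system32 loaded from a BHO or a Rundll32 Run entry), and the remaining 273920-byte siblings vtsqn.dll, mljge.dll and geedc.dll, while leaving AcroIEHelper.dll, the missing WRLogonNTF.dll and the versioned spr32d70.dll alone. The LSA and Winlogon Notify hooks are the entries worth noting: a DLL registered there is loaded by lsass.exe and winlogon.exe at boot, which is consistent with a Run entry reappearing after it is disabled in msconfig.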