Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Trojan-Spy.Win32.Agent.bahu
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
Page 1 of 2 1 2
 
LinkBack Thread Tools
Old 11-02-2009, 02:30 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Trojan-Spy.Win32.Agent.bahu
ive tried to get a highjack this report, dds, rootrepeal and they all start but disapear and produce no reports..

i was able to get a SRengLOG.log report and a kaspersky report of the viruses..

any help would be greatly appreciated

kaspersky report

Monday, November 2, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 02, 2009 13:16:38
Records in database: 3114711


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
G:\
I:\

Scan statistics
Objects scanned 117367
Threats found 3
Infected objects found 49
Suspicious objects found 0
Scan duration 02:45:33

File name Threat Threats count
svchost.exe\407134DE.x86.dll/svchost.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 4

globalroot\Device\__max++>\407134DE.x86.dll/globalroot\Device\__max++>\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 24

spoolsv.exe\407134DE.x86.dll/spoolsv.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

AppleMobileDeviceService.exe\407134DE.x86.dll/AppleMobileDeviceService.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

mDNSResponder.exe\407134DE.x86.dll/mDNSResponder.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

ehSched.exe\407134DE.x86.dll/ehSched.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

jqs.exe\407134DE.x86.dll/jqs.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

KService.exe\407134DE.x86.dll/KService.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

sprtsvc.exe\407134DE.x86.dll/sprtsvc.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

mcrdsvc.exe\407134DE.x86.dll/mcrdsvc.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

alg.exe\407134DE.x86.dll/alg.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

sprtcmd.exe\407134DE.x86.dll/sprtcmd.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

explorer.exe\407134DE.x86.dll/explorer.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

msimn.exe\407134DE.x86.dll/msimn.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

iexplore.exe\407134DE.x86.dll/iexplore.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 5

bittorrent.exe\407134DE.x86.dll/bittorrent.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

java.exe\407134DE.x86.dll/java.exe\407134DE.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2A4C3EDD.htm Infected: Trojan-Downloader.HTML.Agent.is 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PURW5IR\798[1].pdf Infected: Exploit.JS.Pdfka.nl 1

Selected area has been scanned.


SRengLOG.log report

Code:
2009-11-02,06:46:50

System Repair Engineer 2.8.1.1279
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 3 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been selected:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Running Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf
    HOSTS File
    Process Privileges Scan
    Scheduled Tasks
    Windows Security Update Check
    API HOOK
    Hidden Process


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <MSMSGS><"C:\Program Files\Messenger\msmsgs.exe" /background>  [(Verified)Microsoft Windows Component Publisher]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
    <DellSupportCenter><"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter>  [(Verified)Dell Inc.]
    <ISUSPM><"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler>  [(Verified)Macrovision Corporation]
    <BitTorrent DNA><"C:\Program Files\DNA\btdna.exe">  [(Verified)BitTorrent Inc]
    <Aim6><>  [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <ehTray><C:\WINDOWS\ehome\ehtray.exe>  [Microsoft Corporation]
    <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <DMXLauncher><C:\Program Files\Dell\Media Experience\DMXLauncher.exe>  []
    <DLA><C:\WINDOWS\System32\DLA\DLACTRLW.EXE>  [Sonic Solutions]
    <ISUSPM Startup><"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup>  [(Verified)Macrovision Corporation]
    <ISUSScheduler><"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start>  [(Verified)Acresso Software Inc.]
    <hpqSRMon><C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe>  [Hewlett-Packard]
    <SigmatelSysTrayApp><stsystra.exe>  [SigmaTel, Inc.]
    <Kernel and Hardware Abstraction Layer><KHALMNPR.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <DigidesignMMERefresh><C:\Program Files\Digidesign\Drivers\MMERefresh.exe>  [Digidesign, A Division of Avid Technology, Inc.]
    <dscactivate><"C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe">  [ ]
    <DellSupportCenter><"C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter>  [(Verified)Dell Inc.]
    <Logitech Hardware Abstraction Layer><KHALMNPR.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <AppleSyncNotifier><C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe>  [(Verified)Apple Inc.]
    <HP Software Update><C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe>  [(Verified)Hewlett-Packard Company]
    <SunJavaUpdateSched><"C:\Program Files\Java\jre6\bin\jusched.exe">  [(Verified)"Sun Microsystems, Inc."]    
    <QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime>  [Apple Inc.]
    <iTunesHelper><"C:\Program Files\iTunes\iTunesHelper.exe">  [(Verified)Apple Inc.]
    <Adobe Reader Speed Launcher><"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe">  [(Verified)"Adobe Systems, Incorporated"]    
    <Adobe ARM><"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe">  [(Verified)"Adobe Systems, Incorporated"]    
    <bacstray><C:\Program Files\Broadcom\BACS\BacsTray.exe>  [Broadcom Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><C:\WINDOWS\system32\webcheck.dll>  [(Verified)Microsoft Windows]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
    <UPnPMonitor><C:\WINDOWS\system32\upnpui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    <WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
    <WinlogonNotify: LBTWlgn><c:\program files\common files\logitech\bluetooth\LBTWlgn.dll>  [(Verified)Logitech]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    <WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    <Internet Explorer Version Update><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    <Browser Customizations><"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    <Browser Customizations><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\KB910393]
    <KB910393><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{407408d4-94ed-4d86-ab69-a7f649d112ee}]
    <Media Center><%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows Desktop Update><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -BaseSettings>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    <N/A><c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
    <Fax><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINDOWS\system32\logon.scr>  [(Verified)Microsoft Windows Component Publisher]

==================================
Startup Folders
[$McRebootA5E6DEAA56$]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk --> C:\WINDOWS\system32\cmd.exe [Microsoft Corporation]><N>

==================================
Services
[Apple Mobile Device / Apple Mobile Device][Running/Auto Start]
  <"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"><Apple Inc.>
[Bonjour Service / Bonjour Service][Running/Auto Start]
  <"C:\Program Files\Bonjour\mDNSResponder.exe"><Apple Inc.>
[Digidesign MME Refresh Service / DigiRefresh][Running/Auto Start]
  <C:\Program Files\Digidesign\Drivers\MMERefresh.exe -s><Digidesign, A Division of Avid Technology, Inc.>
[getPlus(R) Helper / getPlus(R) Helper][Stopped/Manual Start]
  <C:\Program Files\NOS\bin\getPlus_HelperSvc.exe><NOS Microsystems Ltd.>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"><Macrovision Corporation>
[iPod Service / iPod Service][Stopped/Manual Start]
  <"C:\Program Files\iPod\bin\iPodService.exe"><Apple Inc.>
[Java Quick Starter / JavaQuickStarterService][Running/Auto Start]
  <"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"><Sun Microsystems, Inc.>
[KService / KService][Running/Auto Start]
  <"C:\Program Files\Kontiki\KService.exe"><>
[Lavasoft Ad-Aware Service / Lavasoft Ad-Aware Service][Stopped/Auto Start]
  <"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"><(File is missing)>
[Logitech Bluetooth Service / LBTServ][Stopped/Manual Start]
  <C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe><Logitech, Inc.>
[M-Audio Series II MIDI Installer / MA_CMIDI_InstallerService][Running/Auto Start]
  <C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe><>
[MHN / MHN][Stopped/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\mhn.dll><Microsoft Corporation>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
  <C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[LiveShare P2P Server 9 / RoxLiveShare9][Stopped/Auto Start]
  <"C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe"><(File is missing)>
[SupportSoft Sprocket Service (dellsupportcenter) / sprtsvc_dellsupportcenter][Running/Auto Start]
  <C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter><SupportSoft, Inc.>
[Symantec Core LC / Symantec Core LC][Running/Auto Start]
  <"C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"><>

==================================
Drivers
[AliIde / AliIde][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\aliide.sys><Acer Laboratories Inc.>
[AMD AGP Bus Filter Driver / amdagp][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\amdagp.sys><Advanced Micro Devices, Inc.>
[asc / asc][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\asc.sys><Advanced System Products, Inc.>
[asc3550 / asc3550][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\asc3550.sys><Advanced System Products, Inc.>
[Broadcom NetXtreme Gigabit Ethernet / b57w2k][Running/Manual Start]
  <system32\DRIVERS\b57xp32.sys><Broadcom Corporation>
[CmdIde / CmdIde][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
[dac2w2k / dac2w2k][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\dac2w2k.sys><Mylex Corporation>
[dal service / dalwdmservice][Stopped/Manual Start]
  <system32\drivers\dalwdm.sys><Digidesign, A Division of Avid Technology, Inc.>
[DigiFilter / DigiFilter][Running/Boot Start]
  <\SystemRoot\system32\drivers\DigiFilt.sys><Digidesign, A Division of Avid Technology, Inc.>
[Digidesign Ethernet Support / DigiNet][Running/Auto Start]
  <system32\DRIVERS\diginet.sys><Digidesign, A Division of Avid Technology, Inc.>
[DLABOIOM / DLABOIOM][Running/Auto Start]
  <System32\DLA\DLABOIOM.SYS><Sonic Solutions>
[DLACDBHM / DLACDBHM][Running/System Start]
  <System32\Drivers\DLACDBHM.SYS><Sonic Solutions>
[DLADResN / DLADResN][Running/Auto Start]
  <System32\DLA\DLADResN.SYS><Sonic Solutions>
[DLAIFS_M / DLAIFS_M][Running/Auto Start]
  <System32\DLA\DLAIFS_M.SYS><Sonic Solutions>
[DLAOPIOM / DLAOPIOM][Running/Auto Start]
  <System32\DLA\DLAOPIOM.SYS><Sonic Solutions>
[DLAPoolM / DLAPoolM][Running/Auto Start]
  <System32\DLA\DLAPoolM.SYS><Sonic Solutions>
[DLARTL_N / DLARTL_N][Running/System Start]
  <System32\Drivers\DLARTL_N.SYS><Sonic Solutions>
[DLAUDFAM / DLAUDFAM][Running/Auto Start]
  <System32\DLA\DLAUDFAM.SYS><Sonic Solutions>
[DLAUDF_M / DLAUDF_M][Running/Auto Start]
  <System32\DLA\DLAUDF_M.SYS><Sonic Solutions>
[DRVMCDB / DRVMCDB][Running/Boot Start]
  <\SystemRoot\System32\Drivers\DRVMCDB.SYS><Sonic Solutions>
[DRVNDDM / DRVNDDM][Running/Auto Start]
  <System32\Drivers\DRVNDDM.SYS><Sonic Solutions>
[Intel(R) PRO Adapter Driver / E100B][Stopped/Manual Start]
  <system32\DRIVERS\e100b325.sys><Intel Corporation>
[Symantec Eraser Control driver / eeCtrl][Running/System Start]
  <\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys><Symantec Corporation>
[GEAR ASPI Filter Driver / GEARAspiWDM][Running/Manual Start]
  <System32\Drivers\GEARAspiWDM.sys><GEAR Software Inc.>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
  <system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[IEEE-1284.4 Driver HPZid412 / HPZid412][Stopped/Manual Start]
  <system32\DRIVERS\HPZid412.sys><HP>
[Print Class Driver for IEEE-1284.4 HPZipr12 / HPZipr12][Stopped/Manual Start]
  <system32\DRIVERS\HPZipr12.sys><HP>
[USB to IEEE-1284.4 Translation Driver HPZius12 / HPZius12][Stopped/Manual Start]
  <system32\DRIVERS\HPZius12.sys><HP>
[Logitech SetPoint Keyboard Driver / L8042Kbd][Stopped/Manual Start]
  <system32\DRIVERS\L8042Kbd.sys><Logitech Inc.>
[SetPoint PS/2 Mouse Filter Driver / L8042mou][Stopped/Manual Start]
  <system32\DRIVERS\L8042mou.Sys><Logitech, Inc.>
[Lbd / Lbd][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\Lbd.sys><Lavasoft AB>
[Logitech SetPoint KMDF HID Filter Driver / LHidFilt][Running/Manual Start]
  <system32\DRIVERS\LHidFilt.Sys><Logitech, Inc.>
[Logitech SetPoint KMDF Mouse Filter Driver / LMouFilt][Running/Manual Start]
  <system32\DRIVERS\LMouFilt.Sys><Logitech, Inc.>
[SetPoint Mouse Filter Driver / LMouKE][Stopped/Manual Start]
  <system32\DRIVERS\LMouKE.Sys><Logitech, Inc.>
[M-Audio USB Driver / MA_CMIDI][Stopped/Manual Start]
  <system32\drivers\ma_cmidi.sys><M-Audio>
[Driver for MagicISO SCSI Host Controller / mcdbus][Running/Manual Start]
  <system32\DRIVERS\mcdbus.sys><MagicISO, Inc.>
[MHN driver / MHNDRV][Stopped/Manual Start]
  <system32\DRIVERS\mhndrv.sys><Microsoft Corporation>
[mraid35x / mraid35x][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\mraid35x.sys><American Megatrends Inc.>
[nv / nv][Running/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[nvatabus / nvatabus][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\nvatabus.sys><NVIDIA Corporation>
[NVIDIA nForce(tm) RAID Class Driver / nvraid][Stopped/Boot Start]
  <\SystemRoot\system32\DRIVERS\nvraid.sys><NVIDIA Corporation>
[PCD5SRVC{3F6A8B78-EC003E00-05040000} - PCDR Kernel Mode Service Helper Driver / PCD5SRVC{3F6A8B78-EC003E00-05040000}][Stopped/Manual Start]
  <\??\C:\PROGRA~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms><PC-Doctor, Inc.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[ql1080 / ql1080][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\ql1080.sys><QLogic Corporation>
[ql12160 / ql12160][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\ql12160.sys><QLogic Corporation>
[ql1280 / ql1280][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\ql1280.sys><QLogic Corporation>
[BlackBerry Smartphone / RimUsb][Stopped/Manual Start]
  <System32\Drivers\RimUsb.sys><N/A>
[RIM Virtual Serial Port v2 / RimVSerPort][Running/Manual Start]
  <system32\DRIVERS\RimSerial.sys><Research in Motion Ltd>
[rootrepeal / rootrepeal][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\rootrepeal.sys><N/A>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[SIS AGP Bus Filter / sisagp][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
[Sparrow / Sparrow][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\sparrow.sys><Adaptec, Inc.>
[SigmaTel High Definition Audio CODEC / STHDA][Running/Manual Start]
  <system32\drivers\sthda.sys><SigmaTel, Inc.>
[symc810 / symc810][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\symc810.sys><Symbios Logic Inc.>
[symc8xx / symc8xx][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\symc8xx.sys><LSI Logic>
[SYMIDSCO / SYMIDSCO][Stopped/Manual Start]
  <\??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20080806.002\symidsco.sys><N/A>
[symlcbrd / symlcbrd][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\symlcbrd.sys><Symantec Corporation>
[sym_hi / sym_hi][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\sym_hi.sys><LSI Logic>
[sym_u3 / sym_u3][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\sym_u3.sys><LSI Logic>
[ultra / ultra][Stopped/Disabled]
  <\SystemRoot\system32\DRIVERS\ultra.sys><Promise Technology, Inc.>
[WAN Miniport (ATW) / wanatw][Stopped/Manual Start]
  <system32\DRIVERS\wanatw4.sys><N/A>

==================================
Browser Add-ons
[&Yahoo! Toolbar Helper]
  {02478D38-C3F9-4efb-9B51-7695ECA05670} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll, (Signed) Yahoo! Inc.>
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll, (Signed) Adobe Systems Incorporated>
[Adobe PDF Link Helper]
  {18DF081C-E8AD-4283-A596-FA578C2EBDC3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll, (Signed) Adobe Systems Incorporated>
[DriveLetterAccess]
  {5CA3D70E-1895-11CF-8E15-001234567890} <C:\WINDOWS\System32\DLA\DLASHX_W.DLL, Sonic Solutions>
[Java(tm) Plug-In 2 SSV Helper]
  {DBC80044-A445-435b-BC74-9C25C1C588A9} <C:\Program Files\Java\jre6\bin\jp2ssv.dll, (Signed) Sun Microsystems, Inc.>
[JQSIEStartDetectorImpl Class]
  {E7E6F031-17CE-4C07-BC86-EABFE594F69C} <C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll, Sun Microsystems, Inc.>
[SingleInstance Class]
  {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll, (Signed) Yahoo! Inc>
[Send to OneNote from Internet Explorer button]
  {2670000A-7350-4f3c-8081-5663EE0C6C49} <C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll, (Signed) Microsoft Corporation>
[PokerStars]
  {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} <C:\Program Files\PokerStars\PokerStarsUpdate.exe, (Signed) PokerStars>
[&Research]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL, (Signed) Microsoft Corporation>
[Real.com]
  {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} <C:\WINDOWS\system32\Shdocvw.dll, (Signed) Microsoft Corporation>
[]
  {e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, (Signed) N/A>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, (Signed) Microsoft Corporation>
[Yahoo! Toolbar]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll, (Signed) Yahoo! Inc.>
[System Requirements Lab Class]
  {40F576AD-8680-4F9E-9490-99D069CD665F} <C:\Program Files\SystemRequirementsLab\sysreqlabdetect.dll, (Signed) Husdawg, LLC>
[MSN Photo Upload Tool]
  {4F1E5B1A-2A80-42CA-8532-2D05CB959537} <C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll, (Signed) Microsoft® Corporation>
[]
  {5A9D4578-6649-4692-921B-ACA9ADAB007C} <, >
[MUCatalogWebControl Class]
  {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} <C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll, (Signed) Microsoft Corporation>
[ContactExtractor Class]
  {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} <C:\WINDOWS\Downloaded Program Files\contactx.dll, (Signed) Facebook>
[Facebook Photo Uploader 5 Control]
  {8100D56A-5661-482C-BEE8-AFECE305D968} <C:\WINDOWS\Downloaded Program Files\PhotoUploader55.ocx, (Signed) The Facebook>
[Java Plug-in 1.6.0_15]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, (Signed) >
[]
  {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} <, >
[Get_ActiveX Control]
  {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} <C:\WINDOWS\DOWNLO~1\HPGETD~1.OCX, (Signed) Netopsystems AG>
[Java Plug-in 1.5.0_06]
  {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, (Signed) >
[Java Plug-in 1.6.0_15]
  {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, (Signed) >
[Java Plug-in 1.6.0_15]
  {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\npjpi160_15.dll, (Signed) Sun Microsystems, Inc.>
[MediaControl Class]
  {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} <C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaControl.dll, (Signed) Entriq, Inc.>
[get_atlcom Class]
  {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} <C:\WINDOWS\Downloaded Program Files\gp.ocx, (Signed) NOS Microsystems Ltd.>
[McFreeScan Class]
  {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} <C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll, (Signed) McAfee, Inc.>
[]
  {00000000-0000-0000-0000-000000000000} <, >
[]
  {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} <, >
[SupportSoft Script Runner Class]
  {01012101-5E80-11D8-9E86-0007E96C65AE} <C:\Program Files\Common Files\supportsoft\bin\tgctlsr.dll, (Signed) SupportSoft, Inc.>
[&Yahoo! Toolbar Helper]
  {02478D38-C3F9-4EFB-9B51-7695ECA05670} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll, (Signed) Yahoo! Inc.>
[Microsoft Office Template and Media Control]
  {02BCC737-B171-4746-94C9-0D8A0B2C0089} <C:\PROGRA~1\MICROS~4\Office12\IEAWSDC.DLL, (Signed) >
[QuickTime Object]
  {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, (Signed) Apple Inc.>
[]
  {03F998B2-0E00-11D3-A498-00104B6EB52E} <, >
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll, (Signed) Adobe Systems Incorporated>
[]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <, >
[]
  {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} <, >
[]
  {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} <, >
[PeerDraw Class]
  {10072CEC-8CC1-11D1-986E-00A0C955B42E} <%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll, (Signed) N/A>
[Windows Genuine Advantage Validation Tool]
  {17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, (Signed) Microsoft Corporation>
[Adobe PDF Link Helper]
  {18DF081C-E8AD-4283-A596-FA578C2EBDC3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll, (Signed) Adobe Systems Incorporated>
[InformationCardSigninHelper Class]
  {19916E01-B44E-4E31-94A4-4696DF46157B} <C:\WINDOWS\system32\icardie.dll, (Signed) Microsoft Corporation>
[Windows Media Player]
  {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, (Signed) Microsoft Corporation>
[]
  {2318C2B1-4965-11D4-9B18-009027A5CD4F} <, >
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <C:\WINDOWS\system32\mshtml.dll, (Signed) Microsoft Corporation>
[]
  {2670000A-7350-4F3C-8081-5663EE0C6C49} <, >
[XML DOM Document]
  {2933BF90-7B36-11D2-B20E-00C04F983E60} <%SystemRoot%\system32\msxml3.dll, (Signed) N/A>
[]
  {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} <, >
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, (Signed) Microsoft Corporation>
[]
  {2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF} <, >
[HtmlDlgSafeHelper Class]
  {3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\system32\mshtmled.dll, (Signed) Microsoft Corporation>
[]
  {31435657-9980-0010-8000-00AA00389B71} <, >
[IETag Factory]
  {38481807-CA0E-42D2-BF39-B33AF135CC4D} <C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\IETAG.DLL, (Signed) Microsoft Corporation>
[]
  {3AD14F0C-ED16-4E43-B6D8-661B03F6A1EF} <, >
[QuickTime Object]
  {4063BE15-3B08-470D-A0D5-B37161CFFD69} <C:\Program Files\QuickTime\QTPlugin.ocx, (Signed) Apple Inc.>
[System Requirements Lab Class]
  {40F576AD-8680-4F9E-9490-99D069CD665F} <C:\Program Files\SystemRequirementsLab\sysreqlabdetect.dll, (Signed) Husdawg, LLC>
[]
  {472734EA-242A-422B-ADF8-83D1E48CC825} <, >
[XML Document]
  {48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\system32\msxml3.dll, (Signed) N/A>
[Microsoft Terminal Services Client Control (redist)]
  {4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[Microsoft Terminal Services Client Control (redist)]
  {4EDCB26C-D24C-4e72-AF07-B576699AC0DE} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[MSN Photo Upload Tool]
  {4F1E5B1A-2A80-42CA-8532-2D05CB959537} <C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll, (Signed) Microsoft® Corporation>
[]
  {53707962-6F74-2D53-2644-206D7942484F} <, >
[Shell Name Space]
  {55136805-B2DE-11D1-B9F2-00A0C98BC547} <C:\WINDOWS\system32\ieframe.dll, (Signed) Microsoft Corporation>
[MUCatalogWebControl Class]
  {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} <C:\WINDOWS\system32\MicrosoftUpdateCatalogWebControl.dll, (Signed) Microsoft Corporation>
[DriveLetterAccess]
  {5CA3D70E-1895-11CF-8E15-001234567890} <C:\WINDOWS\System32\DLA\DLASHX_W.DLL, Sonic Solutions>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, (Signed) Microsoft Corporation>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[ContactExtractor Class]
  {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} <C:\WINDOWS\Downloaded Program Files\contactx.dll, (Signed) Facebook>
[MUWebControl Class]
  {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} <C:\WINDOWS\system32\muweb.dll, (Signed) Microsoft Corporation>
[Active Desktop Mover]
  {72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, (Signed) N/A>
[Microsoft Terminal Services Client Control (redist)]
  {7390f3d8-0439-4c05-91e3-cf5cb290c3d0} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[Microsoft Terminal Services Client Control (redist)]
  {7584c670-2274-4efb-b00b-d6aaba6d3850} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[]
  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <, >
[]
  {7DB2D5A0-7241-4E79-B68D-6309F01C5231} <, >
[Facebook Photo Uploader 5 Control]
  {8100D56A-5661-482C-BEE8-AFECE305D968} <C:\WINDOWS\Downloaded Program Files\PhotoUploader55.ocx, (Signed) The Facebook>
[Microsoft Web Browser]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\ieframe.dll, (Signed) Microsoft Corporation>
[XML DOM Document 4.0]
  {88D969C0-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml4.dll, (Signed) Microsoft Corporation>
[XML HTTP 4.0]
  {88D969C5-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml4.dll, (Signed) Microsoft Corporation>
[XML DOM Document 6.0]
  {88D96A05-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[Free Threaded XML DOM Document 6.0]
  {88D96A06-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[XSL Template 6.0]
  {88D96A08-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[XML HTTP 6.0]
  {88D96A0A-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[Java Plug-in 1.6.0_15]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, (Signed) >
[]
  {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} <, >
[Microsoft Terminal Services Client Control (redist)]
  {9059f30f-4eb1-4bd2-9fdc-36f43a218f4a} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <, >
[]
  {9ECB9560-04F9-4BBC-943D-298DDF1699E1} <, >
[]
  {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} <, >
[RMGetLicense Class]
  {A9FC132B-096D-460B-B7D5-1DB0FAE0C062} <C:\WINDOWS\system32\msnetobj.dll, (Signed) Microsoft Corporation>
[]
  {AA58ED58-01DD-4D91-8333-CF10577473F7} <, >
[]
  {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} <, >
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, (Signed) N/A>
[]
  {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} <, >
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, (Signed) Microsoft Corporation>
[]
  {C4069E3A-68F1-403E-B40E-20066696354B} <, >
[]
  {C93A7319-17B3-4504-87CD-03EFC6103E6E} <, >
[Microsoft Office 12 Authorization Control]
  {C9712B19-838B-45A5-ABF2-9A315DDDED50} <C:\PROGRA~1\MICROS~4\Office12\AUTHZAX.DLL, (Signed) Microsoft Corporation>
[]
  {CA6319C0-31B7-401E-A518-A07C3DB8F777} <, >
[Adobe PDF Reader]
  {CA8A9780-280D-11CF-A24D-444553540000} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll, (Signed) Adobe Systems, Inc.>
[Microsoft Live Meeting Console Launcher]
  {CC2AA3AF-4E14-46DD-90E5-9D315F0AFA0F} <, >
[AUDIO__MID Moniker Class]
  {CD3AFA74-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[VIDEO__X_MS_ASF Moniker Class]
  {CD3AFA8F-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class]
  {CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[]
  {CD67F990-D8E9-11D2-98FE-00C0F0318AFE} <, >
[MediaControl Class]
  {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} <C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaControl.dll, (Signed) Entriq, Inc.>
[get_atlcom Class]
  {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} <C:\WINDOWS\Downloaded Program Files\gp.ocx, (Signed) NOS Microsystems Ltd.>
[Microsoft Url Search Hook]
  {CFBFAE00-17A6-11D0-99CB-00C04FD64497} <C:\WINDOWS\system32\ieframe.dll, (Signed) Microsoft Corporation>
[RealPlayer G2 Control]
  {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} <C:\WINDOWS\system32\rmoc3260.dll, RealNetworks>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash10c.ocx, (Signed) Adobe Systems, Inc.>
[iTunesDetector Class]
  {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} <C:\Program Files\iTunes\ITDetector.ocx, (Signed) Apple Inc.>
[MessengerChecker Class]
  {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} <C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll, (Signed) Yahoo! Inc.>
[Java(tm) Plug-In 2 SSV Helper]
  {DBC80044-A445-435B-BC74-9C25C1C588A9} <C:\Program Files\Java\jre6\bin\jp2ssv.dll, (Signed) Sun Microsystems, Inc.>
[]
  {DDCC995D-9896-7E27-1BB4-10CDF5EEEC1A} <, >
[Microsoft Silverlight]
  {DFEAF541-F3E1-4C24-ACAC-99C30715084A} <c:\Program Files\Microsoft Silverlight\3.0.40818.0\npctrl.dll, (Signed)  Microsoft Corporation>
[]
  {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} <, >
[]
  {E2E2DD38-D088-4134-82B7-F2BA38496583} <, >
[]
  {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} <, >
[]
  {e473a65c-8087-49a3-affd-c5bc4a10669b} <, >
[JQSIEStartDetectorImpl Class]
  {E7E6F031-17CE-4C07-BC86-EABFE594F69C} <C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll, Sun Microsystems, Inc.>
[XML HTTP Request]
  {ED8C108E-4349-11D2-91A4-00C04F7969E8} <%SystemRoot%\system32\msxml3.dll, (Signed) N/A>
[Scripting.Dictionary]
  {EE09B103-97E0-11CF-978F-00A02463E06F} <C:\WINDOWS\system32\scrrun.dll, (Signed) Microsoft Corporation>
[McFreeScan Class]
  {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} <C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll, (Signed) McAfee, Inc.>
[Yahoo! Toolbar]
  {EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll, (Signed) Yahoo! Inc.>
[XML DOM Document 3.0]
  {F5078F32-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, (Signed) N/A>
[XML HTTP 3.0]
  {F5078F35-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, (Signed) N/A>
[XML DOM Document]
  {F6D90F11-9C73-11D3-B32E-00C04F990BB4} <%SystemRoot%\system32\msxml3.dll, (Signed) N/A>
[XML HTTP]
  {F6D90F16-9C73-11D3-B32E-00C04F990BB4} <%SystemRoot%\system32\msxml3.dll, (Signed) N/A>
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[SingleInstance Class]
  {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} <C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll, (Signed) Yahoo! Inc>
[E&xport to Microsoft Excel]
  <res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000, N/A>

==================================
Running Processes
[PID: 624 / SYSTEM][\SystemRoot\System32\smss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 672 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 696 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
    [c:\program files\common files\logitech\bluetooth\LBTWlgn.dll]  [Logitech, Inc., 4.60.122]
    [c:\program files\common files\logitech\bluetooth\LBTServ.dll]  [Logitech, Inc., 4.60.122]
[PID: 744 / SYSTEM][C:\WINDOWS\system32\services.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)]
[PID: 756 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
[PID: 960 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1036 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1132 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1296 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
[PID: 1464 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1560 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\WINDOWS\system32\hpzsnt10.dll]  [HP, 2.323.0.0]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1648 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1856 / SYSTEM][C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe]  [Apple Inc., 2.50.39.0]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
[PID: 1868 / SYSTEM][C:\Program Files\Bonjour\mDNSResponder.exe]  [Apple Inc., 1,0,6,2]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
[PID: 1900 / SYSTEM][C:\Program Files\Digidesign\Drivers\MMERefresh.exe]  [Digidesign, A Division of Avid Technology, Inc., 7.4.0.309]
[PID: 1920 / SYSTEM][C:\WINDOWS\eHome\ehRecvr.exe]  [Microsoft Corporation, 5.1.2715.3011 (xpsp(wmbla).061009-1511)]
    [C:\WINDOWS\system32\sbe.dll]  [, ]
    [C:\WINDOWS\system32\quartz.dll]  [, ]
    [C:\WINDOWS\system32\devenum.dll]  [, ]
    [C:\WINDOWS\system32\msdmo.dll]  [, ]
[PID: 1936 / SYSTEM][C:\WINDOWS\eHome\ehSched.exe]  [(Verified) Microsoft Corporation, 5.1.2710.2732 (xpsp(wmbla).050805-1239)]
[PID: 124 / SYSTEM][C:\Program Files\Java\jre6\bin\jqs.exe]  [Sun Microsystems, Inc., 6.0.150.3]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
[PID: 216 / SYSTEM][C:\Program Files\Kontiki\KService.exe]  [, ]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 432 / SYSTEM][C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe]  [, 1.0.0.15]
[PID: 576 / SYSTEM][C:\WINDOWS\system32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.11.6371]
    [C:\WINDOWS\system32\nvapi.dll]  [NVIDIA Corporation, 6.14.11.6371]
[PID: 1236 / SYSTEM][C:\Program Files\Dell Support Center\bin\sprtsvc.exe]  [SupportSoft, Inc., 7.0.1117.0]
    [C:\Program Files\Dell Support Center\bin\sprtsched.dll]  [SupportSoft, Inc., 7.0.940.0]
    [C:\Program Files\Dell Support Center\bin\sprtfod.dll]  [SupportSoft, Inc., 7.0.940.0]
    [C:\Program Files\Dell Support Center\bin\LIBEAY32.dll]  [SupportSoft, Inc., 0, 9, 8, 4, 1]
    [C:\Program Files\Dell Support Center\bin\sprtsync.dll]  [SupportSoft, Inc., 7.0.1710.0]
    [C:\Program Files\Dell Support Center\bin\sprtupdate.dll]  [SupportSoft, Inc., 7.0.940.0]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 1784 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
[PID: 1864 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 200 / SYSTEM][C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe]  [, ]
    [C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcnet.dll]  [, ]
[PID: 648 / SYSTEM][C:\WINDOWS\system32\wuauclt.exe]  [(Verified) Microsoft Corporation, 7.4.7600.226 (winmain_wtr_wsus3sp2(wmbla).090806-1834)]
[PID: 712 / LOCAL SERVICE][C:\WINDOWS\ehome\mcrdsvc.exe]  [Microsoft Corporation, 4.1.2710.2732 (xpsp(wmbla).050805-1239)]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
[PID: 2132 / joel][C:\WINDOWS\ehome\ehtray.exe]  [Microsoft Corporation, 5.1.2715.2765 (xpsp(wmbla).050928-2135)]
[PID: 2168 / joel][C:\Program Files\Dell\Media Experience\DMXLauncher.exe]  [N/A, ]
[PID: 2208 / joel][C:\WINDOWS\System32\DLA\DLACTRLW.EXE]  [Sonic Solutions, 5.20.08a]
    [C:\WINDOWS\system32\DLAAPI_W.DLL]  [Sonic Solutions, 5.20.08a]
    [C:\WINDOWS\System32\DLA\DLACResW.dll]  [Sonic Solutions, 5.20.08a]
    [C:\WINDOWS\system32\VxBlock.dll]  [Sonic Solutions, 1.00.83a]
[PID: 2364 / SYSTEM][C:\WINDOWS\system32\dllhost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2108)]
[PID: 2496 / joel][C:\WINDOWS\eHome\ehmsas.exe]  [(Verified) Microsoft Corporation, 5.1.2710.2732 (xpsp(wmbla).050805-1239)]
[PID: 2676 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
[PID: 2684 / joel][C:\WINDOWS\explorer.exe]  [(Verified) Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
    [C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 9.1.0.2009022700]
    [C:\WINDOWS\system32\nvcpl.dll]  [NVIDIA Corporation, 6.14.11.6371]
    [C:\WINDOWS\system32\nvapi.dll]  [NVIDIA Corporation, 6.14.11.6371]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
[PID: 3556 / joel][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
[PID: 3768 / joel][C:\WINDOWS\system32\ctfmon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
[PID: 3796 / joel][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)]
    [C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 9.1.0.2009022700]
    [C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll]  [Adobe Systems Incorporated, 9.1.0.2009022700]
    [C:\Program Files\Java\jre6\bin\jp2ssv.dll]  [Sun Microsystems, Inc., 6.0.150.3]
    [C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll]  [Sun Microsystems, Inc., 6.0.150.3]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll]  [Yahoo! Inc, 2008, 7, 28, 01]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
    [C:\WINDOWS\system32\Macromed\Flash\Flash10c.ocx]  [Adobe Systems, Inc., 10,0,32,18]
[PID: 3868 / joel][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)]
    [C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 9.1.0.2009022700]
    [C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll]  [Adobe Systems Incorporated, 9.1.0.2009022700]
    [C:\Program Files\Java\jre6\bin\jp2ssv.dll]  [Sun Microsystems, Inc., 6.0.150.3]
    [C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll]  [Sun Microsystems, Inc., 6.0.150.3]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll]  [Yahoo! Inc, 2008, 7, 28, 01]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
    [C:\WINDOWS\system32\Macromed\Flash\Flash10c.ocx]  [Adobe Systems, Inc., 10,0,32,18]
[PID: 3896 / joel][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)]
    [C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 9.1.0.2009022700]
    [C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll]  [Adobe Systems Incorporated, 9.1.0.2009022700]
    [C:\Program Files\Java\jre6\bin\jp2ssv.dll]  [Sun Microsystems, Inc., 6.0.150.3]
    [C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll]  [Sun Microsystems, Inc., 6.0.150.3]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll]  [Yahoo! Inc, 2008, 7, 28, 01]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]
    [C:\WINDOWS\system32\Macromed\Flash\Flash10c.ocx]  [Adobe Systems, Inc., 10,0,32,18]
[PID: 3128 / joel][C:\Documents and Settings\joel\Desktop\New Folder\SREngLdr.EXE]  [Smallfrogs Studio, 2.8.1.1279]
[PID: 3136 / joel][C:\Documents and Settings\joel\Desktop\New Folder\SREba614a25.EXE]  [Smallfrogs Studio, 2.8.1.1279]
    [C:\Documents and Settings\joel\Desktop\New Folder\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
    [\\?\globalroot\Device\__max++>\50E4746E.x86.dll]  [N/A, ]
    [C:\Program Files\Bonjour\mdnsNSP.dll]  [Apple Inc., 1,0,6,2]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]    
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1       localhost

==================================
Process Privileges Scan
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 1900, C:\PROGRAM FILES\DIGIDESIGN\DRIVERS\MMEREFRESH.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 216, C:\PROGRAM FILES\KONTIKI\KSERVICE.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 432, C:\PROGRAM FILES\M-AUDIO\M-AUDIO SERIES II MIDI\MA_CMIDI_INST.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 2132, C:\WINDOWS\EHOME\EHTRAY.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 2168, C:\PROGRAM FILES\DELL\MEDIA EXPERIENCE\DMXLAUNCHER.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 2208, C:\WINDOWS\SYSTEM32\DLA\DLACTRLW.EXE]
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 3128, C:\DOCUMENTS AND SETTINGS\JOEL\DESKTOP\NEW FOLDER\SRENGLDR.EXE]

==================================
Scheduled Tasks
[Enabled] {5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
        C:\WINDOWS\TEMP\tempo-127446500.tmp 
[Enabled] AppleSoftwareUpdate.job
        C:\Program Files\Apple Software Update\SoftwareUpdate.exe 
[Enabled] Ad-Aware Update (Weekly).job
        C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe 

==================================
Windows Security Update Check
KB940157,  Windows Search 4.0 for Windows XP (KB940157) 
KB967715,  Update for Windows XP (KB967715) 
KB963673,  Update for the 2007 Microsoft Office System Help for Common Features (KB963673) 
KB963670,  Update for Microsoft Office OneNote 2007 Help (KB963670) 
KB963671,  Update for Microsoft Script Editor Help (KB963671) 
KB963678,  Update for Microsoft Office Excel 2007 Help (KB963678) 
KB963669,  Update for Microsoft Office PowerPoint 2007 Help (KB963669) 
KB963665,  Update for Microsoft Office Word 2007 Help (KB963665) 
KB963665,  Office Live add-in 1.4 
KB963665,  Windows Live Essentials 
KB975364,  Update for Internet Explorer 8 Compatibility View List for Windows XP (KB975364) 
KB971513,  Update for Windows XP (KB971513) 

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 11-03-2009, 07:18 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,793
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan-Spy.Win32.Agent.bahu
Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 07:23 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
Running from: C:\Documents and Settings\joel\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\joel\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D2.tmp\ZAP1D2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D2.tmp\ZAP1D2.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DB.tmp\ZAP2DB.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DB.tmp\ZAP2DB.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3DB.tmp\ZAP3DB.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3DB.tmp\ZAP3DB.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Installer\{F724042F-367A-3B58-9BE3-8EF7A6F058D6}\{F724042F-367A-3B58-9BE3-8EF7A6F058D6}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\{F724042F-367A-3B58-9BE3-8EF7A6F058D6}\{F724042F-367A-3B58-9BE3-8EF7A6F058D6}

Found mount point : C:\WINDOWS\Installer\{F9FBBFFE-5CFD-3271-B127-C2326D796F94}\{F9FBBFFE-5CFD-3271-B127-C2326D796F94}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\{F9FBBFFE-5CFD-3271-B127-C2326D796F94}\{F9FBBFFE-5CFD-3271-B127-C2326D796F94}

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\occache\occache

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 07:25 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,793
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan-Spy.Win32.Agent.bahu
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 08:12 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
ComboFix 09-11-03.01 - joel 11/03/2009 21:46.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.533 [GMT -5:00]
Running from: c:\documents and settings\joel\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\joel\LOCALS~1\Temp\1E.tmp\edS.exe
c:\documents and settings\joel\Local Settings\Temp\1E.tmp\edS.exe
c:\windows\kb913800.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWCWORKSTATION
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-02 13:11 . 2009-11-02 13:22 -------- d-----w- C:\HJT
2009-11-02 11:22 . 2009-11-02 11:22 -------- d-----w- c:\program files\Trend Micro
2009-11-02 10:47 . 2009-11-02 10:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-02 10:16 . 2009-11-02 10:16 -------- d-----w- c:\program files\CCleaner
2009-11-02 09:45 . 2009-11-02 09:45 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-02 09:14 . 2009-11-02 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-11-02 09:10 . 2009-11-02 09:10 -------- d-----w- c:\documents and settings\joel\Local Settings\Application Data\Citrix
2009-11-02 09:10 . 2009-11-02 09:10 61224 ----a-w- c:\documents and settings\joel\GoToAssistDownloadHelper.exe
2009-10-31 09:41 . 2009-10-31 09:41 -------- d-----w- c:\windows\McAfee.com
2009-10-31 08:55 . 2009-11-02 09:29 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-10-31 08:55 . 2009-11-02 09:29 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-10-31 08:54 . 2009-11-04 02:46 0 ----a-w- c:\windows\win32k.sys
2009-10-31 08:53 . 2009-10-31 08:53 -------- d--h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-10-31 08:53 . 2009-11-02 11:15 -------- d-----w- c:\program files\Lavasoft
2009-10-31 08:30 . 2009-10-31 08:52 -------- dc----w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}(2)
2009-10-31 07:45 . 2009-10-31 07:45 -------- d-----w- c:\program files\VS Revo Group
2009-10-30 11:37 . 2009-10-30 11:37 -------- d-----w- c:\documents and settings\joel\Application Data\Blackberry Desktop
2009-10-30 07:31 . 2009-10-31 08:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-25 11:59 . 2009-10-25 11:59 -------- d-----w- c:\program files\SystemRequirementsLab
2009-10-24 04:12 . 2009-10-24 04:12 -------- d-----w- c:\documents and settings\joel\Local Settings\Application Data\AIM
2009-10-10 08:14 . 2009-10-10 08:14 -------- d-----w- c:\documents and settings\joel\Application Data\Research In Motion
2009-10-10 08:12 . 2009-10-31 08:53 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-10-10 08:12 . 2009-10-10 08:12 -------- d-----w- c:\program files\Research In Motion
2009-10-10 04:41 . 2009-10-10 04:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-10-10 04:32 . 2009-10-10 04:32 -------- d-----w- c:\documents and settings\joel\Application Data\Windows Search
2009-10-10 04:28 . 2009-10-10 08:45 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-10 04:28 . 2009-10-10 04:28 -------- d-----w- c:\windows\system32\GroupPolicy
2009-10-10 04:28 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2009-10-10 04:28 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2009-10-10 04:28 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2009-10-09 21:06 . 1998-10-29 23:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-10-06 01:30 . 2009-10-06 01:31 -------- d-----w- c:\program files\iTunes
2009-10-06 01:28 . 2009-10-06 01:28 -------- d-----w- c:\program files\Bonjour
2009-10-06 01:26 . 2009-10-06 01:27 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 02:52 . 2008-08-08 06:55 -------- d-----w- c:\program files\DNA
2009-11-04 02:52 . 2008-08-08 06:55 -------- d-----w- c:\documents and settings\joel\Application Data\DNA
2009-11-04 02:41 . 2008-08-08 06:55 -------- d-----w- c:\documents and settings\joel\Application Data\BitTorrent
2009-10-21 19:48 . 2008-08-10 06:36 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-18 00:32 . 2007-03-28 21:31 36400 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 04:25 . 2007-04-07 14:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-14 12:51 . 2009-09-09 11:46 -------- d-----w- c:\documents and settings\joel\Application Data\HpUpdate
2009-10-10 08:17 . 2008-09-05 05:02 256 ----a-w- c:\windows\system32\pool.bin
2009-10-10 06:55 . 2009-02-01 22:48 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-10 03:55 . 2007-04-07 14:41 -------- d-----w- c:\program files\Microsoft Works
2009-10-06 01:30 . 2007-04-05 21:43 -------- d-----w- c:\program files\iPod
2009-10-06 01:30 . 2008-08-10 09:11 -------- d-----w- c:\program files\Common Files\Apple
2009-10-05 22:05 . 2007-03-28 21:25 -------- d-----w- c:\program files\Google
2009-10-05 21:47 . 2008-09-05 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-10-05 21:47 . 2007-03-28 21:21 -------- d-----w- c:\program files\Roxio
2009-10-05 21:47 . 2007-03-28 21:21 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-05 21:47 . 2007-03-28 21:19 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-10-05 21:40 . 2007-03-28 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-05 21:27 . 2005-08-17 02:54 -------- d-----w- c:\program files\GemMaster
2009-10-05 21:19 . 2007-04-05 21:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-05 21:16 . 2009-06-20 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-10-03 21:35 . 2009-10-03 21:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-03 21:35 . 2007-03-28 21:14 -------- d-----w- c:\program files\Java
2009-10-03 21:24 . 2009-10-03 21:18 -------- d-----w- c:\program files\PS3 Media Server
2009-09-25 16:13 . 2007-04-05 21:45 -------- d-----w- c:\documents and settings\joel\Application Data\Apple Computer
2009-09-19 18:41 . 2009-09-19 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 11:47 . 2007-04-09 23:06 -------- d-----w- c:\program files\HP
2009-09-09 07:12 . 2009-07-30 10:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 23:24 . 2005-08-16 10:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-08-16 10:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-08-16 10:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2005-08-16 10:40 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2005-08-16 10:18 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2005-08-16 10:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-07-30 13:05 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-07-30 13:05 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2005-08-16 10:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-23 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-03 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"bacstray"="c:\program files\Broadcom\BACS\BacsTray.exe" [2006-08-15 118784]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=ma_cmidn.dll
"midi2"=ma_cmidn.dll
"midi3"=ma_cmidn.dll
"midi4"=ma_cmidn.dll
"midi5"=ma_cmidn.dll
"wave2"=Digi32.dll
"MIDI6"=diomidi.dll
"midi7"=ma_cmidn.dll
"midi8"=ma_cmidn.dll
"midi9"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [8/14/2008 2:23 AM 16384]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/1/2009 4:52 PM 64160]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [8/14/2008 2:18 AM 16400]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [8/14/2008 2:18 AM 97808]
S3 PCD5SRVC{3F6A8B78-EC003E00-05040000};PCD5SRVC{3F6A8B78-EC003E00-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [12/5/2007 3:47 PM 20640]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - hxxp://evideo.ufc.com/ufc/cabfiles/UFC_3_6_0_6.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
HKCU-Run-Aim6 - (no file)
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 21:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCD5SRVC{3F6A8B78-EC003E00-05040000}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3043654748-1866458467-1896528663-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3043654748-1866458467-1896528663-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8B54E536-E330-9884-7E6C-BCA4E6782EF2}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3043654748-1866458467-1896528663-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:73,99,23,50,ce,76,d4,78,36,ad,5c,e1,d9,d4,e0,5e,70,eb,af,fc,50,ce,9d,
af,cc,d8,e9,0f,f7,64,1f,d6,11,0f,36,31,f2,fd,c3,1c,2d,81,7e,8f,c9,5d,85,15,\
"??"=hex:75,ea,ed,ee,3f,ff,99,6c,7d,5d,7a,18,ca,c1,a9,b8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'Explorer.EXE'(1900)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\docume~1\joel\LOCALS~1\Temp\catchme.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-11-04 21:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 02:55

Pre-Run: 38,912,360,448 bytes free
Post-Run: 39,817,023,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 08:16 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,793
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan-Spy.Win32.Agent.bahu
Now we're getting somewhere.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

Also please run win32kdiag once again, this time just double click on it, wait for it to complete, and post the log.

Are any of your applications giving you "access denied" messages?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 08:37 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
I wasnt able to run a scan on aything.. access denied, cant find file or path, or not having permissions.. soemthing to that effect.

I tried to run a mcafee scan, ad-aware, spybot, dds, highjackthis.. nothing..

just to mention... i wasnt ablwe to fully remove ad-aware.. said there there is a missing mia.lib file?
Mcafee is removed as well.. when i reinstalled it previously it would'nt install the virus scan portion so i just removed it..
so i do not have any anitvirus or antispyware installed currently... havent dont anything since we started this process..

32 bit Windows Card Reader Driver
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.2
AIM 6
AiO_Scan
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BitTorrent
BlackBerry Desktop Software 4.2
Bonjour
Broadcom Management Programs
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner
CDDRV_Installer
Combined Community Codec Pack 2008-09-21 16:18
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell Support Center (Support Software)
Dell System Restore
Digidesign Audio Drivers 7.4
Digital Content Portal
DNA
Documentation & Support Launcher
Enigma
Entriq MediaSphere 3.6.0.15
ESPNMotion
Games, Music, & Photos Launcher
getPlus(R)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Image Zone 4.2
HP Photosmart Essential
HP Photosmart Essential 2.5
HP Photosmart Essential 3.0
HP PSC & OfficeJet 4.2
HP Update
HPPhotoSmartPhotobookWebPack1
Interlok driver setup x32
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 15
KhalInstallWrapper
Live 7.0.3
Logitech Registration
Logitech SetPoint
Logitech Updater
M-Audio Reason Control Surface
M-Audio Series II MIDI
Magic ISO Maker v5.4 (build 0239)
Magic ISO Maker v5.5 (build 0274)
MagicDisc 2.7.105
Matroska Pack - Lazy Man's MKV 1.0.1-alpha6
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office Live Meeting 2005
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WSE 3.0 Runtime
MobileMe Control Panel
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NVIDIA Drivers
Picture Package Music Transfer
PokerStars
PSSWCORE
QFolder
QuickTime
RealPlayer Basic
Reason 4.0
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Roxio Update Manager
Safari
Scan
SearchAssist
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sonic Activation Module
Sonic Encoders
Sony Picture Utility
Sony USB Driver
Spelling Dictionaries Support For Adobe Reader 9
Symantec KB-DocID:2003093015493306
System Requirements Lab
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoToolkit01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
WinWay Resume Deluxe
Xvid 1.1.3 final uninstall
Yahoo! Messenger
Yahoo! Toolbar

Win32kdiag report

Running from: C:\Documents and Settings\joel\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\joel\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-10 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)





Finished!
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 08:40 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,793
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan-Spy.Win32.Agent.bahu
Sorry, but this is not clear to me about the current state of the machine.

Quote:
I wasnt able to run a scan on aything.. access denied, cant find file or path, or not having permissions.. soemthing to that effect.

I tried to run a mcafee scan, ad-aware, spybot, dds, highjackthis.. nothing..
I'm looking for what's happening now. You're receiving access denied, can't find path, no permissions messages right now when you try to run those?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 08:43 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,793
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan-Spy.Win32.Agent.bahu
Do you wish to reinstall McAfee, or go another direction?

About Ad-Aware, it may take a reinstall/uninstall if you want to remove it. Just wait on that for now.


Let's take a look with another tool.


Download junction.zip from this link and extract junction.exe to your desktop.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
junction -s c:\ >log.txt
notepad log.txt
Save this as peek.bat Choose to "Save type as - All Files" save it next to junction.exe
It should look like this:

Double click the peek.bat and allow it to run. It will take some time to complete, so please be patient and wait until it finishes. A log should open, log.txt will be created on your desktop. Please attach that log in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 08:53 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
for clearification i have not run anything except what you have instructed me too.. and in doing so have not run into any error messages. but i would like to reinstall mcafee and would like your go ahead to do so when ready.
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 08:54 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
i created the peek.bat and ran the junction.exe but do not see any window open.. will a log.txt appear? doesnt seem like anything is running..
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 08:56 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,793
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan-Spy.Win32.Agent.bahu
Quote:
ran the junction.exe
junction.exe is going to be run by the batch file you place next to it. Don't try to double click on junction.exe


Quote:
Save this as peek.bat Choose to "Save type as - All Files" save it next to junction.exe
It should look like this:

Double click the peek.bat and allow it to run. It will take some time to complete, so please be patient and wait until it finishes. A log should open, log.txt will be created on your desktop. Please attach that log in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 09:05 PM   #13 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
i saved them both in the order you put in the instructions.. the junction then the peek.bat im not sure that is "next to" or not..


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

..
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f: Access is denied.


.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...
Failed to open \\?\c:\\HJT\HijackThis.exe: Access is denied.




...

...

...

...

...

...

...

...

...

...
Failed to open \\?\c:\\Program Files\Dell Support Center\HWDiag\bin\pcdrsysinfodirect.p5x: Access is denied.




...

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.


.

..
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


.

...

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe: Access is denied.


.

...

...

...

...

..No reparse points found.
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 09:15 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,793
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan-Spy.Win32.Agent.bahu
That worked. In the same directory is suitable (desktop), they don't have to be exactly side by side.

Next steps..

Download This tool save it directly to your desktop - not a folder on the desktop - the commands are tailored for the desktop location.


Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"

After a short time, you should see a small message box which says OK.

Repeat the above procedure using this command:

"%userprofile%\desktop\Inherit.exe" "c:\HJT\HijackThis.exe"

"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Dell Support Center\HWDiag\bin\pcdrsysinfodirect.p5x"

"%userprofile%\desktop\Inherit.exe" "c:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe"


Next..........

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

---------------------------------------------------------------------------------------------

Now, reinstall your McAfee, update it, run a scan.

Delete any existing version of RSIT/DDS/GMER you might have still.

Let's try a new version of DDS...



Download DDS and save it to your desktop from here, here or here.
Disable any script blocker, and then double click dds to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
-----------------------------------------------------

Please include the following logs in your thread:
  • Contents of the DDS.txt posted as text in your reply
  • Attach the Attach.txt to your post by clicking the Manage Attachments button under Additonal Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 09:42 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
quick scan or full scan with mcafee?
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 09:56 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
i performed a quick scan with mcafee... no threats found..


DDS (Ver_09-10-26.01) - NTFSx86
Run by joel at 23:52:30.70 on Tue 11/03/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.425 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\joel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} - hxxp://evideo.ufc.com/ufc/cabfiles/UFC_3_6_0_6.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1255161136312
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://evideo.ufc.com/ufc/cabfiles/Entriq_3_6_0_15_Silent.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5787/mcfscan.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2008-8-14 16384]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-1 64160]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-8-14 16400]
S2 0131021257309403mcinstcleanup;McAfee Application Installer Cleanup (0131021257309403);c:\docume~1\joel\locals~1\temp\013102~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\joel\locals~1\temp\013102~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [2008-8-14 97808]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-8-10 31592]
S3 PCD5SRVC{3F6A8B78-EC003E00-05040000};PCD5SRVC{3F6A8B78-EC003E00-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\dellsu~1\hwdiag\bin\PCD5SRVC.pkms [2007-12-5 20640]

=============== Created Last 30 ================

2009-11-04 04:40:32 6815 ----a-w- c:\windows\system32\Config.MPF
2009-11-04 04:36:50 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-04 04:36:50 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-11-04 04:36:50 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-04 04:36:47 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-11-04 04:36:26 0 d-----w- c:\program files\common files\McAfee
2009-11-04 04:36:25 0 d-----w- c:\program files\McAfee.com
2009-11-04 04:36:07 0 d-----w- c:\program files\McAfee
2009-11-04 04:33:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-11-04 04:20:07 0 d-----w- c:\docume~1\joel\applic~1\Malwarebytes
2009-11-04 04:20:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 04:20:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-04 04:20:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 04:20:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 02:43:38 0 d-sha-r- C:\cmdcons
2009-11-04 02:42:44 98816 ----a-w- c:\windows\sed.exe
2009-11-04 02:42:44 77312 ----a-w- c:\windows\MBR.exe
2009-11-04 02:42:44 236544 ----a-w- c:\windows\PEV.exe
2009-11-04 02:42:44 161792 ----a-w- c:\windows\SWREG.exe
2009-11-04 02:42:37 0 d-----w- C:\ComboFix
2009-11-02 13:11:36 0 d-----w- C:\HJT
2009-11-02 11:22:15 0 d-----w- c:\program files\Trend Micro
2009-11-02 10:47:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-02 10:16:44 0 d-----w- c:\program files\CCleaner
2009-11-02 09:45:19 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-02 09:14:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Citrix
2009-11-02 09:10:28 61224 ----a-w- c:\documents and settings\joel\GoToAssistDownloadHelper.exe
2009-10-31 09:41:15 0 d-----w- c:\windows\McAfee.com
2009-10-31 08:55:26 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-10-31 08:55:26 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-10-31 08:53:55 0 d--h--w- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-10-31 08:53:46 0 d-----w- c:\program files\Lavasoft
2009-10-31 08:30:00 0 dc----w- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}(2)
2009-10-31 07:45:24 0 d-----w- c:\program files\VS Revo Group
2009-10-30 11:37:51 0 d-----w- c:\docume~1\joel\applic~1\Blackberry Desktop
2009-10-30 07:31:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-25 11:59:06 0 d-----w- c:\program files\SystemRequirementsLab
2009-10-10 08:14:10 0 d-----w- c:\docume~1\joel\applic~1\Research In Motion
2009-10-10 08:12:22 0 d-----w- c:\program files\common files\Research In Motion
2009-10-10 08:12:13 0 d-----w- c:\program files\Research In Motion
2009-10-10 04:32:32 0 d-----w- c:\docume~1\joel\applic~1\Windows Search
2009-10-10 04:28:51 0 d-----w- c:\program files\Windows Desktop Search
2009-10-10 04:28:50 0 d-----w- c:\windows\system32\GroupPolicy
2009-10-10 04:28:04 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2009-10-10 04:28:03 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2009-10-10 04:28:03 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2009-10-09 2136 306688 ----a-w- c:\windows\IsUninst.exe
2009-10-06 01:30:04 0 d-----w- c:\program files\iTunes
2009-10-06 01:28:03 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2009-10-10 06:55:57 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-03 21:35:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 15:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-07 08:48:40 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-06 23:24:18 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 23:24:18 209632 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 23:24:10 35552 ----a-w- c:\windows\system32\dllcache\wups.dll
2009-08-06 23:24:06 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 23:24:04 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-08-06 23:23:54 575704 ----a-w- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23:46 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-07-07 16:47:58 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-07-07 16:47:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009070720090708\index.dat
2009-07-07 16:47:58 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 23:53:39.96 ===============
Attached Files
File Type: txt Attach.txt (10.8 KB, 1 views)
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 10:11 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,793
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan-Spy.Win32.Agent.bahu
Hi -

Did Malwarebytes' Antimalware find anything? I'd like to see the log. If you didn't save it to desktop, it can be accessed from the Logs tab on the program interface.

Also, I see part of Norton Firewall in the logs, but it doesn't seem installed. Norton has a history of leaving things behind after it's uninstalled. They have a dedicated uninstaller tool which should likely be run.

1. Download this file:

ftp://ftp.symantec.com/public/englis...moval_Tool.exe

Save the file to the Windows desktop.

2. On the Windows desktop, double-click the Norton Removal Tool icon.

3. Follow the on-screen instructions. Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.



Also, how is the machine behaving now? We likely still have a bit of work to do
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 10:22 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
pc is behaving a bit better.. i wasnt able to run a scan in mcafee before, or dds and now it was able to do both..

pc was redirecting search engine results to ad sites and now it is not doing that either..
so far so good...


Malwarebytes' Anti-Malware 1.41
Database version: 3097
Windows 5.1.2600 Service Pack 3

11/3/2009 11:24:56 PM
mbam-log-2009-11-03 (23-24-56).txt

Scan type: Quick Scan
Objects scanned: 111157
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 10:28 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,793
OS: 2000 Pro; XP Pro; XP Home


Re: Trojan-Spy.Win32.Agent.bahu
Ok, good....next steps...

As mentioned in our preposting topic:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:
3. Uninstall the following via Add or Remove Programs in Control Panel:

  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

P2P - I see you have P2P software ( BitTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------


Outdated Java

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

J2SE Runtime Environment 5.0 Update 6


This is outdated, and a security risk by having it installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Java(TM) 6 Update 15 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 11-03-2009, 11:42 PM   #20 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 18
OS: windows xp media center, ver 2002 service pack 3


Re: Trojan-Spy.Win32.Agent.bahu
eset online scanner is at 40%
illstacks is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 09:15 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85