
BSOD and Winlogon.exe errors


  • This topic is locked This topic is locked
19 replies to this topic

#1 Mark Meriaux

  • Members
  • 52 posts
  • Gender:Male
  • Location:Atlanta, Georgia, USA

Posted 09 August 2010 - 01:46 PM

The problem machine is a Dell Desktop machine (I can get more specifics if needed).
Running Windows XP Pro with SP3.
IE Explorer is the main web application.
Hard Drive is only about 50% full.
I've run MBAM and SuperAntiSpyware a couple of times to clean recurring malware.

Constantly has the following problem at Startup:

WINLOGON.EXE - Application Error
The instruction at 0x00182581 referenced memory at 0x012f0000. The memory could not be "read"

If I ignore the warning, the computer works with limited functionality. If I click OK or Cancel, it goes into BSOD.

Computer is finishing another MBAM scan right now... as soon as that completes, I'll run and post:
1) BlueScreenView logs
2) DDS logs
3) GMER logs

for one of you fine folks to analyze and give me some help to get her back in decent health.

Here are the BlueScreenView logs:

==================================================
Dump File : Mini070210-01.dmp
Crash Time : 7/2/2010 9:02:14 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000017
Parameter 2 : 0x8056d666
Parameter 3 : 0xa9301654
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+96666
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5938 (xpsp_sp3_gdr.100216-1514)
Processor : 32-bit
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini070210-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 2600
==================================================

==================================================
Dump File : Mini072208-01.dmp
Crash Time : 7/22/2008 8:53:35 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : 0xc0000005
Parameter 2 : 0x00000000
Parameter 3 : 0xf88cca98
Parameter 4 : 0xf88cc794
Caused By Driver : usbhub.sys
Caused By Address : usbhub.sys+46ff
File Description : Default Hub Driver for USB
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini072208-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 2600
==================================================

==================================================
Dump File : Mini071107-01.dmp
Crash Time : 7/11/2007 8:37:25 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : 0xc0000005
Parameter 2 : 0x00000000
Parameter 3 : 0xf88c8a98
Parameter 4 : 0xf88c8794
Caused By Driver : usbhub.sys
Caused By Address : usbhub.sys+46ff
File Description : Default Hub Driver for USB
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini071107-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 2600
==================================================

==================================================
Dump File : Mini061807-01.dmp
Crash Time : 6/18/2007 10:25:46 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : 0xc0000005
Parameter 2 : 0x00000000
Parameter 3 : 0xf88c0a98
Parameter 4 : 0xf88c0794
Caused By Driver : usbhub.sys
Caused By Address : usbhub.sys+46ff
File Description : Default Hub Driver for USB
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini061807-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 2600
==================================================

==================================================
Dump File : Mini061307-01.dmp
Crash Time : 6/13/2007 5:22:35 PM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : 0xc0000005
Parameter 2 : 0x00000000
Parameter 3 : 0xf88d4a98
Parameter 4 : 0xf88d4794
Caused By Driver : usbhub.sys
Caused By Address : usbhub.sys+46ff
File Description : Default Hub Driver for USB
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini061307-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 2600
==================================================

Here's the DDS log and the Attach.txt (attached):


DDS (Ver_10-03-17.01) - NTFSx86
Run by tammy at 16:19:50.94 on Mon 08/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.173 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PAYCLOCK\BTENG32M.EXE
C:\PAYCLOCK\TOUCHS~1\BTENG32M.EXE
C:\Program Files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\EmailsAgent\EmailsAgent\EmailsAgent.exe
C:\Documents and Settings\tammy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://crowecounter.moraware.net/crowecounter/default.asp?wp=16&customerid=3
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [iqtpdvti] c:documents and settingsnetworkservicelocal settingsapplication dataevueeooukmcyvdiftssd.exe
dRun: [iujmybur] c:documents and settingsnetworkservicelocal settingsapplication dataeksdeadhfmsxwpqgtssd.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\emails~1.lnk - c:\program files\emailsagent\emailsagent\EmailsAgent.exe
uPolicies-explorer: NoActiveDesktop = 2 (0x2)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: Wallpaper =
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
Trusted Zone: musicmatch.com\online
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178737890861
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://mail.crowecounter.com/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {BD41251E-4B03-4898-97B7-74595F808687} = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\rQhIxyyw

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-2-10 47640]
R2 PayClockServer;PayClock Database Service;c:\payclock\Bteng32m.exe [2007-5-3 200763]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2010-5-18 327064]
R2 TouchStationServer;PayClock TouchStation Service;c:\payclock\touchs~1\BTENG32M.EXE [2007-5-3 200763]
R2 TvWksSvc;TeleVantage Workstation Service;c:\program files\common files\artisoft\televantage\TvWksSvc.exe [2006-7-11 102400]
R3 dpK00701;U.are.U Fingerprint Reader Upper Driver;c:\windows\system32\drivers\dpK00701.sys [2004-10-12 41856]
R3 TOUCHDSP;TouchStation LCD/LED USB driver;c:\windows\system32\drivers\TOUCHDSP.sys [2007-5-3 48128]
R3 UsbdpFP;U.are.U Fingerprint Reader Class Driver;c:\windows\system32\drivers\UsbdpFP.sys [2004-10-12 45056]
S2 gupdate1c9edbab4cbc1f7;Google Update Service (gupdate1c9edbab4cbc1f7);c:\program files\google\update\GoogleUpdate.exe [2009-6-15 133104]
S2 tgeiigy;tgeiigy;\??\c:\windows\system32\drivers\onzmsqfmqtw.sys --> c:\windows\system32\drivers\onzmsqfmqtw.sys [?]
S3 TOUCHSTA;TOUCHSTA;c:\windows\system32\drivers\TouchSta.SYS [2007-5-9 20736]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2010-08-09 13:43:45 0 ----a-w- C:\__tmp_rar_sfx_access_check_167796
2010-08-06 19:59:44 0 d-----w- C:\VundoFix Backups
2010-07-15 16:38:34 0 d-----w- c:\docume~1\tammy\applic~1\SUPERAntiSpyware.com
2010-07-12 12:29:33 0 d-sh--w- c:\documents and settings\tammy\PrivacIE

==================== Find3M ====================

2010-06-09 21:54:36 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-09 21:54:35 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-09 21:54:34 87424 ----a-w- c:\windows\system32\LMIinit.dll
2009-08-13 19:07:04 17594 -c--a-w- c:\program files\common files\pucugo._sy
2009-08-13 19:07:04 14592 -c--a-w- c:\program files\common files\kewycezag.exe
2009-08-13 19:07:04 13545 -c--a-w- c:\program files\common files\eripuwe.inf
2009-08-09 19:28:31 17573 -c--a-w- c:\program files\common files\pexubyrym.inf
2009-08-09 19:28:31 15185 ----a-w- c:\program files\common files\jupojofi.dll
2009-08-09 19:28:30 16910 -c--a-w- c:\program files\common files\wibiroguma.bin
2009-08-09 19:28:30 10108 -c--a-w- c:\program files\common files\ulyjyxuty.dl
2009-08-06 14:18:01 10941 -c--a-w- c:\program files\common files\iqes.dll
2009-08-06 14:18:00 11198 -c--a-w- c:\program files\common files\ybivo.reg
2009-07-13 15:15:08 56 -csh--r- c:\windows\system32\A892EC4C7E.sys
2008-03-12 07:13:00 203917 -csha-w- c:\windows\system32\cccdd.ini2
2009-07-13 15:15:09 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-19 14:13:05 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 16:21:21.47 ===============


EDIT: Posts merged ~BP

Oops! Thanks for merging, BP! I remembered on my way home that mods look for unanswered posts. ~MM

Edit 9/10 - Added GMER Scan ARK.TXT log file. ~MM

Edited by Mark Meriaux, 10 August 2010 - 09:28 AM.
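A triage pass over lines in the DDS format posted above, as an added example that is not part of DDS or of this thread: it surfaces the entries a helper would look at first, the loopback IE proxy, the Default-hive autostart from a NetworkService profile, the extra LSA authentication package, and the driver whose file could not be verified. The sample lines are constructed to mirror the posted log (with backslashes restored), and the random-name heuristic is my own assumption, a hint rather than a verdict.

```python
"""Triage of DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Added example, not DDS code. Sample lines are constructed to mirror the log
posted in this thread; the heuristics are assumptions and only mark entries
that deserve a second look.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in DDS format (raw string so the Windows backslashes and
# the \??\ device prefix survive unchanged).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:6522
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [iqtpdvti] c:\documents and settings\networkservice\local settings\application data\evueeooukmcyvdiftssd.exe
Notify: LMIinit - LMIinit.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rQhIxyyw
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S2 tgeiigy;tgeiigy;\??\c:\windows\system32\drivers\onzmsqfmqtw.sys --> c:\windows\system32\drivers\onzmsqfmqtw.sys [?]
"""

VOWELS = set("aeiou")


@dataclass
class Finding:
    line: str
    reason: str


def looks_random(name: str) -> bool:
    """Crude detector for machine-generated names: very few vowels or a long
    consonant run (assumed heuristic, tuned on rQhIxyyw / onzmsqfmqtw / iqtpdvti)."""
    stem = re.sub(r"\.[A-Za-z0-9_]+$", "", name).lower()  # drop the extension
    if len(stem) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5


def _basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").split("\\")[-1]


def triage_line(line: str) -> List[Finding]:
    s = line.strip()
    found: List[Finding] = []

    # 1. Browser proxy on loopback: a local process sits between IE and the network.
    m = re.match(r"[um]Internet Settings,ProxyServer\s*=\s*(.+)$", s)
    if m and re.search(r"127\.0\.0\.1|localhost", m.group(1), re.I):
        found.append(Finding(s, "IE proxy set to loopback; a local process is relaying browser traffic"))

    # 2. Run keys. DDS prefixes: u = HKCU, m = HKLM, d = the Default User hive,
    # which service accounts such as NetworkService pick up at logon.
    m = re.match(r"([umd])Run(?:Once)?:\s*\[([^\]]+)\]\s*(.+)$", s)
    if m:
        hive, name, cmd = m.groups()
        reasons = []
        if hive == "d":
            reasons.append("autostart in the Default User hive")
        if re.search(r"\\local settings\\application data\\", cmd, re.I):
            reasons.append("executable under a profile's Local Settings\\Application Data")
        if looks_random(name) or looks_random(_basename(cmd)):
            reasons.append("random-looking value or file name")
        if reasons:
            found.append(Finding(s, "; ".join(reasons)))

    # 3. LSA authentication packages: anything beyond msv1_0 is loaded into
    # lsass at boot and sees every logon, so it must be accounted for.
    m = re.match(r"LSA:\s*Authentication Packages\s*=\s*(.+)$", s)
    if m:
        extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
        if extra:
            found.append(Finding(s, "extra LSA authentication package(s): " + ", ".join(extra)))

    # 4. Services/drivers: DDS marks a file it could not verify with [?];
    # also flag random-looking service or driver file names.
    m = re.match(r"[RS][0-4]\s+([^;]+);[^;]*;(.*)$", s)
    if m:
        svc, rest = m.groups()
        file_part = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest.split("-->")[-1])
        reasons = []
        if rest.rstrip().endswith("[?]"):
            reasons.append("file could not be verified on disk")
        if looks_random(svc) or looks_random(_basename(file_part)):
            reasons.append("random-looking service or file name")
        if reasons:
            found.append(Finding(s, "; ".join(reasons)))
    return found


def triage(text: str) -> List[Finding]:
    """Run every rule over every line; returns findings in log order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```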



#2 suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Location:South Carolina, USA

Posted 17 August 2010 - 07:50 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  1. Double click on RSIT.exe to run RSIT.
  2. Click Continue at the disclaimer screen.
  3. Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  1. Reply to this thread; do not start another!
  2. Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  3. Do not run any other tool until instructed to do so!
  4. Let me know if any of the links do not work or if any of the tools do not work.
  5. Tell me about problems or symptoms that occur during the fix.
  6. Do not run any other programs or open any other windows while doing a fix.
  7. Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 Mark Meriaux

  • Topic Starter

  • Members
  • 52 posts
  • Gender:Male
  • Location:Atlanta, Georgia, USA

Posted 17 August 2010 - 10:08 AM

I didn't get a response for a few days (I realize you all are volunteers - thanks!), so I removed the HD last night and scanned it using AVG (registered copy) on another machine. It found 60+ more virus, malware, and spyware items that I removed. I put the HD into the computer and rebooted this morning, and still got the WINLOGON.EXE error message. I ignored it and ran the RSIT scan. Log is posted below:

Logfile of random's system information tool 1.08 (written by random/random)
Run by tammy at 2010-08-17 11:06:13
Microsoft Windows XP Professional Service Pack 3
System drive C: has 41 GB (56%) free of 73 GB
Total RAM: 502 MB (38% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\FileCure Default.job
C:\WINDOWS\tasks\FileCure Startup.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\ParetoLogic Registration3.job
C:\WINDOWS\tasks\ParetoLogic Update Version3.job
C:\WINDOWS\tasks\SpyHunter Scanner.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-07-13 278192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-06-01 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-11 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-07-13 278192]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-07-24 63048]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-06-15 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe [2006-02-07 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe [2005-05-15 332800]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-02-23 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e8c526bf]
C:\WINDOWS\system32\jxtgvjnc.dll,b []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe [2005-10-14 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe [2005-10-14 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe [2005-10-14 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2005-06-10 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe [2005-09-08 8192]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe [2005-09-08 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe [2004-11-11 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qqqz]
C:\PROGRA~1\COMMON~1\qqqz\qqqzm.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-02-07 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe [2006-02-07 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Router]
C:\Program Files\Router\Router.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe [2010-05-18 3021720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyShredder]
C:\Program Files\SpyShredder\SpyShredder.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-06-15 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe /checktask []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP Antivirus]
C:\Program Files\XP Antivirus\xpa.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
C:\PROGRA~1\COMMON~1\Intuit\QUICKB~1\QBUpdate\qbupdate.exe [2007-01-22 815104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
EmailsAgentShortcut.lnk - C:\Program Files\EmailsAgent\EmailsAgent\EmailsAgent.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-10-14 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2010-06-09 87424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\rQhIxyyw

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2jfxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati2jfxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=
"EnableProfileQuota"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoActiveDesktop"=2
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoWelcomeScreen"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\PAYCLOCK\Pcscmgr.exe"="C:\PAYCLOCK\Pcscmgr.exe:*:Enabled:PayClock Server Mgr"
"C:\Program Files\TeleVantage\Client\TVClient.exe"="C:\Program Files\TeleVantage\Client\TVClient.exe:*:Enabled:Vertical TeleVantage ViewPoint"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\PAYCLOCK\TERMMGR.exe"="C:\PAYCLOCK\TERMMGR.exe:*:Enabled:TERMMGR"
"C:\PAYCLOCK\RENYRUN.exe"="C:\PAYCLOCK\RENYRUN.exe:*:Enabled:RENYRUN"
"C:\WINDOWS\system32\wpv651232659547.cpx"="C:\WINDOWS\system32\wpv651232659547.cpx:*:Enabled:DHCP Client"
"C:\PAYCLOCK\Reny.exe"="C:\PAYCLOCK\Reny.exe:*:Enabled:PayClock"
"C:\PAYCLOCK\dbmgr.exe"="C:\PAYCLOCK\dbmgr.exe:*:Enabled:TAS API Database Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\RealVNC\VNC4\vncviewer.exe"="C:\Program Files\RealVNC\VNC4\vncviewer.exe:*:Enabled:Run VNC Viewer"
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\PAYCLOCK\MAPDB.exe"="C:\PAYCLOCK\MAPDB.exe:*:Enabled:PayClock Database Connection Object Utility"
"C:\PAYCLOCK\MapDBWizard.exe"="C:\PAYCLOCK\MapDBWizard.exe:*:Enabled:PayClock Database Connection Wizard Utility"
"C:\PAYCLOCK\Bteng32m.exe"="C:\PAYCLOCK\Bteng32m.exe:*:Enabled:PayClock Database Service"
"C:\PAYCLOCK\RBEdit.exe"="C:\PAYCLOCK\RBEdit.exe:*:Enabled:PayClock Raw Registration Editor"
"C:\PAYCLOCK\Pcihsv.exe"="C:\PAYCLOCK\Pcihsv.exe:*:Enabled:PayClock Interactive Help Viewer"
"C:\PAYCLOCK\Pcscmgr.exe"="C:\PAYCLOCK\Pcscmgr.exe:*:Enabled:PayClock Service Connection Manager"
"C:\PAYCLOCK\dbmgr.exe"="C:\PAYCLOCK\dbmgr.exe:*:Enabled:PayClock Database Manager"
"C:\PAYCLOCK\RENYRUN.exe"="C:\PAYCLOCK\RENYRUN.exe:*:Enabled:PayClock Base Module"
"C:\PAYCLOCK\TERMMGR.exe"="C:\PAYCLOCK\TERMMGR.exe:*:Enabled:PayClock Terminal Manager"
"C:\PAYCLOCK\Export32.exe"="C:\PAYCLOCK\Export32.exe:*:Enabled:PayClock Export Engine"
"C:\PAYCLOCK\LicMgr32.exe"="C:\PAYCLOCK\LicMgr32.exe:*:Enabled:PayClock License Manager"
"C:\PAYCLOCK\Reny.exe"="C:\PAYCLOCK\Reny.exe:*:Enabled:PayClock Startup Manager"
"C:\PAYCLOCK\RepWrite.exe"="C:\PAYCLOCK\RepWrite.exe:*:Enabled:PayClock Report Manager"
"C:\PAYCLOCK\Register32.exe"="C:\PAYCLOCK\Register32.exe:*:Enabled:PayClock Registration Wizard"
"C:\PAYCLOCK\QB02Sync.exe"="C:\PAYCLOCK\QB02Sync.exe:*:Enabled:PayClock QuickBooks 2002 Employee Synchronization"
"C:\PAYCLOCK\QB03Sync.exe"="C:\PAYCLOCK\QB03Sync.exe:*:Enabled:PayClock QuickBooks 2003 Employee Synchronization"
"C:\PAYCLOCK\QBSetup.exe"="C:\PAYCLOCK\QBSetup.exe:*:Enabled:PayClock QuickBooks 2002 Setup Wizard"
"C:\PAYCLOCK\QB03Wiz.exe"="C:\PAYCLOCK\QB03Wiz.exe:*:Enabled:PayClock QuickBooks 2003 Setup Wizard"
"C:\PAYCLOCK\MsgCheck.exe"="C:\PAYCLOCK\MsgCheck.exe:*:Enabled:PayClock Message Checker"
"C:\PAYCLOCK\TOUCHS~1\MAPDB.exe"="C:\PAYCLOCK\TOUCHS~1\MAPDB.exe:*:Enabled:PayClock Database Connection Object Utility"
"C:\PAYCLOCK\TOUCHS~1\MapDBWizard.exe"="C:\PAYCLOCK\TOUCHS~1\MapDBWizard.exe:*:Enabled:PayClock Database Connection Wizard Utility"
"C:\PAYCLOCK\TOUCHS~1\Bteng32m.exe"="C:\PAYCLOCK\TOUCHS~1\Bteng32m.exe:*:Enabled:PayClock TouchStation Service"
"C:\PAYCLOCK\TOUCHS~1\Bt32smgr.exe"="C:\PAYCLOCK\TOUCHS~1\Bt32smgr.exe:*:Enabled:PayClock Server Manager"
"C:\PAYCLOCK\TOUCHS~1\RBEdit.exe"="C:\PAYCLOCK\TOUCHS~1\RBEdit.exe:*:Enabled:PayClock Raw Registration Editor"
"C:\PAYCLOCK\TOUCHS~1\Pcihsv.exe"="C:\PAYCLOCK\TOUCHS~1\Pcihsv.exe:*:Enabled:PayClock Interactive Help Viewer"
"C:\PAYCLOCK\TOUCHS~1\EnrollWiz.exe"="C:\PAYCLOCK\TOUCHS~1\EnrollWiz.exe:*:Enabled:PayClock Enrollment Wizard"
"C:\PAYCLOCK\TOUCHS~1\TSMgr.exe"="C:\PAYCLOCK\TOUCHS~1\TSMgr.exe:*:Enabled:PayClock TouchStation Manager"
"C:\Program Files\TeleVantage\Client\TVClient.exe"="C:\Program Files\TeleVantage\Client\TVClient.exe:*:Enabled:Vertical TeleVantage ViewPoint"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer"

======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2010-08-17 11:05:37 ----D---- C:\rsit
2010-08-17 11:05:37 ----D---- C:\Program Files\trend micro
2010-08-16 20:47:50 ----HD---- C:\$AVG
2010-08-09 13:42:53 ----D---- C:\32788R22FWJFW
2010-08-09 11:37:21 ----ASH---- C:\hiberfil.sys

======List of files/folders modified in the last 1 months======

2010-08-17 11:05:38 ----D---- C:\WINDOWS\Prefetch
2010-08-17 11:05:37 ----RD---- C:\Program Files
2010-08-17 10:58:13 ----D---- C:\WINDOWS\Temp
2010-08-17 10:57:32 ----SD---- C:\WINDOWS\Tasks
2010-08-17 10:57:26 ----SHD---- C:\WINDOWS\CSC
2010-08-17 10:57:13 ----D---- C:\WINDOWS\system32\CatRoot2
2010-08-17 10:57:10 ----D---- C:\Program Files\LogMeIn
2010-08-16 20:59:58 ----SHD---- C:\RECYCLER
2010-08-16 20:47:53 ----D---- C:\WINDOWS\system32\wbem
2010-08-16 20:47:53 ----D---- C:\WINDOWS\system32\drivers
2010-08-16 20:47:53 ----D---- C:\WINDOWS
2010-08-16 20:47:53 ----D---- C:\i386
2010-08-16 20:47:50 ----SHD---- C:\System Volume Information
2010-08-12 09:04:05 ----A---- C:\WINDOWS\TASAPI.INI
2010-08-11 20:45:51 ----D---- C:\WINDOWS\security
2010-08-09 15:57:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-08-09 15:56:39 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-08-09 13:42:27 ----D---- C:\WINDOWS\network diagnostic
2010-08-09 12:34:20 ----A---- C:\WINDOWS\win.ini
2010-08-09 11:22:56 ----AC---- C:\WINDOWS\ntbtlog.txt
2010-08-09 11:22:24 ----HDC---- C:\WINDOWS\$NtUninstallKB936021$
2010-08-06 15:39:52 ----D---- C:\Program Files\MUSICMATCH
2010-08-06 15:35:32 ----SHD---- C:\WINDOWS\Installer
2010-08-06 15:35:31 ----HD---- C:\Config.Msi
2010-08-06 15:35:24 ----D---- C:\Program Files\Common Files\Java
2010-08-06 15:35:06 ----D---- C:\WINDOWS\system32
2010-08-06 14:29:27 ----HDC---- C:\WINDOWS\$NtUninstallKB975562$
2010-08-06 14:28:09 ----D---- C:\Documents and Settings\tammy\Application Data\Ibit
2010-08-06 14:27:54 ----D---- C:\Documents and Settings\tammy\Application Data\Izyk
2010-08-05 12:43:51 ----D---- C:\WINDOWS\system32\Restore
2010-08-05 12:02:31 ----D---- C:\Program Files\Google
2010-08-05 10:54:11 ----D---- C:\Program Files\MSN Games
2010-08-05 10:50:19 ----D---- C:\Program Files\Coupons
2010-08-05 10:47:10 ----D---- C:\Program Files\Common Files\Corel
2010-08-04 13:23:58 ----D---- C:\Program Files\Internet Explorer
2010-08-04 12:21:40 ----HDC---- C:\WINDOWS\$NtUninstallKB890859$
2010-08-04 09:43:21 ----HD---- C:\WINDOWS\inf
2010-07-22 16:58:09 ----D---- C:\Program Files\SUPERAntiSpyware
2010-07-22 16:46:47 ----RASH---- C:\boot.ini
2010-07-22 16:46:47 ----A---- C:\WINDOWS\system.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2005-04-25 20640]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-02-07 8552]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-10-14 1302812]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-07-24 10144]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-08-17 1022040]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 tgeiigy;tgeiigy; \??\C:\WINDOWS\system32\drivers\onzmsqfmqtw.sys []
S3 BCM43XX;Wireless-G PCI Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-04-22 265728]
S3 dpK00701;U.are.U Fingerprint Reader Upper Driver; C:\WINDOWS\system32\DRIVERS\dpK00701.sys [2004-10-12 41856]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-10-21 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-10-21 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-10-21 21568]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 TOUCHDSP;TouchStation LCD/LED USB driver; C:\WINDOWS\System32\Drivers\TOUCHDSP.sys [2006-03-23 48128]
S3 TOUCHSTA;TOUCHSTA; C:\WINDOWS\system32\drivers\TouchSta.sys [2006-03-23 20736]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 UsbdpFP;U.are.U Fingerprint Reader Class Driver; C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-10-12 45056]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 DpHost;User Authentication Manager; C:\Program Files\DigitalPersona\Bin\DpHost.exe [2003-09-28 237568]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-17 153376]
R2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2010-06-09 116104]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 PayClockServer;PayClock Database Service; C:\PAYCLOCK\BTENG32M.EXE [2006-01-15 200763]
R2 SpyHunter 4 Service;SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [2010-05-18 327064]
R2 TouchStationServer;PayClock TouchStation Service; C:\PAYCLOCK\TOUCHS~1\BTENG32M.EXE [2006-01-15 200763]
R2 TvWksSvc;TeleVantage Workstation Service; C:\Program Files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe [2006-07-11 102400]
R2 WinVNC4;VNC Server Version 4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2005-03-11 455632]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 gupdate1c9edbab4cbc1f7;Google Update Service (gupdate1c9edbab4cbc1f7); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-06-15 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-15 183280]
S2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-07-24 63040]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2010-04-09 79360]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2009-02-11 14336]

-----------------EOF-----------------

Edited by Mark Meriaux, 17 August 2010 - 10:20 AM.


#4 suebaby41
    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Location:South Carolina, USA

Posted 17 August 2010 - 12:25 PM

  1. Please download Trend Micro - HijackThis.
  2. Double click HJTInstall.exe to begin installation.
  3. Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Browse... button if you want to save it in another location.
  4. Click Install.
  5. A shortcut will be created on your Desktop and HijackThis will run automatically.
  6. You will need to accept the EULA, if it appears, to be able to use the tool.
  7. When HijackThis opens, click on the Do a system scan and save a log file button.
  8. When HijackThis has finished scanning, a window entitled hijackthis.log will open. When you close this window, the log will be saved into the HijackThis folder.
  9. If needed, see TrendMicro™ HijackThis™ Quick Start Guide
  10. Copy and paste this log into your next reply.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 Mark Meriaux
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Atlanta, Georgia, USA

Posted 17 August 2010 - 12:58 PM

Yeah, sorry I just noticed that the previous scan skipped the HJT portion (I have temporarily taken it off our network).
Here's the HJT log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:56:04 PM, on 8/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PAYCLOCK\BTENG32M.EXE
C:\PAYCLOCK\TOUCHS~1\BTENG32M.EXE
C:\Program Files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crowecounter.moraware.net/crowecoun...mp;customerid=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [iqtpdvti] C:\Documents and Settings\NetworkService\Local Settings\Application Data\evueeoouk\mcyvdiftssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [iujmybur] C:\Documents and Settings\NetworkService\Local Settings\Application Data\eksdeadhf\msxwpqgtssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [iqtpdvti] C:\Documents and Settings\NetworkService\Local Settings\Application Data\evueeoouk\mcyvdiftssd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: EmailsAgentShortcut.lnk = C:\Program Files\EmailsAgent\EmailsAgent\EmailsAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178737890861
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.crowecounter.com/Remote/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = crowe.local
O17 - HKLM\Software\..\Telephony: DomainName = crowe.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD41251E-4B03-4898-97B7-74595F808687}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: User Authentication Manager (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Update Service (gupdate1c9edbab4cbc1f7) (gupdate1c9edbab4cbc1f7) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PayClock Database Service (PayClockServer) - MLB Computer Consulting - C:\PAYCLOCK\BTENG32M.EXE
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
O23 - Service: PayClock TouchStation Service (TouchStationServer) - MLB Computer Consulting - C:\PAYCLOCK\TOUCHS~1\BTENG32M.EXE
O23 - Service: TeleVantage Workstation Service (TvWksSvc) - Vertical Communications, Inc. - C:\Program Files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8478 bytes


#6 suebaby41
    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Location:South Carolina, USA

Posted 18 August 2010 - 05:48 AM

Please download ComboFix.
Alternate Link 1
Alternate Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  1. Double click on ComboFix and follow the prompts.
  2. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  3. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  4. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  5. After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    "The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware.
    Click 'No' to exit."
  6. Click Yes, to continue scanning for malware.
  7. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  8. Notes:
    • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    • ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
    • ComboFix disconnects your machine from the Internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post:
  • C:\ComboFix.txt (the log from ComboFix)
  • a new HijackThis log


#7 Mark Meriaux
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Atlanta, Georgia, USA

Posted 18 August 2010 - 11:03 AM

ComboFix won't run... I tried to copy down the error:
Windows can not find "GRPCONV" file..., then BSOD:
STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0x0000005 (0x00000000 0x00000000).
The system has been shut down.


Here's the windows startup error that comes up.
If I click OK or Cancel... BSOD. If I ignore it, the computer runs with limited (slow) productivity.
Attached file: ErrorScreen.JPG (17.49KB)

Edited by Mark Meriaux, 18 August 2010 - 03:19 PM.


#8 Mark Meriaux
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Atlanta, Georgia, USA

Posted 18 August 2010 - 03:32 PM

I restarted the machine in Safe Mode... ComboFix is running now (hopefully without any glitches).
Running without Windows Recovery Console (no internet connection on the machine).

I'll post the log shortly.

Edited by Mark Meriaux, 18 August 2010 - 04:20 PM.


#9 Mark Meriaux
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Atlanta, Georgia, USA

Posted 18 August 2010 - 04:19 PM

ComboFix 10-08-17.04 - Administrator 08/18/2010 16:46:21.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.267 [GMT -4:00]
Running from: c:\documents and settings\tammy\Desktop\SueboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{98D1D55B-73C5-40CD-B96C-8E5C8F08A57B}
c:\documents and settings\Administrator\Local Settings\Application Data\{98D1D55B-73C5-40CD-B96C-8E5C8F08A57B}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{98D1D55B-73C5-40CD-B96C-8E5C8F08A57B}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{98D1D55B-73C5-40CD-B96C-8E5C8F08A57B}\install.rdf
c:\documents and settings\tammy\g2mdlhlpx.exe
c:\program files\Common Files\wnsxs~1
c:\temp\isgTi19
c:\temp\isgTi19\lPig.log
c:\windows\fuqamah.dll
c:\windows\system32\bohhnxgi.ini
c:\windows\system32\bszip.dll
c:\windows\system32\cccdd.ini
c:\windows\system32\cccdd.ini2
c:\windows\system32\cxafpqrs.ini
c:\windows\system32\ecjeodly.ini
c:\windows\system32\fgtrafeh.ini
c:\windows\system32\gimyddhk.ini
c:\windows\system32\hmhjpaaa.ini
c:\windows\system32\hprpqdno.ini
c:\windows\system32\kskxebsy.ini
c:\windows\system32\lnkmaqhu.ini
c:\windows\system32\mguouivw.ini
c:\windows\system32\qoofjxyo.ini
c:\windows\system32\vyimwtkq.ini
c:\windows\system32\xuiggife.ini
c:\windows\system32\zip32.dll
c:\windows\wiaserviv.log
c:\windows\wutuh._sy
c:\windows\xisovyjuzi.dll
c:\windows\yrivuw._sy

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_ICF
-------\Legacy_TCPSR


((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-18 20:53 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-08-18 20:53 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-08-18 20:27 . 2010-08-18 20:27 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-17 15:05 . 2010-08-17 17:55 -------- d-----w- c:\program files\trend micro
2010-08-17 15:05 . 2010-08-17 15:05 -------- d-----w- C:\rsit
2010-08-17 00:47 . 2010-08-17 00:47 -------- d-----w- C:\$AVG
2010-08-12 13:04 . 2010-08-12 13:04 -------- d-----w- c:\documents and settings\tammy\WINDOWS
2010-08-08 17:25 . 2010-08-08 17:25 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-08-07 00:48 . 2010-08-09 15:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\eksdeadhf
2010-08-07 00:48 . 2010-08-09 15:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\evueeoouk
2010-07-21 15:58 . 2010-07-21 15:58 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 15:44 . 2009-02-10 20:59 -------- d-----w- c:\program files\LogMeIn
2010-08-06 19:39 . 2006-02-08 03:25 -------- d-----w- c:\program files\MUSICMATCH
2010-08-06 19:35 . 2006-02-08 03:20 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 16:02 . 2006-02-08 03:36 -------- d-----w- c:\program files\Google
2010-08-05 14:54 . 2006-06-09 15:54 -------- d-----w- c:\program files\MSN Games
2010-08-05 14:50 . 2008-12-09 18:04 -------- d-----w- c:\program files\Coupons
2010-08-05 14:47 . 2006-02-08 03:31 -------- d-----w- c:\program files\Common Files\Corel
2010-07-22 20:58 . 2010-06-29 00:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-29 00:29 . 2010-06-29 00:29 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-29 00:29 . 2010-06-29 00:29 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-29 00:28 . 2010-06-29 00:28 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-29 00:27 . 2010-06-29 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-29 00:27 . 2010-06-29 00:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-29 00:14 . 2010-06-29 00:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-29 00:14 . 2008-08-20 12:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 19:08 . 2006-02-08 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-06-09 21:54 . 2009-02-10 20:59 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-09 21:54 . 2009-02-10 20:59 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-09 21:54 . 2009-02-10 20:59 87424 ----a-w- c:\windows\system32\LMIinit.dll
2009-08-13 19:07 . 2009-08-13 19:07 17594 -c--a-w- c:\program files\Common Files\pucugo._sy
2009-08-13 19:07 . 2009-08-13 19:07 14592 -c--a-w- c:\program files\Common Files\kewycezag.exe
2009-08-13 19:07 . 2009-08-13 19:07 13545 -c--a-w- c:\program files\Common Files\eripuwe.inf
2009-08-09 19:28 . 2009-08-09 19:28 17573 -c--a-w- c:\program files\Common Files\pexubyrym.inf
2009-08-09 19:28 . 2009-08-09 19:28 15185 ----a-w- c:\program files\Common Files\jupojofi.dll
2009-08-09 19:28 . 2009-08-09 19:28 16910 -c--a-w- c:\program files\Common Files\wibiroguma.bin
2009-08-09 19:28 . 2009-08-09 19:28 10108 -c--a-w- c:\program files\Common Files\ulyjyxuty.dl
2009-08-06 14:18 . 2009-08-06 14:18 10941 -c--a-w- c:\program files\Common Files\iqes.dll
2009-08-06 14:18 . 2009-08-06 14:18 11198 -c--a-w- c:\program files\Common Files\ybivo.reg
2001-12-03 21:09 . 2007-04-13 13:52 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
2009-07-13 15:15 . 2006-02-16 19:29 56 -csh--r- c:\windows\system32\A892EC4C7E.sys
2009-07-13 15:15 . 2006-02-16 19:29 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EmailsAgentShortcut.lnk - c:\program files\EmailsAgent\EmailsAgent\EmailsAgent.exe [2010-3-9 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 21:54 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2006-02-08 03:09 61440 ----a-w- c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 08:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-15 02:46 77824 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-09 01:20 8192 -c--a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-09-09 01:20 110592 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
2004-11-11 16:26 26112 -c--a-w- c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-02-08 03:28 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-02-08 03:28 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
2010-05-18 21:04 3021720 ----a-w- c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-06-15 13:09 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\PAYCLOCK\\Pcscmgr.exe"=
"c:\\Program Files\\TeleVantage\\Client\\TVClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\PAYCLOCK\\TERMMGR.exe"=
"c:\\PAYCLOCK\\RENYRUN.exe"=
"c:\\PAYCLOCK\\Reny.exe"=
"c:\\PAYCLOCK\\dbmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:DCOM resolver

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 PayClockServer;PayClock Database Service;c:\payclock\Bteng32m.exe [5/3/2007 10:41 AM 200763]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [5/18/2010 5:06 PM 327064]
R2 TouchStationServer;PayClock TouchStation Service;c:\payclock\TOUCHS~1\BTENG32M.EXE [5/3/2007 11:00 AM 200763]
R2 TvWksSvc;TeleVantage Workstation Service;c:\program files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe [7/11/2006 4:40 AM 102400]
S2 gupdate1c9edbab4cbc1f7;Google Update Service (gupdate1c9edbab4cbc1f7);c:\program files\Google\Update\GoogleUpdate.exe [6/15/2009 9:10 AM 133104]
S2 tgeiigy;tgeiigy;\??\c:\windows\system32\drivers\onzmsqfmqtw.sys --> c:\windows\system32\drivers\onzmsqfmqtw.sys [?]
S3 dpK00701;U.are.U Fingerprint Reader Upper Driver;c:\windows\system32\drivers\dpK00701.sys [10/12/2004 3:51 PM 41856]
S3 TOUCHDSP;TouchStation LCD/LED USB driver;c:\windows\system32\drivers\TOUCHDSP.sys [5/3/2007 10:51 AM 48128]
S3 TOUCHSTA;TOUCHSTA;c:\windows\system32\drivers\TouchSta.SYS [5/9/2007 12:50 PM 20736]
S3 UsbdpFP;U.are.U Fingerprint Reader Class Driver;c:\windows\system32\drivers\UsbdpFP.sys [10/12/2004 3:53 PM 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37b7c26f-b4f6-11dd-9e28-000c41651900}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cUEGAat.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7594e746-0f18-11de-9e5b-000c41651900}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-15 13:09]

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 13:10]

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 13:10]

2010-08-12 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2009-12-09 13:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://crowecounter.moraware.net/crowecounter/default.asp?wp=16&customerid=3
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
Trusted Zone: musicmatch.com\online
TCP: {BD41251E-4B03-4898-97B7-74595F808687} = 192.168.1.1
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-ati2jfxx.sys
MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
MSConfigStartUp-dla - c:\windows\system32\dla\tfswctrl.exe
MSConfigStartUp-e8c526bf - c:\windows\system32\jxtgvjnc.dll
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-qqqz - c:\progra~1\COMMON~1\qqqz\qqqzm.exe
MSConfigStartUp-Router - c:\program files\Router\Router.exe
MSConfigStartUp-runner1 - c:\windows\mrofinu572.exe
MSConfigStartUp-SpyShredder - c:\program files\SpyShredder\SpyShredder.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
MSConfigStartUp-Windows update loader - c:\windows\xpupdate.exe
MSConfigStartUp-XP Antivirus - c:\program files\XP Antivirus\xpa.exe
AddRemove-{03CE1BCB-03F5-4C6A-B37E-69799AA3C544} - c:\program files\Enigma Software Group\SpyHunter\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 16:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PayClockServer]
"ImagePath"="c:\payclock\BTENG32M.EXE /SCN:PayClockServer"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TouchStationServer]
"ImagePath"="c:\payclock\TOUCHS~1\BTENG32M.EXE /SCN:TouchStationServer"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(932)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\DigitalPersona\Bin\DpHost.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-18 17:07:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 21:07

Pre-Run: 43,519,164,416 bytes free
Post-Run: 43,240,423,424 bytes free

- - End Of File - - F2D9475393A70CBF44002DEE31955F86
************************************************************************************************
************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:10:43 PM, on 8/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PAYCLOCK\BTENG32M.EXE
C:\PAYCLOCK\TOUCHS~1\BTENG32M.EXE
C:\Program Files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\EmailsAgent\EmailsAgent\EmailsAgent.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crowecounter.moraware.net/crowecoun...mp;customerid=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: EmailsAgentShortcut.lnk = C:\Program Files\EmailsAgent\EmailsAgent\EmailsAgent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178737890861
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.crowecounter.com/Remote/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = crowe.local
O17 - HKLM\Software\..\Telephony: DomainName = crowe.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD41251E-4B03-4898-97B7-74595F808687}: NameServer = 192.168.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: User Authentication Manager (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Update Service (gupdate1c9edbab4cbc1f7) (gupdate1c9edbab4cbc1f7) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PayClock Database Service (PayClockServer) - MLB Computer Consulting - C:\PAYCLOCK\BTENG32M.EXE
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
O23 - Service: PayClock TouchStation Service (TouchStationServer) - MLB Computer Consulting - C:\PAYCLOCK\TOUCHS~1\BTENG32M.EXE
O23 - Service: TeleVantage Workstation Service (TvWksSvc) - Vertical Communications, Inc. - C:\Program Files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7802 bytes


Things are looking better already!!
I think that I could now log on to our network/internet connection, run a supplemental ComboFix scan and install the Windows Recovery Console.
I'll wait for your instructions, however.

Edited by Mark Meriaux, 18 August 2010 - 04:26 PM.
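
An added example, not part of Mark's post or of the ComboFix output above: a short Python triage that reads a ComboFix log (the proxy rule also matches the equivalent HijackThis R1 line) and flags the entries a responder would look at first. The sample log is a constructed excerpt copying representative lines from the posted log; the rule names and heuristics are this example's own, not anything ComboFix does. Applied to this log it picks out the IE proxy set to 127.0.0.1:6522 (every IE HTTP request is handed to a listener on the local machine, and if nothing is listening any more browsing simply fails), Security Center told to stop monitoring McAfee while the Windows Firewall policy is disabled with 3389/TCP and 135/TCP opened globally, the service tgeiigy whose driver file ComboFix could not find, the mount-point AutoRun handler that launches cUEGAat.EXE, the loose random-named files dropped directly into Common Files, and orphaned startup entries named after rogue security products.

```python
"""Triage a ComboFix log for the indicators visible in the thread above.

Added example: not part of either poster's message and not a ComboFix feature.
The rule names and heuristics are this example's own; SAMPLE_LOG is a
constructed excerpt copying representative lines from the posted log.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_LOG = r"""
2009-08-13 19:07 . 2009-08-13 19:07 17594 -c--a-w- c:\program files\Common Files\pucugo._sy
2009-08-13 19:07 . 2009-08-13 19:07 14592 -c--a-w- c:\program files\Common Files\kewycezag.exe
2009-08-09 19:28 . 2009-08-09 19:28 15185 ----a-w- c:\program files\Common Files\jupojofi.dll
2005-06-10 16:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:DCOM resolver
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
S2 tgeiigy;tgeiigy;\??\c:\windows\system32\drivers\onzmsqfmqtw.sys --> c:\windows\system32\drivers\onzmsqfmqtw.sys [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37b7c26f-b4f6-11dd-9e28-000c41651900}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cUEGAat.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7594e746-0f18-11de-9e5b-000c41651900}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
MSConfigStartUp-XP Antivirus - c:\program files\XP Antivirus\xpa.exe
MSConfigStartUp-Windows update loader - c:\windows\xpupdate.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


SECTION = re.compile(r"^\[(.+)\]$")  # registry key header line
# A file sitting directly under Common Files (no vendor subfolder) is unusual:
# installers create subfolders there, droppers often do not.
LOOSE_COMMON_FILE = re.compile(r"c:\\program files\\common files\\[^\\\s]+$", re.IGNORECASE)
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=')
SERVICE_MISSING = re.compile(r"^[RS]\d .*-->\s*\S+\s+\[\?\]$")  # ComboFix marks a missing image with [?]
AUTORUN = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+")
PROXY = re.compile(r"ProxyServer\s*=\s*(\S+)", re.IGNORECASE)
ROGUE_NAMES = ("xp antivirus", "spyshredder", "windows update loader")  # names seen in this log


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry section, and emit findings."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        lower = line.lower()
        if LOOSE_COMMON_FILE.search(line):
            findings.append(Finding("loose-file-in-common-files", line))
        if "security center\\monitoring" in section and '"disablemonitoring"=dword:00000001' in lower:
            findings.append(Finding("security-center-monitoring-disabled", line))
        if "firewallpolicy" in section and lower.startswith('"enablefirewall"= 0'):
            findings.append(Finding("firewall-disabled", line))
        m = OPEN_PORT.match(line)
        if m and "globallyopenports" in section:
            findings.append(Finding(f"open-port-{m.group(1)}-{m.group(2).lower()}", line))
        if SERVICE_MISSING.match(line):
            findings.append(Finding("service-image-missing", line))
        if "mountpoints2" in section and AUTORUN.match(line):
            findings.append(Finding("mountpoint-autorun", line))
        m = PROXY.search(line)
        if m and "127.0.0.1" in m.group(1):
            findings.append(Finding("local-proxy", line))
        if lower.startswith("msconfigstartup-") and any(n in lower for n in ROGUE_NAMES):
            findings.append(Finding("rogue-product-orphan", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule; a quick first look at a long log."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:38} {f.line}")
```

Run it on a saved log with `triage(open(path).read())` and treat the output as a worklist rather than a verdict: the E:\LaunchU3.exe entry is a U3 flash drive's own autorun and is listed only because every mount-point AutoRun handler deserves a look, and the ISUSPM.exe line in the sample shows that files inside a vendor subfolder are left alone.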


#10 suebaby41 (W.A.M. (Women Against Malware); Malware Response Team; South Carolina, USA)

Posted 18 August 2010 - 04:32 PM

I do not see any obvious signs of malware. How is your computer behaving?
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#11 Mark Meriaux (Topic Starter; Members; Atlanta, Georgia, USA)

Posted 19 August 2010 - 08:37 AM

Viruses and malware appear to be gone.

Winlogon is working correctly.

Standalone programs working..............but

Must have lost something with networking/connectivity. This desktop has both an integral network card, and a PCI wireless card.
Both appear in hardware profiles, but do not ever connect.
The network card says "Limited or No Connectivity" - I have tried connection locations and different working cables.
When I try to activate/renew the wireless card, it goes all the way to "Acquiring Network Address", but never connects.

Also, in Security Center, the computer believes that McAfee VirusScan is installed and running.
I do not believe McAfee is installed on the machine?
In Add/Remove programs, McAfee is not there.
Firewall also is turned OFF, and Windows Firewall cannot be enabled.

Edited by Mark Meriaux, 19 August 2010 - 09:43 AM.


#12 suebaby41 (W.A.M. (Women Against Malware); Malware Response Team; South Carolina, USA)

Posted 19 August 2010 - 01:43 PM

Let's remove ComboFix.
  1. Click START > RUN.
  2. Type Combofix /u in the run box and click OK.
This procedure will delete the following:
  • ComboFix and its associated files and folders, VundoFix backups, the C:\Deckard folder and the C:\_OtMoveIt folder, if present.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
Please run this program.
Step 1

Often redirection is caused by a DNS and Hosts file hijack. Flush and restore both.

Clean Hosts File
  1. In Explorer, open the folder C:\WINDOWS\SYSTEM32\DRIVERS\ETC.
  2. Open the file HOSTS in Notepad. Before making changes, do a Save As and save a backup of this file as HOSTS.BAK.
  3. Reopen the HOSTS file.
  4. Delete all entries in this file except for the following and any other entries you are sure have legitimate uses:

     127.0.0.1 localhost
  5. Save the file.
Note: If you use customized Hosts Files such as the mvps hosts file, you will need to download and install it again. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE.

Step 2

Flush DNS:
  1. Open up a command prompt Start > Run > "cmd.exe" > OK.
  2. Type in the command ipconfig /flushdns.
Step 3

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
How is your computer behaving now?

Edited by suebaby41, 19 August 2010 - 01:45 PM.

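
An added example, not part of suebaby41's post and not something TDSSKiller or ComboFix does: a Python audit of a Windows hosts file (on XP, C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts) that sorts every mapping into the categories Step 1 is really about before anything is deleted. Entries that send a hostname to a routable address are the classic redirect hijack. Entries that send it to 127.0.0.1 or 0.0.0.0 look the same whether they come from a block list such as the MVPS hosts file or from malware that stops a security vendor's update hosts resolving, so the code reports them as a separate category and lets the operator whitelist the ones that are wanted. The sample hosts file and every hostname in it are constructed for this illustration.

```python
"""Audit and clean a Windows hosts file the way Step 1 above describes.

Added example; not part of the original post and not a feature of the tools it
mentions.  SAMPLE_HOSTS and its hostnames are constructed for this illustration.
"""
import ipaddress
import shutil
from typing import Dict, List, Tuple

Entry = Tuple[int, str, str]  # (line number, address, hostname)

# Mappings a stock hosts file carries: XP ships only the first, later Windows adds ::1.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: the stock line, a block-list style entry, a redirect of a
# made-up vendor update host to a routable address, a loopback entry for another
# vendor host, and a line that does not parse at all.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test      # block-list style
203.0.113.10    update.example-av.test         # redirect to a routable host
127.0.0.1       www.example-av.test            # loopback: vendor site no longer resolves
notanip         broken-line
"""


def parse_hosts(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Return (mappings, invalid lines).  Text after '#' and blank lines are
    ignored; one line may map several hostnames to the same address."""
    mappings: List[Entry] = []
    invalid: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            invalid.append((lineno, raw))
            continue
        if len(fields) < 2:
            invalid.append((lineno, raw))
            continue
        mappings.extend((lineno, fields[0], host.lower()) for host in fields[1:])
    return mappings, invalid


def audit_hosts(text: str) -> Dict[str, list]:
    """Classify each mapping:
    keep      the stock localhost mapping
    blocking  hostname sent to a loopback or unspecified address (block lists and
              update-blocking hijacks both look like this)
    redirect  hostname sent to a routable address, the classic hijack
    invalid   lines that are neither comments nor address + hostnames"""
    mappings, invalid = parse_hosts(text)
    report: Dict[str, list] = {"keep": [], "blocking": [], "redirect": [], "invalid": invalid}
    for lineno, addr, host in mappings:
        ip = ipaddress.ip_address(addr)
        if (addr, host) in DEFAULT_ENTRIES:
            report["keep"].append((lineno, addr, host))
        elif ip.is_loopback or ip.is_unspecified:
            report["blocking"].append((lineno, addr, host))
        else:
            report["redirect"].append((lineno, addr, host))
    return report


def clean_hosts(text: str, keep_hosts=()) -> str:
    """Return the file with only comments, the stock mapping(s) and whitelisted
    hostnames left, which is what Step 1 asks for.  A line carrying any mapping
    that is not allowed is dropped whole."""
    allowed = {h.lower() for h in keep_hosts}
    mappings, invalid = parse_hosts(text)
    drop = {lineno for lineno, _ in invalid}
    drop.update(lineno for lineno, addr, host in mappings
                if (addr, host) not in DEFAULT_ENTRIES and host not in allowed)
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1) if lineno not in drop]
    return "\n".join(kept) + "\n"


def rewrite_hosts_file(path: str, keep_hosts=()) -> str:
    """Back the file up beside itself (HOSTS -> HOSTS.BAK), then write the cleaned copy."""
    shutil.copyfile(path, path + ".BAK")
    with open(path, encoding="utf-8", errors="replace") as fh:
        cleaned = clean_hosts(fh.read(), keep_hosts)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    return cleaned


if __name__ == "__main__":
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        for entry in entries:
            print(f"{category:9} line {entry[0]}: {' '.join(str(x) for x in entry[1:])}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Review the `blocking` list by hand before running `rewrite_hosts_file`: a block list you installed yourself belongs in `keep_hosts`, whereas loopback entries for hostnames you never added (vendor update or download sites in particular) are exactly what the instructions tell you to remove. `ipconfig /flushdns` from Step 2 is still needed afterwards, because the resolver cache keeps the old answers until it is cleared.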

#13 Mark Meriaux (Topic Starter; Members; Atlanta, Georgia, USA)

Posted 19 August 2010 - 02:10 PM

I started removing ComboFix (pre step 1), and got:

    ComboFix has detected the following real time scanner(s) to be active:
    antivirus: McAfee VirusScan

Before clicking OK, I wanted to do a more in-depth search on running processes (by looking at Task Manager).

I found the following "questionable" processes active:
services.exe

I did not see any running process listed as any known McAfee program/process???

I went ahead and clicked OK in ComboFix......again without Windows Recovery Console (no internet connection).
Will post results shortly...

Edited by Mark Meriaux, 19 August 2010 - 02:22 PM.


#14 suebaby41 (W.A.M. (Women Against Malware); Malware Response Team; South Carolina, USA)

Posted 19 August 2010 - 02:26 PM

To remove McAfee, try this program.
  1. Please download MCPR removal tool.
  2. Click Save and save the file to your desktop.
  3. Close all McAfee Application windows you may have open, and double-click on MCPR.exe to start the removal tool. Windows Vista users will have to right-click on the file and select Run as Administrator.
  4. Restart your computer after receiving the message CleanUp Successful. Your McAfee product will not be fully removed until the system is restarted.
  5. Click Start > My Computer, double-click on Drive C.
  6. Double-click on Program Files.
  7. Look for any McAfee product folders that remain. Right-click on them and choose Delete.
  8. Close My Computer and other folders.

services.exe is a legitimate program.

#15 Mark Meriaux (Topic Starter; Members; Atlanta, Georgia, USA)

Posted 19 August 2010 - 02:42 PM

I'm running steps 1-2-3 and getting rid of residual McAfee stuff. In the meantime, here's the recent ComboFix log:

ComboFix 10-08-17.04 - tammy 08/19/2010 15:22:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.122 [GMT -4:00]
Running from: c:\documents and settings\tammy\Desktop\SueboFix.exe
Command switches used :: /u
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\tammy\LOCALS~1\Temp\install_flash_player.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
.

2010-08-18 20:53 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-08-18 20:53 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-08-18 20:30 . 2010-08-18 21:07 -------- d-----w- C:\SueboFix
2010-08-18 20:27 . 2010-08-18 20:27 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-17 15:05 . 2010-08-17 17:55 -------- d-----w- c:\program files\trend micro
2010-08-17 15:05 . 2010-08-17 15:05 -------- d-----w- C:\rsit
2010-08-17 00:47 . 2010-08-17 00:47 -------- d-----w- C:\$AVG
2010-08-12 13:04 . 2010-08-12 13:04 -------- d-----w- c:\documents and settings\tammy\WINDOWS
2010-08-08 17:25 . 2010-08-08 17:25 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-08-07 00:48 . 2010-08-09 15:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\eksdeadhf
2010-08-07 00:48 . 2010-08-09 15:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\evueeoouk
2010-07-21 15:58 . 2010-07-21 15:58 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-19 13:39 . 2009-02-10 20:59 -------- d-----w- c:\program files\LogMeIn
2010-08-06 19:39 . 2006-02-08 03:25 -------- d-----w- c:\program files\MUSICMATCH
2010-08-06 19:35 . 2006-02-08 03:20 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 16:02 . 2006-02-08 03:36 -------- d-----w- c:\program files\Google
2010-08-05 14:54 . 2006-06-09 15:54 -------- d-----w- c:\program files\MSN Games
2010-08-05 14:50 . 2008-12-09 18:04 -------- d-----w- c:\program files\Coupons
2010-08-05 14:47 . 2006-02-08 03:31 -------- d-----w- c:\program files\Common Files\Corel
2010-07-22 20:58 . 2010-06-29 00:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-29 00:29 . 2010-06-29 00:29 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-29 00:29 . 2010-06-29 00:29 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-29 00:28 . 2010-06-29 00:28 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-29 00:27 . 2010-06-29 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-29 00:27 . 2010-06-29 00:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-29 00:14 . 2010-06-29 00:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-29 00:14 . 2008-08-20 12:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 19:08 . 2006-02-08 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-06-09 21:54 . 2009-02-10 20:59 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-09 21:54 . 2009-02-10 20:59 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-09 21:54 . 2009-02-10 20:59 87424 ----a-w- c:\windows\system32\LMIinit.dll
2009-08-13 19:07 . 2009-08-13 19:07 17594 -c--a-w- c:\program files\Common Files\pucugo._sy
2009-08-13 19:07 . 2009-08-13 19:07 14592 -c--a-w- c:\program files\Common Files\kewycezag.exe
2009-08-13 19:07 . 2009-08-13 19:07 13545 -c--a-w- c:\program files\Common Files\eripuwe.inf
2009-08-09 19:28 . 2009-08-09 19:28 17573 -c--a-w- c:\program files\Common Files\pexubyrym.inf
2009-08-09 19:28 . 2009-08-09 19:28 15185 ----a-w- c:\program files\Common Files\jupojofi.dll
2009-08-09 19:28 . 2009-08-09 19:28 16910 -c--a-w- c:\program files\Common Files\wibiroguma.bin
2009-08-09 19:28 . 2009-08-09 19:28 10108 -c--a-w- c:\program files\Common Files\ulyjyxuty.dl
2009-08-06 14:18 . 2009-08-06 14:18 10941 -c--a-w- c:\program files\Common Files\iqes.dll
2009-08-06 14:18 . 2009-08-06 14:18 11198 -c--a-w- c:\program files\Common Files\ybivo.reg
2001-12-03 21:09 . 2007-04-13 13:52 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
2009-07-13 15:15 . 2006-02-16 19:29 56 -csh--r- c:\windows\system32\A892EC4C7E.sys
2009-07-13 15:15 . 2006-02-16 19:29 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-08-18_20.57.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-19 14:34 . 2010-08-19 14:34 16384 c:\windows\temp\Perflib_Perfdata_7a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EmailsAgentShortcut.lnk - c:\program files\EmailsAgent\EmailsAgent\EmailsAgent.exe [2010-3-9 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 21:54 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2006-02-08 03:09 61440 ----a-w- c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2005-05-15 08:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-15 02:46 77824 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-09 01:20 8192 -c--a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2005-09-09 01:20 110592 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
2004-11-11 16:26 26112 -c--a-w- c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-02-08 03:28 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-02-08 03:28 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
2010-05-18 21:04 3021720 ----a-w- c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-06-15 13:09 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\PAYCLOCK\\Pcscmgr.exe"=
"c:\\Program Files\\TeleVantage\\Client\\TVClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\PAYCLOCK\\TERMMGR.exe"=
"c:\\PAYCLOCK\\RENYRUN.exe"=
"c:\\PAYCLOCK\\Reny.exe"=
"c:\\PAYCLOCK\\dbmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:DCOM resolver

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 PayClockServer;PayClock Database Service;c:\payclock\Bteng32m.exe [5/3/2007 10:41 AM 200763]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [5/18/2010 5:06 PM 327064]
R2 TouchStationServer;PayClock TouchStation Service;c:\payclock\TOUCHS~1\BTENG32M.EXE [5/3/2007 11:00 AM 200763]
R2 TvWksSvc;TeleVantage Workstation Service;c:\program files\Common Files\Artisoft\TeleVantage\TvWksSvc.exe [7/11/2006 4:40 AM 102400]
S2 gupdate1c9edbab4cbc1f7;Google Update Service (gupdate1c9edbab4cbc1f7);c:\program files\Google\Update\GoogleUpdate.exe [6/15/2009 9:10 AM 133104]
S2 tgeiigy;tgeiigy;\??\c:\windows\system32\drivers\onzmsqfmqtw.sys --> c:\windows\system32\drivers\onzmsqfmqtw.sys [?]
S3 dpK00701;U.are.U Fingerprint Reader Upper Driver;c:\windows\system32\drivers\dpK00701.sys [10/12/2004 3:51 PM 41856]
S3 TOUCHDSP;TouchStation LCD/LED USB driver;c:\windows\system32\drivers\TOUCHDSP.sys [5/3/2007 10:51 AM 48128]
S3 TOUCHSTA;TOUCHSTA;c:\windows\system32\drivers\TouchSta.SYS [5/9/2007 12:50 PM 20736]
S3 UsbdpFP;U.are.U Fingerprint Reader Class Driver;c:\windows\system32\drivers\UsbdpFP.sys [10/12/2004 3:53 PM 45056]
.
Contents of the 'Scheduled Tasks' folder

2010-08-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-15 13:09]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 13:10]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-15 13:10]

2010-08-12 c:\windows\Tasks\SpyHunter Scanner.job
- c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2009-12-09 13:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://crowecounter.moraware.net/crowecounter/default.asp?wp=16&customerid=3
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
Trusted Zone: musicmatch.com\online
TCP: {BD41251E-4B03-4898-97B7-74595F808687} = 192.168.1.1
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-19 15:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PayClockServer]
"ImagePath"="c:\payclock\BTENG32M.EXE /SCN:PayClockServer"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TouchStationServer]
"ImagePath"="c:\payclock\TOUCHS~1\BTENG32M.EXE /SCN:TouchStationServer"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-08-19 15:37:59
ComboFix-quarantined-files.txt 2010-08-19 19:37

Pre-Run: 43,215,183,872 bytes free
Post-Run: 43,731,886,080 bytes free

- - End Of File - - 0769AF190384CC9AE90CACFC067D70EA
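Added example for this thread (not part of the original post and not ComboFix code): a small Python triage script that walks lines in the shapes ComboFix prints and flags the entry classes an analyst looks at first in a log like the one above: a service whose image file ComboFix could not find (the `[?]` marker on the `tgeiigy` line), an Internet Explorer proxy pointing at the loopback interface (`127.0.0.1:6522`), the XP firewall standard profile disabled by policy, Security Center monitoring turned off, and remote-access ports opened to every network in the firewall's GloballyOpenPorts list. The sample log is constructed from lines in the log above; the finding names, the `proxy_hosts`/`triage` functions and the port table are this example's own choices.

```python
"""Triage a ComboFix-style log for a few high-signal indicator classes.

Added example for this thread; it is not part of the original post and not
code from ComboFix. The indicator classes, finding names and port table are
this example's own choices.
"""
import re
from typing import Dict, List

# Constructed sample: lines in the shapes ComboFix prints, with values taken
# from the log posted above. A real run would read the whole ComboFix.txt.
SAMPLE_LOG = r"""
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:DCOM resolver
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S2 tgeiigy;tgeiigy;\??\c:\windows\system32\drivers\onzmsqfmqtw.sys --> c:\windows\system32\drivers\onzmsqfmqtw.sys [?]
S3 dpK00701;U.are.U Fingerprint Reader Upper Driver;c:\windows\system32\drivers\dpK00701.sys [10/12/2004 3:51 PM 41856]
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
"""

# ComboFix service line: "<R|S><n> <name>;<display>;<image path> [<date size> | ?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)\s\[(?P<info>[^\]]*)\]$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                          # registry key header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')  # "name"= value
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Ports that should never be open to every network on a workstation (own choice).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 23: "Telnet", 22: "SSH"}


def proxy_hosts(value: str) -> List[str]:
    """'http=127.0.0.1:6522;https=h:8080' or 'h:8080' -> ['127.0.0.1', 'h']."""
    hosts = []
    for entry in value.split(";"):
        target = entry.split("=", 1)[-1]        # drop a 'scheme=' prefix if present
        hosts.append(target.rsplit(":", 1)[0])  # drop ':port'
    return hosts


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line; each has kind, line and detail."""
    findings: List[Dict[str, str]] = []
    current_key = ""  # last registry key header seen, lower-cased

    def add(kind: str, line: str, detail: str) -> None:
        findings.append({"kind": kind, "line": line, "detail": detail})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        if line.startswith("FW:") and "*disabled*" in line.lower():
            add("firewall_off", line, "Security Center reports the registered firewall as disabled")
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("info").strip() == "?":  # ComboFix prints [?] when the image file is absent
                add("missing_image", line,
                    f"service {m.group('name')} ({m.group('start')}) points at "
                    f"{m.group('image')}, which ComboFix could not find on disk")
            continue
        m = PROXY_RE.search(line)
        if m:
            if any(h in LOOPBACK for h in proxy_hosts(m.group("value"))):
                add("localhost_proxy", line,
                    f"IE proxy set to {m.group('value')}; find the process listening "
                    "on that loopback port (netstat -ano) before trusting browser traffic")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if "firewallpolicy" in current_key and name == "EnableFirewall" and value.startswith("0"):
            add("firewall_off", line, "Windows Firewall standard profile is disabled by policy")
        elif "security center\\monitoring" in current_key and name == "DisableMonitoring" and value.endswith("1"):
            add("sc_monitoring_off", line,
                "Security Center monitoring disabled for this product (often set by the suite itself; low confidence)")
        elif "globallyopenports" in current_key and re.match(r"\d+:(TCP|UDP)$", name, re.I):
            port = int(name.split(":")[0])
            if port in REMOTE_ACCESS_PORTS:
                add("open_remote_port", line,
                    f"{REMOTE_ACCESS_PORTS[port]} (port {port}) is open to every network")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}\n    {f['line']}")
```

None of these findings is proof of infection on its own: security suites such as McAfee routinely set `DisableMonitoring` for their own products, and some legitimate software installs a loopback web proxy, so the output is a list of things to verify on the machine (which process owns the listening port, whether the driver file ever existed, who opened 3389 to every network), not a verdict. The service with no image on disk is the one entry a helper would normally ask for first, since a start-type 2 service that points at a randomly named, missing driver is exactly the residue that survives a partial cleanup.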