Dec 24 2008, 07:13 AM
Post #1
Member | Group: Members | Posts: 16 | Joined: 23-December 08 | Member No.: 273,285
I've spent the last two days removing something, identified as Vundo, Sheur, Generic12 at various times/stages. As of this AM, have been able to run AdAware, McAfee, Combofix all with no threats IDed. Have not reconnected to the net yet, other than to download the latest McAfee and AdAware filters. HOWEVER, Combofix identifies several files I can't identify, or find any info on the net- for example...

zycahufi.bat- can't read this one
ojugyz.exe
ezicosoqa.sys

SO, I'd like to get a reading on whether I'm really clean or not. HJT log below. Thanks so much for this service, and this site!

DP

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:40 AM, on 12/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\user1\Desktop\RSIT.exe
C:\HiJackThis\user1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N3 - Netscape 7: # Mozilla User Preferences /* Do not edit this file. * * If you make changes to this file while the browser is running, * the changes will be overwritten when the browser exits. * * To make a manual change to preferences, you can visit the URL about:config * For more information, see http://www.mozilla.org/unix/customizing.html#prefs */ user_pref("aim.session.firsttime", false); user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.activation.screenname", "dellphinus"); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.cache.disk.parent_directory", "C:\\Program Files\\Netscape"); user_pref("browser.display.screen_resolution", 96); user_pref("browser.download.dir", "C:\\firefox"); user_pref("browser.download.progressDnldDialog.keepAlive", false); user_pref("browser.download.progressDnlgDialog.dontAskForLaunch", true); user_pref("browser.download.save_converter_index", 2); user_pref("browser.downloadmanager.behavior", 1); user_pref("browser.hi
N3 - Netscape 7: # Mozilla User Preferences /* Do not edit this file. * * If you make changes to this file while the browser is running, * the changes will be overwritten when the browser exits. * * To make a manual change to preferences, you can visit the URL about:config * For more information, see http://www.mozilla.org/unix/customizing.html#prefs */ user_pref("aim.session.firsttime", false); user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.activation.screenname", "dellphinus"); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.cache.disk.parent_directory", "C:\\Program Files\\Netscape"); user_pref("browser.display.screen_resolution", 96); user_pref("browser.download.dir", "C:\\firefox"); user_pref("browser.download.progressDnldDialog.keepAlive", false); user_pref("browser.download.progressDnlgDialog.dontAskForLaunch", true); user_pref("browser.download.save_converter_index", 2); user_pref("browser.downloadmanager.behavior", 1); user_pref("browser.hi
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office2K\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office2K\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Deskshop - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program Files\Discover Deskshop\Deskshop.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194397426484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194397286859
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://boeing.webex.com/client/T23LBA/webex/ieatgpc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 10633 bytes
Dec 31 2008, 02:58 PM
Post #2
Group: HJT Team | Posts: 6,883 | Joined: 10-March 08 | Member No.: 195,473
Hello.
Sorry for the wait.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how. To disable McAfee:

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

Please also include a new HijackThis log.

With Regards,
The Panda
--------------------
Jan 1 2009, 09:23 AM
Post #3
Member | Group: Members | Posts: 16 | Joined: 23-December 08 | Member No.: 273,285
Greetings Panda, looks like you folks have been pretty busy over the holidays...
REALLY appreciate the service you folks provide, thanks! Since the first post I've added Proventia Firewall, and disabled Windows firewall. Also running AdAware and Malware scans daily. All have been clean. All suspicious or un-identifiable files I've found I added a ".QUAR" to, and removed the file suffix "." so unknown.dll becomes unknowndll.QUAR. Only suspicious activities now are an occasional unexplainable ! sound, usually shortly after a reboot/restart, and an occasional slowing of opening and populating a Windows Explorer window- may be due to McAfee and Proventia activity? I also have the logs from the scans before, during and after the "cleaning", if needed.

Logs as requested:

ComboFix 08-12-31.01 - Dennis 2009-01-01 7:33:03.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.549 [GMT -6:00]
Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.
2008-12-28 12:18 . 2008-12-28 12:21 <DIR> d-------- c:\documents and settings\Dennis\SecurityScans
2008-12-26 07:51 . 2008-12-26 07:51 <DIR> d-------- c:\program files\UninstallScripts
2008-12-26 07:50 . 2008-12-26 07:50 <DIR> d-------- c:\program files\ISS
2008-12-26 07:50 . 2007-01-16 14:37 197,106 --a------ c:\windows\system32\drivers\Blackcat.sys
2008-12-26 07:50 . 2006-09-13 16:59 76,849 --a------ c:\windows\system32\drivers\MakoNT.sys
2008-12-26 07:50 . 2007-01-16 14:37 47,788 --a------ c:\windows\system32\drivers\RapDrv.sys
2008-12-26 07:50 . 2008-12-26 07:50 256 --a------ c:\windows\system32\imagehlp_dll.iss
2008-12-26 07:50 . 2008-12-26 07:51 28 --a------ c:\windows\system32\ole32_dll.iss
2008-12-26 07:50 . 2008-12-26 07:50 28 --a------ c:\windows\system32\lz32_dll.iss
2008-12-26 07:50 . 2008-12-26 07:50 28 --a------ c:\windows\system32\gdi32_dll.iss
2008-12-26 07:50 . 2008-12-26 07:50 28 --a------ c:\windows\system32\comdlg32_dll.iss
2008-12-25 08:14 . 2008-12-25 08:14 <DIR> d-------- c:\program files\Bonjour
2008-12-25 08:13 . 2008-12-25 08:13 <DIR> d-------- c:\program files\iPod
2008-12-25 08:13 . 2008-12-25 08:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-24 06:48 . 2008-12-24 06:56 162 --ah----- c:\windows\~$cahufibat.quar
2008-12-24 05:40 . 2008-12-24 05:40 <DIR> d-------- C:\rsit
2008-12-24 05:40 . 2008-12-24 05:40 <DIR> d-------- c:\program files\trend micro
2008-12-23 17:35 . 2008-12-23 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-23 08:28 . 2008-12-27 06:08 <DIR> d-------- C:\HiJackThis
2008-12-23 06:58 . 2000-08-31 08:00 28,672 --a------ c:\windows\NIRCMDexe.quar
2008-12-22 21:52 . 2008-12-22 21:52 <DIR> d-------- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2008-12-22 21:42 . 2008-12-22 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-22 21:42 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2008-12-22 21:42 . 2008-05-22 20:50 174,952 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-22 21:42 . 2008-05-22 20:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-22 21:42 . 2008-05-22 20:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys
2008-12-22 21:42 . 2008-05-22 20:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys
2008-12-22 21:42 . 2008-05-22 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-22 21:42 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig
2008-12-22 21:41 . 2008-12-22 21:42 <DIR> d-------- c:\program files\McAfee
2008-12-22 21:41 . 2008-12-22 21:41 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-22 21:27 . 2008-12-22 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-22 21:26 . 2008-12-22 21:26 <DIR> d-------- c:\windows\Sun
2008-12-22 18:39 . 2008-12-22 21:28 <DIR> d-------- c:\documents and settings\Administrator.DELL4500
2008-12-22 15:39 . 2008-12-22 15:39 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-22 15:39 . 2008-12-22 15:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-22 08:22 . 2008-12-22 08:22 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe
2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll
2008-12-09 15:32 . 2008-12-09 15:32 <DIR> d-------- c:\documents and settings\Dennis\Application Data\Viewpoint
2008-12-06 11:20 . 2008-12-06 11:20 <DIR> d-------- c:\documents and settings\Dennis\Application Data\PC Suite
2008-12-06 11:20 . 2008-12-06 11:58 <DIR> d-------- c:\documents and settings\Dennis\Application Data\Nokia
2008-12-06 11:20 . 2008-12-06 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-06 11:17 . 2008-12-06 11:17 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-06 11:17 . 2008-12-06 11:17 <DIR> d-------- c:\program files\DIFX
2008-12-06 11:17 . 2007-09-17 15:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2008-12-06 11:16 . 2008-12-06 12:01 <DIR> d-------- c:\program files\Nokia
2008-12-06 11:16 . 2008-05-07 07:38 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-06 11:15 . 2008-12-06 11:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2008-12-06 10:49 . 2008-12-06 10:49 <DIR> d-------- C:\Output
2008-12-01 16:48 . 2004-08-04 00:08 25,600 --a------ c:\windows\system32\drivers\usbser.sys
2008-12-01 16:48 . 2004-08-04 00:08 25,600 --a------ c:\windows\system32\dllcache\usbser.sys
2008-12-01 16:42 . 2008-12-01 16:43 <DIR> d-------- C:\RAZR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 22:45 --------- d-----w c:\program files\quarantine
2008-12-25 14:13 --------- d-----w c:\program files\iTunes
2008-12-25 14:11 --------- d-----w c:\program files\QuickTime
2008-12-25 13:48 --------- d-----w c:\program files\Apple Software Update
2008-12-23 23:35 --------- d-----w c:\program files\Lavasoft
2008-12-23 23:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 03:44 --------- d-----w c:\documents and settings\All Users\Application Data\Network Associates
2008-12-23 03:38 --------- d-----w c:\program files\Common Files\Network Associates
2008-12-23 03:25 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-22 21:39 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-07 23:18 --------- d-----w c:\program files\Netscape
2008-12-06 16:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 01:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 01:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-20 01:18 --------- d--h--w c:\program files\Zero G Registry
2008-11-20 00:50 --------- d-----w c:\program files\Aglare Mp3 to Amr Converter
2008-11-19 23:47 --------- d-----w c:\program files\AviSynth 2.5
2008-11-19 23:46 --------- d-----w c:\program files\eRightSoft
2008-11-07 20:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-29 22:20 19,070 ----a-w c:\windows\iwyxusicom.quar.pif
2008-10-29 22:20 18,968 ----a-w c:\program files\Common Files\eduv._dl
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2003-12-10 22:54 83,728 ----a-w c:\documents and settings\Dennis\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot_2008-12-26_16.06.36.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-09-11 10:40:36 484,272 ----a-w c:\windows\Downloaded Program Files\isusweb.dll
+ 2007-08-30 16:50:50 475,816 ----a-w c:\windows\Downloaded Program Files\isusweb.dll
- 2008-12-25 19:25:25 24,797 ----a-w c:\windows\system32\tablet.dat
+ 2009-01-01 13:20:43 24,797 ----a-w c:\windows\system32\tablet.dat
+ 2009-01-01 13:19:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_61c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.uyvy"= vvlcodec.dll
"vidc.yuy2"= vvlcodec.dll
"msvideo3"= STVqx3tg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RapidRes.exe
backup=c:\windows\pss\RapidRes.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RapidRes.ini
backup=c:\windows\pss\RapidRes.iniCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk.disabled]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk.disabled
backup=c:\windows\pss\Greetings Workshop Reminders.lnk.disabledStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"GEARSecurity"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMhelpr.sys [2004-03-21 4064]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2002-10-15 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2002-10-15 545088]
S0 black;black;c:\windows\system32\drivers\BlackCat.sys [2008-12-26 197106]
S2 BlackICE;BlackICE;"c:\program files\ISS\Proventia Desktop\blackd.exe" [2008-12-26 2011473]
S2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\ISS\Proventia Desktop\vpatch.exe [2008-12-26 426333]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\Drivers\dsreader.sys [2006-07-21 19677]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe []
S3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2008-12-26 76849]
S3 mgau;mgau;c:\windows\system32\DRIVERS\mgaum.sys [2008-06-28 320384]
S3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2008-12-26 47788]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.sys [2003-03-03 131776]
S3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys [2007-07-13 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS [2007-07-13 44928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee0a10f7-4367-11dd-9c88-da6084cae3c4}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-01 c:\windows\Tasks\gtrgginf.job
- c:\windows\system32\rundll32.exe [2004-08-04 01:56]

2009-01-01 c:\windows\Tasks\hufjijnw.job
- c:\windows\system32\rundll32.exe [2004-08-04 01:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gtec.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\Office2K\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\9v0piu9s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gtec.com
FF - component: c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\9v0piu9s.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 07:35:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-01 7:37:19
combofix run 1_log.txt 2008-12-23 13:19:06
ComboFix-quarantined-files.txt 2009-01-01 13:37:03
ComboFix.txt 2008-12-23 13:26:17
ComboFix2.txt 2009-01-01 13:10:47
ComboFix3.txt 2008-12-26 22:07:39
ComboFix4.txt 2008-12-24 12:06:42
ComboFix5.txt 2009-01-01 13:32:11
Pre-Run: 207,577,509,888 bytes free
Post-Run: 207,560,933,376 bytes free
258 --- E O F --- 2008-12-14 17:58:59

This post has been edited by PropagandaPanda: Jan 1 2009, 09:37 AM
Reason for edit: Removed dupe log.
Jan 1 2009, 09:39 AM
Post #4
Group: HJT Team | Posts: 6,883 | Joined: 10-March 08 | Member No.: 195,473
Hello dellphinus.
Looks like some leftovers of an infection. Not a bad job identifying the baddies. Please make sure your protection is disabled before we begin.
Run ComboFix with CFScript
We will run ComboFix again with a script.
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Upload Samples Collected by ComboFix
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
If you already have MBAM installed, simply update and run a quick scan. Please download the Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2
Follow the directions given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
Re-enable your protection at this time.
Please post back with:
-the ComboFix log
-the MalwareBytes scan log
-a new HijackThis scan log
With Regards,
The panda
This post has been edited by PropagandaPanda: Jan 1 2009, 09:39 AM
Jan 1 2009, 10:19 AM
Post #5
Member  Group: Members  Posts: 16  Joined: 23-December 08  Member No.: 273,285
Files uploaded, logs below.
May I ask what the remnants were- just files, or was something still running? Also, I have Proventia blocking calls to rasautou.exe- I can't determine what's calling it... I do not use any dialup...
ComboFix 08-12-31.01 - Dennis 2009-01-01 8:55:04.9 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.558 [GMT -6:00] Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Dennis\Desktop\CFScript.txt AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) * Created a new restore point FILE :: c:\program files\Common Files\eduv._dl c:\windows\iwyxusicom.quar.pif c:\windows\system32\comdlg32_dll.iss c:\windows\system32\gdi32_dll.iss c:\windows\Tasks\gtrgginf.job c:\windows\Tasks\hufjijnw.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Common Files\eduv._dl c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP\WiseCustomCalla.dll c:\windows\iwyxusicom.quar.pif c:\windows\system32\comdlg32_dll.iss c:\windows\system32\gdi32_dll.iss c:\windows\system32\imagehlp_dll.iss c:\windows\system32\lz32_dll.iss c:\windows\system32\ole32_dll.iss c:\windows\Tasks\gtrgginf.job c:\windows\Tasks\hufjijnw.job . ((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 ))))))))))))))))))))))))))))))) . 2008-12-28 12:18 . 2008-12-28 12:21 <DIR> d-------- c:\documents and settings\Dennis\SecurityScans 2008-12-26 07:51 . 2008-12-26 07:51 <DIR> d-------- c:\program files\UninstallScripts 2008-12-26 07:50 . 2008-12-26 07:50 <DIR> d-------- c:\program files\ISS 2008-12-26 07:50 . 2007-01-16 14:37 197,106 --a------ c:\windows\system32\drivers\Blackcat.sys 2008-12-26 07:50 . 2006-09-13 16:59 76,849 --a------ c:\windows\system32\drivers\MakoNT.sys 2008-12-26 07:50 . 
2007-01-16 14:37 47,788 --a------ c:\windows\system32\drivers\RapDrv.sys 2008-12-25 08:14 . 2008-12-25 08:14 <DIR> d-------- c:\program files\Bonjour 2008-12-25 08:13 . 2008-12-25 08:13 <DIR> d-------- c:\program files\iPod 2008-12-25 08:13 . 2008-12-25 08:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-12-24 06:48 . 2008-12-24 06:56 162 --ah----- c:\windows\~$cahufibat.quar 2008-12-24 05:40 . 2008-12-24 05:40 <DIR> d-------- C:\rsit 2008-12-24 05:40 . 2008-12-24 05:40 <DIR> d-------- c:\program files\trend micro 2008-12-23 17:35 . 2008-12-23 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-12-23 08:28 . 2009-01-01 07:38 <DIR> d-------- C:\HiJackThis 2008-12-23 06:58 . 2000-08-31 08:00 28,672 --a------ c:\windows\NIRCMDexe.quar 2008-12-22 21:42 . 2008-12-22 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee 2008-12-22 21:42 . 2007-10-25 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll 2008-12-22 21:42 . 2008-05-22 20:50 174,952 --a------ c:\windows\system32\drivers\mfehidk.sys 2008-12-22 21:42 . 2008-05-22 20:50 72,936 --a------ c:\windows\system32\drivers\mfeavfk.sys 2008-12-22 21:42 . 2008-05-22 20:50 64,232 --a------ c:\windows\system32\drivers\mfeapfk.sys 2008-12-22 21:42 . 2008-05-22 20:50 52,104 --a------ c:\windows\system32\drivers\mfetdik.sys 2008-12-22 21:42 . 2008-05-22 20:50 33,960 --a------ c:\windows\system32\drivers\mfebopk.sys 2008-12-22 21:42 . 2007-10-25 15:06 280 --a------ c:\windows\system32\epoPGPsdk.dll.sig 2008-12-22 21:41 . 2008-12-22 21:42 <DIR> d-------- c:\program files\McAfee 2008-12-22 21:41 . 2008-12-22 21:41 <DIR> d-------- c:\program files\Common Files\McAfee 2008-12-22 21:27 . 2008-12-22 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7 2008-12-22 21:26 . 2008-12-22 21:26 <DIR> d-------- c:\windows\Sun 2008-12-22 18:39 . 
2008-12-22 21:28 <DIR> d-------- c:\documents and settings\Administrator.DELL4500 2008-12-22 15:39 . 2008-12-22 15:39 410,984 --a------ c:\windows\system32\deploytk.dll 2008-12-22 15:39 . 2008-12-22 15:39 73,728 --a------ c:\windows\system32\javacpl.cpl 2008-12-22 08:22 . 2008-12-22 08:22 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes 2008-12-12 11:18 . 2008-12-12 11:18 87,336 --a------ c:\windows\system32\dns-sd.exe 2008-12-12 11:11 . 2008-12-12 11:11 61,440 --a------ c:\windows\system32\dnssd.dll 2008-12-09 15:32 . 2008-12-09 15:32 <DIR> d-------- c:\documents and settings\Dennis\Application Data\Viewpoint 2008-12-06 11:20 . 2008-12-06 11:20 <DIR> d-------- c:\documents and settings\Dennis\Application Data\PC Suite 2008-12-06 11:20 . 2008-12-06 11:58 <DIR> d-------- c:\documents and settings\Dennis\Application Data\Nokia 2008-12-06 11:20 . 2008-12-06 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite 2008-12-06 11:17 . 2008-12-06 11:17 <DIR> d-------- c:\program files\PC Connectivity Solution 2008-12-06 11:17 . 2008-12-06 11:17 <DIR> d-------- c:\program files\DIFX 2008-12-06 11:17 . 2007-09-17 15:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys 2008-12-06 11:16 . 2008-12-06 12:01 <DIR> d-------- c:\program files\Nokia 2008-12-06 11:16 . 2008-05-07 07:38 90,624 --a------ c:\windows\system32\nmwcdcls.dll 2008-12-06 11:15 . 2008-12-06 11:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations 2008-12-06 10:49 . 2008-12-06 10:49 <DIR> d-------- C:\Output 2008-12-01 16:48 . 2004-08-04 00:08 25,600 --a------ c:\windows\system32\drivers\usbser.sys 2008-12-01 16:48 . 2004-08-04 00:08 25,600 --a------ c:\windows\system32\dllcache\usbser.sys 2008-12-01 16:42 . 2008-12-01 16:43 <DIR> d-------- C:\RAZR . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-12-31 22:45 --------- d-----w c:\program files\quarantine 2008-12-25 14:13 --------- d-----w c:\program files\iTunes 2008-12-25 14:11 --------- d-----w c:\program files\QuickTime 2008-12-25 13:48 --------- d-----w c:\program files\Apple Software Update 2008-12-23 23:35 --------- d-----w c:\program files\Lavasoft 2008-12-23 23:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-12-23 03:44 --------- d-----w c:\documents and settings\All Users\Application Data\Network Associates 2008-12-23 03:38 --------- d-----w c:\program files\Common Files\Network Associates 2008-12-23 03:25 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2008-12-22 21:39 --------- d-----w c:\program files\Java 2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll 2008-12-07 23:18 --------- d-----w c:\program files\Netscape 2008-12-06 16:57 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-04 01:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-04 01:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2008-11-20 01:18 --------- d--h--w c:\program files\Zero G Registry 2008-11-20 00:50 --------- d-----w c:\program files\Aglare Mp3 to Amr Converter 2008-11-19 23:47 --------- d-----w c:\program files\AviSynth 2.5 2008-11-19 23:46 --------- d-----w c:\program files\eRightSoft 2008-11-07 20:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys 2008-10-24 11:10 453,632 ----a-w c:\windows\system32\dllcache\mrxsmb.sys 2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll 2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll 2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll 2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll 2008-10-16 20:12 561,688 ----a-w 
c:\windows\system32\wuapi.dll 2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll 2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll 2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll 2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe 2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll 2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe 2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe 2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll 2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe 2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll 2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll 2008-10-03 10:15 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll 2003-12-10 22:54 83,728 ----a-w c:\documents and settings\Dennis\Application Data\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((( snapshot_2008-12-26_16.06.36.06 ))))))))))))))))))))))))))))))))))))))))) . 
- 2006-09-11 10:40:36 484,272 ----a-w c:\windows\Downloaded Program Files\isusweb.dll + 2007-08-30 16:50:50 475,816 ----a-w c:\windows\Downloaded Program Files\isusweb.dll - 2008-11-10 01:12:43 53,812 ----a-w c:\windows\system32\perfc009.dat + 2009-01-01 14:27:58 53,812 ----a-w c:\windows\system32\perfc009.dat - 2008-11-10 01:12:43 383,584 ----a-w c:\windows\system32\perfh009.dat + 2009-01-01 14:27:58 383,584 ----a-w c:\windows\system32\perfh009.dat - 2008-12-25 19:25:25 24,797 ----a-w c:\windows\system32\tablet.dat + 2009-01-01 13:46:08 24,797 ----a-w c:\windows\system32\tablet.dat + 2009-01-01 13:45:38 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_528.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 196608] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144] "DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600] "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952] "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" 
[2008-11-04 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\windows\LOGI_MWX.EXE] "nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i420vfw.dll "vidc.uyvy"= vvlcodec.dll "vidc.yuy2"= vvlcodec.dll "msvideo3"= STVqx3tg.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk backup=c:\windows\pss\Forget Me Not.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.exe] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RapidRes.exe backup=c:\windows\pss\RapidRes.exeCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.ini] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RapidRes.ini backup=c:\windows\pss\RapidRes.iniCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Adobe Gamma.lnk] path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\Adobe Gamma.lnk backup=c:\windows\pss\Adobe Gamma.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk.disabled] path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk.disabled backup=c:\windows\pss\Greetings 
Workshop Reminders.lnk.disabledStartup [HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe] path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler.exe] path=c:\documents and settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler.exe backup=c:\windows\pss\PowerReg Scheduler.exeStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPodService"=3 (0x3) "GEARSecurity"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMhelpr.sys [2004-03-21 4064] R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2002-10-15 144768] R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2002-10-15 545088] S0 black;black;c:\windows\system32\drivers\BlackCat.sys [2008-12-26 
197106] S2 BlackICE;BlackICE;"c:\program files\ISS\Proventia Desktop\blackd.exe" [2008-12-26 2011473] S2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\ISS\Proventia Desktop\vpatch.exe [2008-12-26 426333] S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\Drivers\dsreader.sys [2006-07-21 19677] S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [] S3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2008-12-26 76849] S3 mgau;mgau;c:\windows\system32\DRIVERS\mgaum.sys [2008-06-28 320384] S3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2008-12-26 47788] S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.sys [2003-03-03 131776] S3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19H2k.sys [2007-07-13 727908] S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\DRIVERS\USA19H2kp.SYS [2007-07-13 44928] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee0a10f7-4367-11dd-9c88-da6084cae3c4}] \Shell\AutoRun\command - D:\LaunchU3.exe -a *Newly Created Service* - CATCHME . Contents of the 'Scheduled Tasks' folder 2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.gtec.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\Office2K\OFFICE11\EXCEL.EXE/3000 IE: Send to &Bluetooth Device... 
- c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd FF - ProfilePath - c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\9v0piu9s.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.gtec.com FF - component: c:\documents and settings\Dennis\Application Data\Mozilla\Firefox\Profiles\9v0piu9s.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-01 08:57:44 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
Completion time: 2009-01-01 8:59:09 combofix run 1_log.txt 2008-12-23 13:19:06 ComboFix-quarantined-files.txt 2009-01-01 14:58:52 ComboFix.txt 2008-12-23 13:26:17 ComboFix2.txt 2009-01-01 13:37:22 ComboFix3.txt 2009-01-01 13:10:47 ComboFix4.txt 2008-12-26 22:07:39 ComboFix5.txt 2009-01-01 14:54:21 Pre-Run: 207,590,178,816 bytes free Post-Run: 207,573,061,632 bytes free 273 --- E O F --- 2008-12-14 17:58:59 Malwarebytes' Anti-Malware 1.31 Database version: 1589 Windows 5.1.2600 Service Pack 2 1/1/2009 9:09:23 AM mbam-log-2009-01-01 (09-09-23).txt Scan type: Quick Scan Objects scanned: 67774 Time elapsed: 4 minute(s), 6 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of random's system information tool 1.05 (written by random/random) Run by Dennis at 2009-01-01 09:38:37 Microsoft Windows XP Home Edition Service Pack 2 System drive C: has 198 GB (83%) free of 238 GB Total RAM: 1023 MB (49% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:39:07 AM, on 1/1/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device 
Support\bin\AppleMobileDeviceService.exe C:\Program Files\ISS\Proventia Desktop\blackd.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\ISS\Proventia Desktop\RapApp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ISS\Proventia Desktop\vpatch.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\WINDOWS\DELLMMKB.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\ISS\Proventia Desktop\blackice.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\Netropa\OSD.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Dennis\Desktop\RSIT.exe C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe C:\HiJackThis\Dennis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gtec.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.gtec.com"); (C:\Documents and Settings\DENNIS\Application Data\Mozilla\Profiles\default\kcj96xmh.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DENNIS\Application Data\Mozilla\Profiles\default\kcj96xmh.slt\prefs.js) O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll (file missing) O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - 
HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: Proventia Desktop Agent.lnk = ? O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office2K\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office2K\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Deskshop - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program Files\Discover Deskshop\Deskshop.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194397426484 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194397286859 O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab O16 - DPF: 
{A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://boeing.webex.com/client/T23LBA/webex/ieatgpc.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. 
- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9326 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-22 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2008-05-22 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-22 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe [2001-11-29 196608]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-11-07 19968]
"nwiz"=nwiz.exe /install []
"DellTouch"=C:\WINDOWS\DELLMMKB.EXE [2001-09-23 163840]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-22 136600]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-05-22 111952]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2007-10-25 136512]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2007-08-30 205480]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-09-11 86960]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2002-08-06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
C:\PROGRA~1\BRODER~1\AGCREA~1\AGRemind.exe [2001-07-03 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RapidRes.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RapidRes.ini]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RapidRes.ini []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2002-08-06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk.disabled]
C:\Documents and Settings\Dennis\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk.disabled []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
C:\Documents and Settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dennis^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
C:\Documents and Settings\Dennis\Start Menu\Programs\Startup\PowerReg Scheduler.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3
"GEARSecurity"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Proventia Desktop Agent.lnk -
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ee0a10f7-4367-11dd-9c88-da6084cae3c4}]
shell\AutoRun\command - D:\LaunchU3.exe -a

======List of files/folders created in the last 1 months======

2009-01-01 08:59:11 ----A---- C:\ComboFix.txt
2008-12-26 07:51:54 ----D---- C:\Program Files\UninstallScripts
2008-12-26 07:50:00 ----D---- C:\Program Files\ISS
2008-12-25 08:14:26 ----D---- C:\Program Files\Bonjour
2008-12-25 08:13:10 ----D---- C:\Program Files\iPod
2008-12-25 08:13:07 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-24 09:47:29 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-24 05:40:24 ----D---- C:\Program Files\trend micro
2008-12-24 05:40:23 ----D---- C:\rsit
2008-12-23 17:35:31 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-23 08:28:55 ----D---- C:\HiJackThis
2008-12-23 06:56:23 ----A---- C:\Boot.bak
2008-12-23 06:56:14 ----RASHD---- C:\cmdcons
2008-12-23 06:52:50 ----A---- C:\WINDOWS\zip.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\VFIND.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\SWSC.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\SWREG.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\sed.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\grep.exe
2008-12-23 06:52:50 ----A---- C:\WINDOWS\fdsv.exe
2008-12-23 06:52:49 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-23 06:52:22 ----D---- C:\WINDOWS\ERDNT
2008-12-23 06:52:22 ----D---- C:\Qoobox
2008-12-22 21:42:37 ----A---- C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-12-22 21:42:37 ----A---- C:\WINDOWS\system32\epoPGPsdk.dll
2008-12-22 21:42:36 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2008-12-22 21:41:34 ----D---- C:\Program Files\McAfee
2008-12-22 21:41:34 ----D---- C:\Program Files\Common Files\McAfee
2008-12-22 21:27:36 ----D---- C:\Documents and Settings\All Users\Application Data\Avg7
2008-12-22 21:26:12 ----D---- C:\WINDOWS\Sun
2008-12-22 19:03:39 ----D---- C:\Program Files\Grisoft
2008-12-22 15:39:20 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-22 15:39:20 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-22 15:39:20 ----A---- C:\WINDOWS\system32\java.exe
2008-12-22 15:39:20 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-22 15:37:37 ----D---- C:\Documents and Settings\Dennis\Application Data\Sun
2008-12-21 19:31:28 ----A---- C:\WINDOWS\system32\6b24ae7d-.txt
2008-12-14 11:58:51 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-14 11:58:38 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-14 11:50:59 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-14 11:50:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-12 11:18:16 ----A---- C:\WINDOWS\system32\dns-sd.exe
2008-12-12 11:11:46 ----A---- C:\WINDOWS\system32\dnssd.dll
2008-12-09 15:32:02 ----D---- C:\Documents and Settings\Dennis\Application Data\Viewpoint
2008-12-06 11:20:14 ----D---- C:\Documents and Settings\Dennis\Application Data\Nokia
2008-12-06 11:20:12 ----D---- C:\Documents and Settings\Dennis\Application Data\PC Suite
2008-12-06 11:20:11 ----D---- C:\Documents and Settings\All Users\Application Data\PC Suite
2008-12-06 11:17:29 ----D---- C:\Program Files\DIFX
2008-12-06 11:17:16 ----D---- C:\Program Files\PC Connectivity Solution
2008-12-06 11:16:41 ----A---- C:\WINDOWS\system32\nmwcdcls.dll
2008-12-06 11:16:40 ----D---- C:\Program Files\Nokia
2008-12-06 11:15:54 ----D---- C:\Documents and Settings\All Users\Application Data\Installations
2008-12-06 10:49:50 ----D---- C:\Output

======List of files/folders modified in the last 1 months======

2009-01-01 09:38:29 ----D---- C:\WINDOWS\Temp
2009-01-01 09:16:04 ----D---- C:\Program Files\Mozilla Firefox
2009-01-01 09:15:01 ----A---- C:\WINDOWS\MSIOSD.INI
2009-01-01 09:13:35 ----D---- C:\WINDOWS\system32
2009-01-01 09:11:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-01 08:59:25 ----D---- C:\WINDOWS
2009-01-01 08:57:46 ----A---- C:\WINDOWS\system.ini
2009-01-01 08:56:48 ----D---- C:\WINDOWS\system32\drivers
2009-01-01 08:56:48 ----D---- C:\Program Files\Common Files
2009-01-01 08:56:47 ----D---- C:\WINDOWS\AppPatch
2009-01-01 08:55:18 ----SD---- C:\WINDOWS\Tasks
2009-01-01 08:27:58 ----D---- C:\WINDOWS\system32\wbem
2009-01-01 08:27:58 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-01 07:54:47 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-01 07:07:35 ----D---- C:\WINDOWS\Prefetch
2008-12-31 16:45:29 ----D---- C:\Program Files\quarantine
2008-12-29 16:18:18 ----D---- C:\WINDOWS\Minidump
2008-12-29 10:51:55 ----SHD---- C:\WINDOWS\Installer
2008-12-29 10:51:55 ----D---- C:\Config.Msi
2008-12-29 10:51:53 ----D---- C:\Program Files
2008-12-27 09:59:31 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-26 07:44:51 ----D---- C:\Anti Virus Tools
2008-12-25 13:29:00 ----RSHD---- C:\WINDOWS\system32\dllcache
2008-12-25 13:25:52 ----HD---- C:\WINDOWS\inf
2008-12-25 08:13:36 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-12-25 08:13:36 ----D---- C:\Program Files\iTunes
2008-12-25 08:11:34 ----D---- C:\Program Files\QuickTime
2008-12-25 07:48:50 ----D---- C:\Program Files\Apple Software Update
2008-12-25 06:56:35 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-24 10:46:56 ----A---- C:\WINDOWS\WORDPAD.INI
2008-12-24 09:37:38 ----A---- C:\WINDOWS\winzip32.ini
2008-12-24 09:37:38 ----A---- C:\WINDOWS\win.ini
2008-12-24 07:21:31 ----D---- C:\tools
2008-12-24 07:04:39 ----D---- C:\downloads
2008-12-23 17:35:32 ----D---- C:\Program Files\Lavasoft
2008-12-23 17:34:35 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-23 11:29:40 ----D---- C:\TEMP
2008-12-23 07:05:06 ----D---- C:\WINDOWS\system32\config
2008-12-23 06:56:23 ----RASH---- C:\boot.ini
2008-12-23 06:52:42 ----SHD---- C:\System Volume Information
2008-12-23 06:52:42 ----D---- C:\WINDOWS\system32\Restore
2008-12-22 21:44:44 ----D---- C:\Documents and Settings\All Users\Application Data\Network Associates
2008-12-22 21:38:44 ----D---- C:\Program Files\Common Files\Network Associates
2008-12-22 21:27:50 ----D---- C:\WINDOWS\Registration
2008-12-22 21:25:50 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-22 21:12:34 ----D---- C:\WINDOWS\system
2008-12-22 18:46:05 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-22 18:39:32 ----D---- C:\Documents and Settings
2008-12-22 15:39:03 ----D---- C:\Program Files\Java
2008-12-14 11:58:59 ----A---- C:\WINDOWS\imsins.BAK
2008-12-14 11:55:38 ----D---- C:\Program Files\Internet Explorer
2008-12-13 00:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-09 17:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-07 17:18:12 ----D---- C:\Program Files\Netscape
2008-12-06 11:16:34 ----D---- C:\WINDOWS\WinSxS
2008-12-06 10:57:40 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-04 05:26:15 ----A---- C:\fp.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ATMhelpr;ATMhelpr; C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 4064]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2006-08-09 2432]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2006-08-09 2560]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2002-11-19 240640]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-05-22 52104]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2001-12-04 3360]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2002-11-19 134426]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2002-11-19 206464]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2002-10-16 8552]
R2 Fallback;Fallback; C:\WINDOWS\system32\DRIVERS\fallback.sys [2001-07-18 310899]
R2 Fsks;Fsks; C:\WINDOWS\system32\DRIVERS\fsksnt.sys [2001-07-18 127405]
R2 K56;K56; C:\WINDOWS\system32\DRIVERS\k56nt.sys [2001-07-18 426783]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R2 SoftFax;SoftFax; C:\WINDOWS\system32\DRIVERS\faxnt.sys [2001-07-18 217019]
R2 SpeakerPhone;SpeakerPhone; C:\WINDOWS\system32\DRIVERS\spkpnt.sys [2001-07-18 80449]
R2 Tones;Tones; C:\WINDOWS\system32\DRIVERS\tonesnt.sys [2001-07-18 56607]
R2 V124;V124; C:\WINDOWS\system32\DRIVERS\v124nt.sys [2001-07-18 534125]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 36224]
R3 basic2;basic2; C:\WINDOWS\system32\DRIVERS\basic2.sys [2001-07-18 77426]
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2006-06-07 329901]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2006-06-07 855018]
R3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2002-11-19 25674]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\System32\DRIVERS\LHidFlt2.Sys [2003-11-07 25502]
R3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-11-07 37884]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys [2003-11-07 70798]
R3 MakoNT;MakoNT; C:\WINDOWS\system32\drivers\MakoNT.sys [2006-09-13 76849]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-05-22 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-05-22 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-05-22 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-05-22 174952]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 rap;rap; C:\WINDOWS\System32\drivers\RapDrv.sys [2007-01-16 47788]
R3 Rksample;Rksample; C:\WINDOWS\system32\DRIVERS\rksample.sys [2001-07-18 67654]
R3 tbcspud;Santa Cruz Driver; C:\WINDOWS\system32\drivers\tbcspud.sys [2002-04-03 144768]
R3 tbcwdm;Santa Cruz WDM Driver; C:\WINDOWS\system32\drivers\tbcwdm.sys [2002-04-03 545088]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2001-07-25 584336]
R3 WmaCDriverV32;WmaCDriverV32; C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2006-12-25 513152]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2002-06-20 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2002-06-20 39776]
R4 black;black; C:\WINDOWS\System32\drivers\BlackCat.sys [2007-01-16 197106]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
S3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2006-06-07 30459]
S3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2006-06-07 149028]
S3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2006-06-07 47811]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2006-06-07 67384]
S3 catchme;catchme; \??\C:\DOCUME~1\Dennis\LOCALS~1\Temp\catchme.sys []
S3 dsreader;MaxDrive Driver (dsreader.sys); C:\WINDOWS\System32\Drivers\dsreader.sys [2001-01-02 19677]
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
S3 hsf_msft;hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
S3 mgau;mgau; C:\WINDOWS\System32\DRIVERS\mgaum.sys [2001-08-17 320384]
S3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2002-11-19 30406]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 STVqx3;Intel Play QX3 Microscope; C:\WINDOWS\system32\drivers\STVqx3.sys [2001-04-12 131776]
S3 tbhsd;Tunebite High-Speed Dubbing; C:\WINDOWS\system32\drivers\tbhsd.sys [2006-09-18 16640]
S3 USA19H;USA19H; C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver; C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 44928]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2004-08-04 25600]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WmFilter;Logitech WingMan HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2002-06-20 20128]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2002-06-20 5728]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 RxFilter;RxFilter; C:\WINDOWS\system32\DRIVERS\RxFilter.sys [2006-12-13 50688]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-18 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2006-06-07 266295]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-22 152984]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2007-10-25 103744]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe [2008-05-22 144704]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe [2008-05-22 54608]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R2 TabletService;TabletService; C:\WINDOWS\system32\Tablet.exe [2003-12-04 634880]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2007-03-12 310008]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2007-03-12 166648]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-01-21 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-03-12 887544]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-08-07 575488]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-01-23 73728]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------

This post has been edited by dellphinus: Jan 1 2009, 10:41 AM
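Editor's added example, not part of the thread or of any of the tools named in it: a quick way to triage the "List of drivers" and "List of services" sections of an RSIT log like the one above. RSIT prints each entry as `<R|S><start type> name;display name; path [date size]`, and the bracketed part is empty when the tool found no file to read at that path. Such entries are either orphaned (the file is gone, which is what the helper's "just some files" reading suggests) or point at something the tool could not stat, so they are the first ones to check by hand. The six sample lines are copied from the log above; a hit is not a verdict. `catchme.sys` in the user's Temp directory, for instance, is the rootkit-detection driver that ComboFix drops while it runs, and `mferkdk.sys` is McAfee's, listed with a `\??\`-prefixed path that RSIT probably could not open literally. The function names are this example's own.

```powershell
# Editor's example, not code from the thread. Parses RSIT driver/service lines and flags
# entries worth a manual look. The six lines below are copied from the posted log as a
# constructed sample; replace them with Get-Content of a real C:\rsit\log.txt.
$sample = @'
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-05-22 174952]
S3 catchme;catchme; \??\C:\DOCUME~1\Dennis\LOCALS~1\Temp\catchme.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
S3 getPlus® Helper;getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []
'@

function ConvertFrom-RsitEntry {
    # Turns "<R|S><start> name;display; path [date size]" lines into objects; other lines are skipped.
    param([string[]]$Lines)
    $pattern = '^(?<state>[RS])(?<start>[0-4]) (?<name>[^;]+);(?<display>[^;]*); (?<path>.+?) \[(?<meta>.*)\]$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Name    = $Matches['name']
                Display = $Matches['display']
                Running = ($Matches['state'] -eq 'R')
                Start   = [int]$Matches['start']
                Path    = $Matches['path']
                Meta    = $Matches['meta']
            }
        }
    }
}

function Get-RsitFinding {
    # Emits one object per entry that deserves a manual check, with all reasons joined.
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        $reasons = @()
        if ($e.Meta -eq '') {
            # Empty [] means RSIT could not read a file at this path: orphaned entry, or hidden from the tool.
            $reasons += 'no file date/size recorded at this path'
        }
        if ($e.Path -match '\\temp\\') {
            $reasons += 'binary lives under a Temp directory'
        }
        if ($e.Running -and $e.Start -le 1 -and $e.Meta -eq '') {
            # Boot/system-start drivers load before most defences; an unreadable one is worth a closer look.
            $reasons += 'loads at boot/system start yet its file could not be read'
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Name    = $e.Name
                Path    = $e.Path
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

$entries = ConvertFrom-RsitEntry -Lines ($sample -split '\r?\n')
Get-RsitFinding -Entries $entries | Select-Object Name, Reasons, Path | Format-Table -AutoSize
# On a real log:  Get-RsitFinding -Entries (ConvertFrom-RsitEntry -Lines (Get-Content C:\rsit\log.txt))
```

On the sample this lists mferkdk, catchme, IntelIde and getPlus® Helper and leaves mfehidk and aawservice alone. Each hit then needs the usual follow-up: does the file exist, who signed it, and does the service or driver name belong to a product that is actually installed.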
Post #6, Jan 1 2009, 11:05 AM
The Panda (Group: HJT Team; Posts: 6,883; Joined: 10-March 08; Member No.: 195,473)
Hello dellphinus.
Looks like it was just some files. The ".job" entries may have tried to start something, but the files associated with that were probably removed. Most likely was nothing active.

Update Windows Installation

Your Microsoft Windows installation is out of date. Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer. Please click here to check for and install updates to Windows, and Microsoft applications. If you encounter any problems during the installation, please feel free to ask for help. The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install. Reboot and repeat the update process until there are no more updates to install.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. This scan is for Internet Explorer Only. If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

This scanner will only scan. It does not remove any malware it finds.

With Regards,
The Panda
Post #7, Jan 1 2009, 09:13 PM
dellphinus (Group: Members; Posts: 16; Joined: 23-December 08; Member No.: 273,285)
Ran Kaspersky: the scan screen showed 1 threat, 1 file, but the scan report was blank, and saving it resulted in no file being generated.

Updated and ran a McAfee full scan: nothing identified.

This post has been edited by dellphinus: Jan 2 2009, 07:47 AM
Post #8, Jan 2 2009, 08:19 AM
The Panda (Group: HJT Team; Posts: 6,883; Joined: 10-March 08; Member No.: 195,473)
Hello dellphinus.
Kaspersky should have at least detected some of the files in ComboFix's quarantine. If this computer has some spare time, then consider trying to run F-Secure. If you don't want to, that's fine.

F-Secure Online Scan

Please run F-Secure Online Scanner. This scan is for Internet Explorer only.

If not, just post back a new HijackThis log. Were you able to do updates?

With Regards,
The Panda
Post #9, Jan 2 2009, 09:10 AM
dellphinus (Group: Members; Posts: 16; Joined: 23-December 08; Member No.: 273,285)
Member ![]() ![]() Group: Members Posts: 16 Joined: 23-December 08 Member No.: 273,285 |
I did some of the updates. There were no critical updates listed, and I've been holding off on doing the SP3 update, based on some negative press. I have two more updates to do when this McAfee scan finishes.

After doing the updates, I'll run the F-Secure. Question: I'm a little nervous about having the computer online without the firewall running. Is it OK to leave it active while doing the F-Secure? Also, while reading the instructions for F-Secure, I noticed it only runs on Explorer, and I completely missed your comments earlier about Kaspersky only being for Explorer. I ran it under FF. I'll rerun with Explorer 7.

[edit] McAfee just hit a bunch of Vundo registry keys, and all the QooBox files. It's still running, though. Also, a bunch of tool-nir-cmds in the restore points.

This post has been edited by dellphinus: Jan 2 2009, 09:18 AM
Post #10, Jan 2 2009, 09:41 AM
The Panda (Group: HJT Team; Posts: 6,883; Joined: 10-March 08; Member No.: 195,473)
Hello.
I don't think the Firewall will be a problem. Nircmd.exe is a tool used by ComboFix. It can do things like hide windows, so McAfee suspects it to be dangerous. ComboFix uses it to open the popup windows and some other functions.

With Regards,
The Panda
Post #11, Jan 2 2009, 11:45 PM
dellphinus (Group: Members; Posts: 16; Joined: 23-December 08; Member No.: 273,285)
Member ![]() ![]() Group: Members Posts: 16 Joined: 23-December 08 Member No.: 273,285 |
OK, ran the Kaspersky again, this time with Explorer, and this time it generated the report. The hit was in the Qoobox quarantine. The F-Secure found a couple of cookies.

After McAfee finished, I disabled System Restore and let McAfee clean/delete everything it found: 39 hits, all backed up registry and restore points (the Nircmds it found were all tool-Nircmds, named A0000xxxx.com, where xxxx is a rnd num). Kaspersky and F-Secure logs below.

Kaspersky Report:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 02, 2009 11:07:11
Records in database: 1547639
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
R:\

Scan statistics:
Files scanned: 103822
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:28:56

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Dennis\Local Settings\Temp\ddcBTlmK.dll.vir Infected: Trojan.Win32.Monder.agej 1

The selected area was scanned.

F-Secure Report:

Scanning Report
Friday, January 02, 2009 15:56:16 - 22:32:25
Computer name: DELL4500
Scanning type: Scan system for malware, rootkits
Target: C:\

Result: 2 malware found
TrackingCookie.Adbrite (spyware)
  * System
TrackingCookie.Webtrends (spyware)
  * System

Statistics
Scanned:
  * Files: 47060
  * System: 5494
  * Not scanned: 6
Actions:
  * Disinfected: 0
  * Renamed: 0
  * Deleted: 0
  * None: 2
  * Submitted: 0
Files not scanned:
  * C:\PAGEFILE.SYS
  * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
  * C:\WINDOWS\SYSTEM32\CONFIG\SAM
  * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
  * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
  * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:
  * F-Secure USS: 2.40.0
  * F-Secure Hydra: 2.8.8110, 2009-01-02
  * F-Secure AVP: 7.0.171, 2009-01-02
  * F-Secure Pegasus: 1.20.0, 2008-11-17
  * F-Secure Blacklight: 0.0.0
Scanning options:
  * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
  * Use Advanced heuristics

This post has been edited by dellphinus: Jan 3 2009, 06:50 AM
Post #12, Jan 3 2009, 08:23 AM
The Panda (Group: HJT Team; Posts: 6,883; Joined: 10-March 08; Member No.: 195,473)
Hello dellphinus.
Looks good.

Uninstall ComboFix

Remove ComboFix now that we're done with it. If this tool has helped you, please consider making a donation to its author.

Preventing Malware Infection in the Future

Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda
Post #13, Jan 3 2009, 10:42 AM
dellphinus (Group: Members; Posts: 16; Joined: 23-December 08; Member No.: 273,285)
Member ![]() ![]() Group: Members Posts: 16 Joined: 23-December 08 Member No.: 273,285 |
I think I'm good. The only thing left is finding out what is calling Rasautou.exe. I can't catch it in Process Explorer to see what tree it's in. Got any tools or tips that might help there? It's not a biggie, the firewall is blocking it from executing, I'd just like to know what the heck is calling it.

Also, I'm assuming I can delete all the quarantined files now?

UPDATE: just did a reboot, and Process Explorer redlined WMIPRVSE.exe. Googled it, and your database has it listed as malware. Had AntiMalware scan it, and it came up clean. Searched the C drive for it and three copies came up: C:\Windows\$NTServicePackInstall$, ServicePackFiles\i386, system32\wbem.

Update 2: wmiprvse.exe is good...

Update 3: Panda, maybe I'm overly paranoid now, but one more item. When I reboot, sometimes (about half the time), my McAfee tray icon displays the slashed circle (disabled) briefly after it starts. I have access protection turned on for it. The other times, it starts, and displays normally, no slash.

This post has been edited by dellphinus: Jan 3 2009, 11:59 AM
Post #14, Jan 3 2009, 12:08 PM
The Panda (Group: HJT Team; Posts: 6,883; Joined: 10-March 08; Member No.: 195,473)
Hello dellphinus.
Rasautou.exe is the "Microsoft Remote Access Dialler". It is used by legit programs, but malware can hijack it.

QUOTE: I'm assuming I can delete all the quarantined files now?

Yes.

The startup database is not a list of items you see in Task Manager. If that filename was listed in a startup entry, it would be bad. Otherwise, it's normal.

QUOTE: when I reboot, sometimes (about half the time), my McAfee tray icon displays the slashed circle (disabled) briefly after it starts.

Does it go to the enabled sign after a moment? Might be taking some time to start.

Save Uninstall List with HijackThis

Let's see if we can identify programs that need remote access.

The Panda
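Editor's added example, not part of the thread and not something the helper asked for: the "I can't catch it in Process Explorer" problem is the usual one with a short-lived process, and the fix is to subscribe to process-start events rather than poll. Win32_ProcessStartTrace delivers the new process's name, PID and parent PID the moment it starts, so the parent can be looked up before it disappears. This assumes PowerShell 2.0 or later in an administrator session (the trace class needs it); the log path, source identifier and variable names are this example's own choices. One caveat: if the parent turns out to be a svchost.exe hosting the Remote Access Auto Connection Manager, the trigger was some other program trying to reach a remote address while no connection was up, and a Process Monitor trace filtered on network operations is the next step to find that originator.

```powershell
# Editor's example, not code from the thread. Records which process launches rasautou.exe.
# Assumes PowerShell 2.0+ in an elevated session; Win32_ProcessStartTrace needs admin rights.
# The log path and the source identifier 'RasautouWatch' are arbitrary names chosen here.
$context = @{
    Target = 'rasautou.exe'
    Log    = Join-Path $env:USERPROFILE 'Desktop\rasautou-parents.txt'
}

$onStart = {
    $ev  = $Event.SourceEventArgs.NewEvent      # a Win32_ProcessStartTrace instance
    $ctx = $Event.MessageData                   # hashtable passed in below; action scope has no access to $context
    if ($ev.ProcessName -ieq $ctx.Target) {
        # The parent can already be gone by the time this runs, so the lookup may return nothing.
        $parent = Get-WmiObject -Class Win32_Process -Filter ("ProcessId = {0}" -f $ev.ParentProcessID)
        if ($parent) {
            $who = "{0} (pid {1}) cmd: {2}" -f $parent.Name, $parent.ProcessId, $parent.CommandLine
        } else {
            $who = "pid {0} (already exited)" -f $ev.ParentProcessID
        }
        $line = "{0}  {1} pid {2} started by {3}" -f (Get-Date -Format s), $ev.ProcessName, $ev.ProcessID, $who
        Add-Content -Path $ctx.Log -Value $line
    }
}

Register-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier 'RasautouWatch' `
    -MessageData $context -Action $onStart | Out-Null

# Leave this PowerShell window open, reproduce whatever normally triggers the firewall prompt,
# then read the log and remove the subscription:
#   Get-Content $context.Log
#   Unregister-Event -SourceIdentifier 'RasautouWatch'
```

The subscription lives only as long as the PowerShell session, so a reboot ends it; to catch a launch that happens during logon, start the script from a scheduled task or the Startup folder before the trigger fires.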
Post #15, Jan 3 2009, 12:18 PM
dellphinus (Group: Members; Posts: 16; Joined: 23-December 08; Member No.: 273,285)
Member ![]() ![]() Group: Members Posts: 16 Joined: 23-December 08 Member No.: 273,285 |
Yes, the indication is only there for about a second.
.txt file attached
Attached File(s)