Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Security Toolbar 7.1 Trojan


  • Please log in to reply
6 replies to this topic

#1 jvmoore13

jvmoore13

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 17 October 2007 - 03:50 PM

I have been infected with the Secrity toolbar 7.1 trojan. How do I get rid of it? Attached is a copy of my HIJack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:25 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\tsitra1000106.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\SmFtZXM\command.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aractivate.adobe.com/eden/EdenUI.asp?Activate=0
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\otvfxmtf.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\avqerbcb.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Service Manager.norun
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165857209593
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4DC587C-1BFF-402D-A214-2363AEC6A2AB}: NameServer = 208.218.130.4,208.218.130.5
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: Upsemimg - {47747446-89CF-4C1F-94E3-ADCC6FE916E4} - C:\WINDOWS\system32\crtattxt.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFtZXM\command.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\wuoqymifse.html

--
End of file - 9021 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:27 PM

Posted 17 October 2007 - 04:14 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum jvmoore13 :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

It appears you've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/


With you having Service Pack 2 installed i'm presuming you're using the Windows Firewall.
You may be behind a hardware firewall(router),but it would'nt hurt to install a third party software firewall to henhance protection.
A word of warning regarding the Windows Firewall in Service Pack 2,it only filters INCOMING traffic.
That means if malware happens to compromise your PC,it will be able to SEND OUT out your credit card data,and any other personal information.
I suggest you install a more robust third party firewall that filters both INCOMING and OUTGOING traffic.

Download\install one of the following freeware firewalls from below:

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/

Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe

Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/

Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

You should read the following:
Understanding and Using Firewalls
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/


If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.

Edited by RichieUK, 17 October 2007 - 04:14 PM.

Posted Image
Posted Image

#3 jvmoore13

jvmoore13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 18 October 2007 - 10:36 AM

OK I have installed and run AVG anti viris, installed a firewall , run combo fix and rerun hijack this. Below are the combo fix log and the hijack log:

ComboFix 07-10-17.8 - jimmoore 2007-10-17 17:57:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT -7:00]
Running from: C:\Documents and Settings\jimmoore\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ComPlus Applications\povefa4444.dll
C:\Program Files\ComPlus Applications\povefa83122.dll
C:\Program Files\Hammer.dll
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\Temporary
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.5\wbuninst.exe
C:\Program Files\WinAble
C:\Program Files\Windows Media Player\wuoqymifse.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\SmFtZXM\asappsrv.dll
C:\WINDOWS\SmFtZXM\command.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\ybwxfia.dll
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-09-18 to 2007-10-18 )))))))))))))))))))))))))))))))
.

2007-10-17 17:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-17 17:40 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-10-17 17:40 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-10-17 17:40 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-10-17 17:40 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-10-17 17:40 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-10-17 17:39 <DIR> d-------- C:\Program Files\Sygate
2007-10-17 17:39 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-10-17 17:39 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-10-17 15:09 <DIR> d-------- C:\Documents and Settings\jimmoore\Application Data\AVG7
2007-10-17 15:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-17 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-17 11:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-17 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-17 10:27 339,968 --a------ C:\WINDOWS\system32\otvfxmtf.dll
2007-10-17 10:26 389,184 --a------ C:\WINDOWS\system32\sqfyimwk.exe
2007-10-17 10:23 416,767 --ahs---- C:\WINDOWS\system32\tvvwa.bak2
2007-10-16 19:09 <DIR> d-------- C:\Program Files\Microsoft Reader
2007-10-16 19:09 57,436 --a------ C:\WINDOWS\DASShp.dll
2007-10-16 18:39 6,465 --ahs---- C:\WINDOWS\system32\tvvwa.bak1
2007-10-16 18:33 <DIR> d-------- C:\WINDOWS\system32\zip1
2007-10-16 18:33 <DIR> d-------- C:\WINDOWS\system32\uie1
2007-10-16 18:33 <DIR> d-------- C:\WINDOWS\system32\pad2
2007-10-16 18:33 <DIR> d-------- C:\WINDOWS\system32\os2
2007-10-16 18:33 <DIR> d--hs---- C:\WINDOWS\SmFtZXM
2007-10-16 18:33 <DIR> d-------- C:\Temp
2007-10-16 18:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\NetMon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-18 00:40 --------- d-----w C:\Documents and Settings\jimmoore\Application Data\uTorrent
2007-10-18 00:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 02:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-09 03:12 --------- d-----w C:\Program Files\HeadCase SmartAce
2007-10-09 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\SmFtZXM\mAIQtrg.vbs
2007-06-26 12:57:10 56 --sh--r C:\WINDOWS\system32\2451EA59CC.sys
2007-06-26 12:57:10 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BB35926-EA3A-46F4-0A8D-44FAD4CE3180}]
C:\Program Files\Windows Media Player\sahuxolu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-17 10:27 339968 --a------ C:\WINDOWS\system32\otvfxmtf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB0AD594-8D81-49EB-9D7A-F6DAF7F24087}]
C:\WINDOWS\system32\awvvt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\otvfxmtf.dll [2007-10-17 10:27 339968]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 19:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 19:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 19:50]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 14:08]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 09:44]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-17 15:05]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 07:48]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.norun [2006-06-07 18:48:13]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-05-27 18:14:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=99 (0x63)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Upsemimg"= {47747446-89CF-4C1F-94E3-ADCC6FE916E4} - C:\WINDOWS\system32\crtattxt.dll [2004-08-04 04:00 1069056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfdbcd]
khfdbcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\otvfxmtf]
otvfxmtf.dll 2007-10-17 10:27 339968 C:\WINDOWS\system32\otvfxmtf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScanSnap Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
backup=C:\WINDOWS\pss\ScanSnap Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardMinder]
C:\Program Files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pdfquickview]
C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PfuSsSct.exe]
C:\Program Files\PFU\ScanSnap\PfuSsSct.exe /Station

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMDrive]
"C:\Program Files\FarStone\VDPPro\VHD\RDTask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
S0 fvdscsi;fvdscsi;C:\WINDOWS\system32\DRIVERS\fvdscsi.sys
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB

.
Contents of the 'Scheduled Tasks' folder
"2007-10-14 00:32:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-03-30 14:22:01 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
"2007-09-30 23:06:52 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D64K1Q91-Bob).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 18:07:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-17 18:10:11 - machine was rebooted
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:56 AM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\abc.bat
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aractivate.adobe.com/eden/EdenUI.asp?Activate=0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {4BB35926-EA3A-46F4-0A8D-44FAD4CE3180} - C:\Program Files\Windows Media Player\sahuxolu.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\otvfxmtf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {DB0AD594-8D81-49EB-9D7A-F6DAF7F24087} - C:\WINDOWS\system32\awvvt.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\otvfxmtf.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Service Manager.norun
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165857209593
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4DC587C-1BFF-402D-A214-2363AEC6A2AB}: NameServer = 208.218.130.4,208.218.130.5
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: khfdbcd - khfdbcd.dll (file missing)
O20 - Winlogon Notify: otvfxmtf - C:\WINDOWS\SYSTEM32\otvfxmtf.dll
O21 - SSODL: Upsemimg - {47747446-89CF-4C1F-94E3-ADCC6FE916E4} - C:\WINDOWS\system32\crtattxt.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9748 bytes

Edited by jvmoore13, 18 October 2007 - 10:39 AM.


#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:27 PM

Posted 18 October 2007 - 04:44 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\otvfxmtf.dll
C:\WINDOWS\system32\sqfyimwk.exe
C:\WINDOWS\system32\tvvwa.bak2
C:\WINDOWS\system32\tvvwa.bak1

Folder::
C:\WINDOWS\SmFtZXM

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BB35926-EA3A-46F4-0A8D-44FAD4CE3180}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB0AD594-8D81-49EB-9D7A-F6DAF7F24087}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Upsemimg"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfdbcd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\otvfxmtf]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image
Posted Image

#5 jvmoore13

jvmoore13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 19 October 2007 - 07:49 PM

OK I have run the Combofix script.

Below is a new combofix log and a hijack this script. Although the security tollbar item is now gone, something is still trying to hijack my computer as the firewall is blocking several outgoing items and something is causing a svchost.exe process to run and use 99% of my CPU. I had to manually stop it to get IE to open up.

ComboFix 07-10-17.8 - jimmoore 2007-10-19 8:15:30.3 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\jimmoore\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jimmoore\Desktop\CFScript
* Created a new restore point

FILE::
C:\WINDOWS\system32\otvfxmtf.dll
C:\WINDOWS\system32\sqfyimwk.exe
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak2
.

((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-17 17:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-17 17:40 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-10-17 17:40 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-10-17 17:40 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-10-17 17:40 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-10-17 17:40 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-10-17 17:39 <DIR> d-------- C:\Program Files\Sygate
2007-10-17 17:39 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-10-17 17:39 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-10-17 15:09 <DIR> d-------- C:\Documents and Settings\jimmoore\Application Data\AVG7
2007-10-17 15:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 15:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 15:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-17 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-17 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-17 11:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-17 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-16 19:09 <DIR> d-------- C:\Program Files\Microsoft Reader
2007-10-16 19:09 57,436 --a------ C:\WINDOWS\DASShp.dll
2007-10-16 18:33 <DIR> d-------- C:\WINDOWS\system32\zip1
2007-10-16 18:33 <DIR> d-------- C:\WINDOWS\system32\uie1
2007-10-16 18:33 <DIR> d-------- C:\WINDOWS\system32\pad2
2007-10-16 18:33 <DIR> d-------- C:\WINDOWS\system32\os2
2007-10-16 18:33 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 00:52 --------- d-----w C:\Documents and Settings\jimmoore\Application Data\uTorrent
2007-10-18 00:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-17 02:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-09 03:12 --------- d-----w C:\Program Files\HeadCase SmartAce
2007-10-09 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-06-26 12:57:10 56 --sh--r C:\WINDOWS\system32\2451EA59CC.sys
2007-06-26 12:57:10 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_18.09.16.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-17 22:05:50 775,680 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2007-10-18 16:02:59 821,728 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
- 2007-10-17 22:06:06 19,392 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2007-10-18 16:03:00 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2007-10-18 01:08:10 12,952 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2007-10-19 15:14:07 12,952 ----a-w C:\WINDOWS\system32\tablet.dat
- 2006-07-05 10:55:01 18,373 ----a-w C:\WINDOWS\system32\zapordb\uridalan.dll
+ 2006-07-05 10:55:01 28,193 ----a-w C:\WINDOWS\system32\zapordb\uridalan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 19:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 19:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 19:50]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 14:08]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 09:44]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-18 09:03]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 07:48]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.norun [2006-06-07 18:48:13]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-05-27 18:14:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScanSnap Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
backup=C:\WINDOWS\pss\ScanSnap Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardMinder]
C:\Program Files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pdfquickview]
C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PfuSsSct.exe]
C:\Program Files\PFU\ScanSnap\PfuSsSct.exe /Station

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAMDrive]
"C:\Program Files\FarStone\VDPPro\VHD\RDTask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]


R1 GhPciScan;GhostPciScanner;\??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
S0 fvdscsi;fvdscsi;C:\WINDOWS\system32\DRIVERS\fvdscsi.sys
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB

.
Contents of the 'Scheduled Tasks' folder
"2007-10-14 00:32:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-03-30 14:22:01 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
"2007-09-30 23:06:52 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D64K1Q91-Bob).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 08:34:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 8:36:12
C:\ComboFix2.txt ... 2007-10-18 18:33
C:\ComboFix3.txt ... 2007-10-17 18:10
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:58 AM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aractivate.adobe.com/eden/EdenUI.asp?Activate=0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Service Manager.norun
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165857209593
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4DC587C-1BFF-402D-A214-2363AEC6A2AB}: NameServer = 208.218.130.4,208.218.130.5
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8967 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:27 PM

Posted 20 October 2007 - 04:02 AM

Enable the viewing of hidden files and folders,reverse the process when you've done below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Find and delete this folder:
C:\WINDOWS\system32\zapordb

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Run 'ESET Online Scanner' using Internet Explorer:
http://www.eset.com/onlinescan/
Place a check in the box 'YES,I accept the Terms of Use' after reading.
Then click 'Start'.
Allow the activex control to install.
Then click 'Start' in the 'ESET Online Scanner' window.
Place a check in the box 'Remove found threats'.
Leave the box 'Scan unwanted applications' blank.
Then press 'Scan'.
The scan will take up some time so please be patient.
Once the scan has finished,post the entire contents of the logfile:
C:\Program Files\EsetOnlineScanner\log.txt

Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#7 jvmoore13

jvmoore13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 27 October 2007 - 09:10 AM

Here are the logs:

Super Anti Spyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/21/2007 at 06:41 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:50:02

Memory items scanned : 411
Memory threats detected : 0
Registry items scanned : 6880
Registry threats detected : 2
File items scanned : 89526
File threats detected : 101

Adware.Tracking Cookie
C:\Documents and Settings\jimmoore\Cookies\jimmoore@clickaider[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@realmedia[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ad.yieldmanager[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www.xctrk[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@atdmt[3].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@fastclick[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@zedo[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www.googleadservices[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@login.tracking101[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ads.19searchfeed[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@findwhat[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@clicksor[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@buycom.122.2o7[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@adbrite[3].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@adsby.zwoops[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@doubleclick[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@click.offermgmt[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ads.adbrite[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@imrworldwide[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@3.adbrite[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@adsrevenue[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@usenext[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@list[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@media.adrevolver[3].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@yadro[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www.incentaclick[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ads.cnn[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@screensavers[4].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@statcounter[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@atwola[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ad1.clickhype[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@adrevolver[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@toplist[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@interclick[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@eyewonder[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@redirect.clickshield[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@counter.search[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@media.adrevolver[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ads.expedia[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@mediatraffic[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www.screensavers[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@stat.errclean[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@19searchfeed[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@3.adbrite[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ad.uk.tangozebra[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ad1.clickhype[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@adbrite[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ads.addynamix[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ads.pointroll[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ads.revsci[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@ads4.blastro[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@advertising[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@atdmt[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@atlas.entrepreneur[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@azjmp[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@azjmp[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@azjmp[3].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@azjmp[4].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@bridge.admarketplace[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@cbs.112.2o7[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@clickarrows[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@clicksor[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@enhance[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@findwhat[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@i.screensavers[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@i.screensavers[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@lynxtrack[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@mpire.112.2o7[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@perf.overture[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@precisionclick[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@publishers.clickbooth[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@revenuesense[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@revsci[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@revsci[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@screensavers[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@screensavers[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@sexbuddies[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@specificclick[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@statcounter[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@statsgod[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@tribalfusion[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@weborama[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www.3dstats[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www.burstbeacon[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www.entrepreneur[1].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www.entrepreneur[2].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www2.mystats[3].txt
C:\Documents and Settings\jimmoore\Cookies\jimmoore@www5.addfreestats[2].txt
C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
C:\Documents and Settings\LocalService\Cookies\system@rotator.dex.adjuggler[2].txt
C:\Documents and Settings\LocalService\Cookies\system@thunderbolt.adjuggler[2].txt
C:\Documents and Settings\NetworkService\Cookies\jimmoore@ads.k8l[1].txt
C:\Documents and Settings\NetworkService\Cookies\jimmoore@ads2.k8l[1].txt

Adware.Web Buying
HKU\.DEFAULT\Software\WebBuying
HKU\S-1-5-18\Software\WebBuying

Adware.WebBuying Assistant-Installer
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.5\WBUNINST.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000016.EXE

Adware.k8l
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWS MEDIA PLAYER\WUOQYMIFSE.HTML.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SMFTZXM\MAIQTRG.VBS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000008.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0002172.VBS
ESET Online scanner
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2608 (20071023)
# vers_arch_module=1.058 (20070906)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=3489d51bc10c124cb2f47269ce67ab62
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2007-10-23 06:05:49
# local_time=2007-10-22 11:05:49 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=461102
# found=8
# scan_time=3871
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\jimmoore\Favorites\Online Security Guide.lnk Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\catchme2007-10-18_183134.59.zip Win32/Adware.SecToolbar application (deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\catchme2007-10-18_183134.59.zip ZIP otvfxmtf.dll Win32/Adware.SecToolbar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Program Files\Hammer.dll.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\otvfxmtf.dll.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\WINDOWS\system32\sqfyimwk.exe.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000


Hijack Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:12 AM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\abc.bat

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aractivate.adobe.com/eden/EdenUI.asp?Activate=0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Service Manager.norun
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165857209593
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9149 bytes

It appears that something is still trying to run as the firewall has blocked a lot of outgoing traffic from several system files including :

ntoskrnl.exe
ndisuio.sys
svchost.exe
alg.exe
explorer.exe

Thanks again for your help

James




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users