Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo & Metajuan (new Mutation?)


  • Please log in to reply
18 replies to this topic

#1 zebraman

zebraman

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 10 December 2007 - 11:08 AM

NAV (Version 14.2.0.29) detects Vundo and Metajuan about once every-other-day. It then claims to have resolved all the issues and needs a reboot. After a full scan, both appear to be gone, but then about 48 hours later, they are both back.

I ran VundoFix (both in and out of Safe mode) and it would claim to resolve it, but again after ~48 hours it would come back. I also tried VirtumundoBeGone, but it never would detect Vundo (claimed machine was clean).

I ran HJT, found a few registry entries that were pretty clearly virus/vundo related and removed them by hand. Also saw there was a "FixVundo" Service that had been installed. Deleted the file it was running (undetected by NAV and VundoFix). I also removed the Service (Disabled, then deleted registry entry). Everything seemed peachy for another 48 hours, but then it came back.

NAV has been running the whole time (with auto-protect on -- nearly always). It seems to only detect the files installed (downloaded?) by the virus, but not the actual virus. :thumbsup:

Last note: I've read Vundo can infect Java. I _do_ have multiple jre's/jdk's installed on this machine, including JRE1.4. While I've scanned them multiple time, NAV finds nothing, and I kinda-sorta need 1.4 for a legacy project.

I hoped to resolve this without bothering anyone, but after spending numerous hours, I'm pretty stuck. Any help would be appreciated as I'd really hate to reinstall this box.

Thanks in advance!
-Zebraman

hijackthis - after NAV fixes - before reboot
Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:04:58 AM, on 12/10/2007Platform: Windows Vista  (WinNT 6.00.1904)MSIE: Internet Explorer v7.00 (7.00.6000.16546)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exeC:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeC:\Windows\sttray.exeC:\Program Files\TortoiseSVN\bin\TSVNCache.exeC:\Program Files\Intel\IDU\iptray.exeC:\Program Files\Lexmark 4300 Series\lxcemon.exeC:\Program Files\Lexmark 4300 Series\ezprint.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Java\jre1.6.0_03\bin\jusched.exeC:\Program Files\eFax Messenger 4.3\J2GDllCmd.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Windows\ehome\ehtray.exeC:\Windows\ehome\ehmsas.exeC:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exeC:\Program Files\Palm\Hotsync.exeC:\Program Files\MagicDisc\MagicDisc.exeC:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exeC:\Windows\System32\mobsync.exeC:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exeC:\Windows\system32\wuauclt.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Windows Media Player\wmplayer.exeC:\Program Files\Wireless Sync\Client\Monitor.exeC:\Program Files\Wireless Sync\Client\Monitor.exeC:\Program Files\Microsoft Office\Office12\OUTLOOK.EXEC:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exeC:\Windows\system32\SearchFilterHost.exeC:\Users\mark\Desktop\HiJackThis\HiJackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.contractdesk.com/"]http://www.contractdesk.com/[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLLO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startupO4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeO4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exeO4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /RO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXEO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-21-425920681-3999741084-2353616871-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exeO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exeO4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exeO4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exeO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO13 - Gopher Prefix: O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - [url="https://www23.wirelesssync.vzw.com/en/SyncInstall.cab"]https://www23.wirelesssync.vzw.com/en/SyncInstall.cab[/url]O17 - HKLM\System\CCS\Services\Tcpip\..\{7F284B8D-C27E-47D4-B4B5-DA4E6636E7A7}: Domain = micropact.comO17 - HKLM\System\CCS\Services\Tcpip\..\{7F284B8D-C27E-47D4-B4B5-DA4E6636E7A7}: NameServer = 192.168.11.5,192.168.1.1O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = micropact.comO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = micropact.comO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLLO22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dllO23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exeO23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exeO23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeO23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exeO23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeO23 - Service: lxce_device -   - C:\Windows\system32\lxcecoms.exeO23 - Service: Intel® Viiv(tm) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exeO23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeO23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exeO23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exeO23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exeO23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exeO23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe--End of file - 14404 bytes

NAV Log
Scan Stats:  Scan Time: 5767  Scan Options:   Scan Targets: C:, E:  Counts:   Total items scanned: 2711388   - Files & Directories: 2705310   - Registry Entries: 307   - Processes & Start-up Items: 5626   - Network & Browser Items: 140   - Other: 5   Total security risks detected: 2   Total items resolved: 2   Total items that require attention: 0Resolved Threats:Trojan.Vundo Virus ID: 28544 Type: Anomaly Risk: High (High Stealth, High Removal, High Performance, High Privacy)   Categories: Virus State: Restart Required ----------- 128 Registry EntriesHKEY_CLASSES_ROOT\CLSID\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{BAD263C7-B253-43D9-A1F7-25A1010E24E2} - Restart RequiredHKEY_CLASSES_ROOT\MSEvents.MSEvents - Restart RequiredHKEY_CLASSES_ROOT\MSEvents.MSEvents.1 - Restart RequiredHKEY_CLASSES_ROOT\IEpl.IEpl - Restart RequiredHKEY_CLASSES_ROOT\IEpl.IEPl.1 - Restart RequiredHKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater - Restart RequiredHKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater.1 - Restart RequiredHKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib - Restart RequiredHKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1 - Restart RequiredHKEY_CLASSES_ROOT\RawExecAction.RawExecAction - Restart RequiredHKEY_CLASSES_ROOT\RawExecAction.RawExecAction.1 - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-A602-5812EB50A834} - Restart RequiredHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-A602-5812EB50A834} - Restart RequiredHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD263C7-B253-43D9-A1F7-25A1010E24E2} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks->{BAD263C7-B253-43D9-A1F7-25A1010E24E2} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Restart RequiredHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Restart RequiredHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->SysUpd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run->WindowsUpd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\WindowsUpd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\WindowsUpd - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\WindowsUpd - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\WindowsUpd - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\WindowsUpd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\SysUpd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\SysUpd - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\SysUpd - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\SysUpd - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\SysUpd - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Restart RequiredHKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Restart RequiredHKEY_LOCAL_MACHINE\Software\Microsoft\DomainService - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws - Restart RequiredHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\aldd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\aldd - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\aldd - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\aldd - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\aldd - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\rdfa - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\rdfa - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\rdfa - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\rdfa - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\rdfa - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\CAC - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\CAC - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\CAC - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\CAC - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\CAC - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1000\Software\Microsoft\affltid - Restart RequiredHKEY_USERS\S-1-5-21-425920681-3999741084-2353616871-1001\Software\Microsoft\affltid - Restart RequiredHKEY_USERS\S-1-5-19\Software\Microsoft\affltid - Restart RequiredHKEY_USERS\S-1-5-20\Software\Microsoft\affltid - Restart RequiredHKEY_USERS\.DEFAULT\Software\Microsoft\affltid - Restart RequiredHKEY_LOCAL_MACHINE\Software\Microsoft\FCOVM - Restart RequiredHKEY_LOCAL_MACHINE\Software\Microsoft\RemoveRP - Restart RequiredHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon->SFCDisable:0 - Restart RequiredHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa->Authentication Packages:... - Restart Required2 Filesc:\windows\system32\lekcgroy.exe - Deletedc:\Windows\System32\nxhghofq.exe - Deleted8 ProcessesC:\Users\mark\AppData\Local\virtualstore\program files\internet explorer\iexplore.exe - No Action RequiredC:\Program Files\Internet Explorer\iexplore.exe - No Action RequiredC:\Users\mark\AppData\Local\virtualstore\windows\system32\rundll32.exe - No Action RequiredC:\Windows\system32\rundll32.exe - No Action RequiredC:\Users\mark\AppData\Local\virtualstore\program files\internet explorer\iexplore.exe - No Action RequiredC:\Program Files\Internet Explorer\iexplore.exe - No Action RequiredC:\Users\mark\AppData\Local\virtualstore\windows\system32\rundll32.exe - No Action RequiredC:\Windows\system32\rundll32.exe - No Action Required1 ServiceDomainService - No Action Required1 Browser CacheTrojan.Metajuan Virus ID: 4836 Type: Anomaly Risk: High (High Stealth, High Removal, High Performance, High Privacy)   Categories: Virus State: Fully Resolved ----------- 1 Filec:\windows\system32\lyxfdwpr.dll - Deleted1 Browser CacheUnresolved Threats:


BC AdBot (Login to Remove)

 


#2 zebraman

zebraman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 10 December 2007 - 11:18 AM

HJT after reboot
Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:16:18 AM, on 12/10/2007Platform: Windows Vista  (WinNT 6.00.1904)MSIE: Internet Explorer v7.00 (7.00.6000.16546)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Program Files\TortoiseSVN\bin\TSVNCache.exeC:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exeC:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeC:\Windows\sttray.exeC:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exeC:\Program Files\Intel\IDU\iptray.exeC:\Program Files\Lexmark 4300 Series\lxcemon.exeC:\Program Files\Lexmark 4300 Series\ezprint.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exeC:\Program Files\Java\jre1.6.0_03\bin\jusched.exeC:\Program Files\eFax Messenger 4.3\J2GDllCmd.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Windows\ehome\ehtray.exeC:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exeC:\Windows\ehome\ehmsas.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exeC:\Program Files\Palm\Hotsync.exeC:\Program Files\Wireless Sync\Client\Monitor.exeC:\Program Files\MagicDisc\MagicDisc.exeC:\Program Files\Wireless Sync\Client\Monitor.exeC:\Program Files\Microsoft Office\Office12\OUTLOOK.EXEC:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exeC:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\mark\Desktop\HiJackThis\HiJackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.contractdesk.com/"]http://www.contractdesk.com/[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLLO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startupO4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeO4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exeO4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /RO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXEO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-21-425920681-3999741084-2353616871-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exeO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exeO4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exeO4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exeO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO13 - Gopher Prefix: O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - [url="https://www23.wirelesssync.vzw.com/en/SyncInstall.cab"]https://www23.wirelesssync.vzw.com/en/SyncInstall.cab[/url]O17 - HKLM\System\CCS\Services\Tcpip\..\{7F284B8D-C27E-47D4-B4B5-DA4E6636E7A7}: Domain = micropact.comO17 - HKLM\System\CCS\Services\Tcpip\..\{7F284B8D-C27E-47D4-B4B5-DA4E6636E7A7}: NameServer = 192.168.11.5,192.168.1.1O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = micropact.comO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = micropact.comO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLLO22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dllO23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exeO23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exeO23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeO23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exeO23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeO23 - Service: lxce_device -   - C:\Windows\system32\lxcecoms.exeO23 - Service: Intel® Viiv(tm) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exeO23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeO23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exeO23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exeO23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exeO23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exeO23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe--End of file - 14359 bytes

Edited by zebraman, 10 December 2007 - 11:18 AM.


#3 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:06:44 PM

Posted 26 December 2007 - 11:56 AM

Hello zebraman and welcome to BleepingComputer!

Apollogies for the delay. The forum has been very busy lately. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#4 zebraman

zebraman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 09 January 2008 - 11:47 AM

Hi Johannes,

Sorry I didn't reply right away. I think (somehow) I finally fixed it. Using hjt over and over, I think I finally killed whatever kept reinstalling the virus. I'm sure there were plenty of people worse off than myself (at least in urgency). It took me several days to finally get it fixed (I hope).

Anyhow, thanks for offering such a resource, I'm sure others will appreciate the assistance!

Good luck, and happy hunting.

#5 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:06:44 PM

Posted 09 January 2008 - 11:58 AM

hey zebraman,

just fixing with hijackthis does not remove your infections. There is a fair bit more to it. If you are still not entirely sure, please post back with a fresh HijackThis log and the tools you have used so far to "seem" to have solved your problem. If its all gone, we will not have much to do anyway :thumbsup: .

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#6 zebraman

zebraman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 09 January 2008 - 12:31 PM

Ok, I've pasted my latest HJT. Sorry for all the extra running processes, but I didn't want to close out of everything before sending.

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:24:51 PM, on 1/9/2008Platform: Windows Vista  (WinNT 6.00.1904)MSIE: Internet Explorer v7.00 (7.00.6000.16575)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exeC:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeC:\Windows\sttray.exeC:\Program Files\TortoiseSVN\bin\TSVNCache.exeC:\Program Files\Intel\IDU\iptray.exeC:\Program Files\Lexmark 4300 Series\lxcemon.exeC:\Program Files\Lexmark 4300 Series\ezprint.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\eFax Messenger 4.3\J2GDllCmd.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Java\jre1.6.0_03\bin\jusched.exeC:\Windows\ehome\ehtray.exeC:\Windows\ehome\ehmsas.exeC:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exeC:\Program Files\Palm\Hotsync.exeC:\Program Files\Wireless Sync\Client\Monitor.exeC:\Program Files\MagicDisc\MagicDisc.exeC:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exeC:\Program Files\Wireless Sync\Client\Monitor.exeC:\Program Files\Microsoft Office\Office12\OUTLOOK.EXEC:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exeC:\Windows\system32\wuauclt.exeC:\Windows\Explorer.EXEC:\Program Files\LogMeIn\x86\LogMeInSystray.exeC:\Program Files\Windows Media Player\wmplayer.exeC:\Program Files\Pidgin\pidgin.exeC:\Program Files\PuTTY\putty.exeC:\Program Files\PuTTY\putty.exeC:\Program Files\PuTTY\putty.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exeC:\Program Files\Microsoft Office\Office12\ONENOTEM.EXEC:\Program Files\JasperSoft\iReport-2.0.3\iReport.exeC:\Program Files\Java\jre1.6.0_03\bin\javaw.exeC:\Users\mark\Desktop\HiJackThis\HiJackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.contractdesk.com/"]http://www.contractdesk.com/[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startupO4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeO4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exeO4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /RO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXEO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-21-425920681-3999741084-2353616871-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exeO4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXEO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exeO4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exeO4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exeO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO13 - Gopher Prefix: O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - [url="https://www23.wirelesssync.vzw.com/en/SyncInstall.cab"]https://www23.wirelesssync.vzw.com/en/SyncInstall.cab[/url]O17 - HKLM\System\CCS\Services\Tcpip\..\{7F284B8D-C27E-47D4-B4B5-DA4E6636E7A7}: Domain = micropact.comO17 - HKLM\System\CCS\Services\Tcpip\..\{7F284B8D-C27E-47D4-B4B5-DA4E6636E7A7}: NameServer = 192.168.11.5,192.168.1.1O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = micropact.comO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = micropact.comO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dllO23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exeO23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exeO23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeO23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exeO23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeO23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exeO23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exeO23 - Service: lxce_device -   - C:\Windows\system32\lxcecoms.exeO23 - Service: Intel® Viiv(tm) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exeO23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeO23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exeO23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exeO23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exeO23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exeO23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe--End of file - 15140 bytes

I did a lot of things (and I'm not sure I can remember everything) in attempt to remove the vundo-like virus. I am not 100% sure it is removed, but I no longer have the symptoms and (finally) NAV no longer detects anything -- So either the virus has mutated and is no longer detected, or I have somehow hampered it.

I removed previous versions of Java as I was afraid this might be how the virus was attacking. I then went through HJT and removed (both the entries, and in some cases the physical files) by hand multiple times. I don't have too much of an accurate history, as I was on a deadline and this was sucking down Waaaay too much time. I do have the old HJT logs (two were posted previously).

Thanks for your time.

#7 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:06:44 PM

Posted 11 January 2008 - 03:04 PM

Hey zebraman,

I removed previous versions of Java as I was afraid this might be how the virus was attacking

That was a good thing to do, as a lot of the Vundo variants and other spyware / malware come via these exploitable versions.

The old logs wont be of much help, as your system will look entirely different today (thus the ask for a new log :thumbsup:).

Step #1

You seem to have disabled Norton from startup. This indicates why you are saying Norton does not detect anything. It will only "bark" at you, if you have the guard enabled.

Please enable your Norton Software again. Thanks.

Step #2

Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close ALL applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
The logs can be quite lengthy..use two post if you need to get them all in.

Step #3

Please go to Eset Onlinescan (NOD32)
(You need to use InternetExplorer or enable IEView in Firefox)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
    • Click into the text area, right-click and chose "select all" (or use ctrl+a)
    • Right-click again and chose "copy" (or ctrl+c)
    • Close Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

Step #4

Please post back with the main.txt and the extra.txt from the DSS scan and the C:\Program Files\EsetOnlineScanner\log.txt, from the NOD32 onlinescan. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#8 zebraman

zebraman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 11 January 2008 - 05:28 PM

Hi YourHighness:

I have not yet done all your steps, but I'm very curious to your first comment:

Step #1

You seem to have disabled Norton from startup. This indicates why you are saying Norton does not detect anything. It will only "bark" at you, if you have the guard enabled.

Please enable your Norton Software again. Thanks.


The only thing I disabled was "Run Quick Scan whenever protection updates have been received". What gives you the impression NAV is not running? Ever since the "infection" I run a full daily-scan (3am). I also have all the Auto-Protect stuff on (despite the performance hit).

NAV gives me a window about once a day saying my system is clean. In the past the daily NAV scan would show it was clean one day and the 24-48 hours later it would say it was infected again. (Auto-protect never detected anything).

Do you think NAV could have become infected?

#9 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:06:44 PM

Posted 12 January 2008 - 03:07 AM

Hi zebraman,

I can see that NAV was running when you did the log, but what I am referring to is the guard. Only one part of your NAV appeared in the startup section of your log (O4s) and not NAV en bloc. Having the guard run in the background is an important thing to stay clean from further infection / re-infection / new infection.

Everything is possible. But from the logs I have seen so far, it is not possible to tell. Once you post the other logs, we are able to tell more about your PC status :thumbsup:

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#10 zebraman

zebraman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 14 January 2008 - 10:17 AM

dss.exe Main.txt:

Run by mark on 2008-01-14 10 _linenums:6'>Deckard's System Scanner v20071014.68Run by mark on 2008-01-14 10:06:50Computer is in Normal Mode.---------------------------------------------------------------------------------- Last 5 Restore Point(s) --16: 2008-01-14 05:00:07 UTC - RP152 - Scheduled Checkpoint15: 2008-01-13 05:00:03 UTC - RP151 - Scheduled Checkpoint14: 2008-01-12 11:36:31 UTC - RP150 - Scheduled Checkpoint13: 2008-01-11 05:00:03 UTC - RP149 - Scheduled Checkpoint12: 2008-01-10 05:00:03 UTC - RP148 - Scheduled Checkpoint-- First Restore Point -- 1: 2007-12-30 05:00:01 UTC - RP137 - Scheduled CheckpointBacked up registry hives.Performed disk cleanup.-- HijackThis (run as mark.exe) ------------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:11:41 AM, on 1/14/2008Platform: Windows Vista  (WinNT 6.00.1904)MSIE: Internet Explorer v7.00 (7.00.6000.16575)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exeC:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeC:\Windows\sttray.exeC:\Program Files\TortoiseSVN\bin\TSVNCache.exeC:\Program Files\Intel\IDU\iptray.exeC:\Program Files\Lexmark 4300 Series\lxcemon.exeC:\Program Files\Lexmark 4300 Series\ezprint.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\eFax Messenger 4.3\J2GDllCmd.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Java\jre1.6.0_03\bin\jusched.exeC:\Windows\ehome\ehtray.exeC:\Windows\ehome\ehmsas.exeC:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exeC:\Program Files\Palm\Hotsync.exeC:\Program Files\Wireless Sync\Client\Monitor.exeC:\Program Files\MagicDisc\MagicDisc.exeC:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exeC:\Program Files\Wireless Sync\Client\Monitor.exeC:\Program Files\Microsoft Office\Office12\OUTLOOK.EXEC:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exeC:\Windows\system32\wuauclt.exeC:\Windows\Explorer.EXEC:\Program Files\LogMeIn\x86\LogMeInSystray.exeC:\Program Files\Microsoft Office\Office12\ONENOTEM.EXEC:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exeC:\Users\mark\Desktop\dss.exeC:\Users\mark\Desktop\HIJACK~1\mark.exeC:\Windows\system32\SearchFilterHost.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.contractdesk.com/"]http://www.contractdesk.com/[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startupO4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exeO4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exeO4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /RO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXEO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-21-425920681-3999741084-2353616871-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exeO4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXEO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exeO4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exeO4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exeO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO13 - Gopher Prefix: O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - [url="https://www23.wirelesssync.vzw.com/en/SyncInstall.cab"]https://www23.wirelesssync.vzw.com/en/SyncInstall.cab[/url]O17 - HKLM\System\CCS\Services\Tcpip\..\{7F284B8D-C27E-47D4-B4B5-DA4E6636E7A7}: Domain = micropact.comO17 - HKLM\System\CCS\Services\Tcpip\..\{7F284B8D-C27E-47D4-B4B5-DA4E6636E7A7}: NameServer = 192.168.11.5,192.168.1.1O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = micropact.comO17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = micropact.comO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dllO23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exeO23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel® DHTrace Controller (DHTRACE) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exeO23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeO23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exeO23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeO23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exeO23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exeO23 - Service: lxce_device -   - C:\Windows\system32\lxcecoms.exeO23 - Service: Intel® Viiv(tm) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exeO23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exeO23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: Intel® NMSCore (NMSCore) - Intel® Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exeO23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exeO23 - Service: Intel® Quality Manager (QualityManager) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exeO23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exeO23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe--End of file - 14866 bytes-- File Associations -----------------------------------------------------------All associations okay.-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper (tm) Disk Defragmenter>R2 DQLWinService - "c:\program files\common files\intel\inteldh\nms\adpplugins\dqlwinservice.exe" <Not Verified; ; DQLWinSe Application>R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exeR2 STacSV (SigmaTel Audio Service) - c:\program files\sigmatel\c-major audio\wdm\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>S2 OpenSSHd (OpenSSH Server) - c:\program files\openssh\bin\cygrunsrv.exeS3 Tomcat5 (Apache Tomcat) - "c:\program files\apache software foundation\tomcat 5.5\bin\tomcat5.exe" //rs//tomcat5 <Not Verified; Apache Software Foundation; Service Runner>S4 VundoFixSvc (VundoFix Service) - vundofixsvc.exe (file missing)-- Device Manager: Disabled ----------------------------------------------------No disabled devices found.-- Scheduled Tasks -------------------------------------------------------------2008-01-14 09:59:08       416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{267AE884-F591-466F-977B-FE190516C2F1}.job2008-01-13 11:20:48       514 --a------ C:\Windows\Tasks\Norton AntiVirus - system32_scan - mark.job2008-01-13 11:20:46       478 --a------ C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - mark.job-- Files created between 2007-12-14 and 2008-01-14 -----------------------------2008-01-14 10:03:23         0 d-------- C:\Users\mark\flexdock2008-01-08 16:31:25         0 d-------- C:\Users\mark\.ireport2008-01-08 16:29:23         0 d-------- C:\Program Files\JasperSoft2007-12-20 16:50:24         0 d-------- C:\Users\mark\oldpalmsd2007-12-19 14:26:55         0 d-------- C:\Program Files\Combined Community Codec Pack2007-12-18 16:22:06         0 d-------- C:\Program Files\LogMeIn2007-12-17 11:51:07         0 d-------- C:\EbuDllTmpDir-- Find3M Report ---------------------------------------------------------------2008-01-14 10:06:17         0 d-------- C:\Users\mark\AppData\Roaming\.purple2008-01-14 09:54:24         0 d-------- C:\Users\mark\AppData\Roaming\Azureus2008-01-12 16:11:33         0 d-------- C:\Program Files\Azureus2008-01-08 12:28:49         0 d-------- C:\Program Files\Lx_cats2007-12-18 17:12:09      1792 --a------ C:\Windows\mozver.dat2007-12-18 11:29:10         0 d-------- C:\Users\mark\AppData\Roaming\Adobe2007-12-17 11:51:15         0 d--h----- C:\Program Files\InstallShield Installation Information2007-12-17 11:51:04         0 d-------- C:\Program Files\Common Files\InstallShield2007-12-10 20:30:50         0 d-------- C:\Program Files\Java2007-12-10 20:29:15         0 d-------- C:\Program Files\Sun2007-12-10 14:55:43         0 d-------- C:\Program Files\DivX2007-12-10 12:28:49         0 d-------- C:\Users\mark\AppData\Roaming\Symantec2007-12-09 13:49:48         0 d-------- C:\Users\mark\AppData\Roaming\IsolatedStorage2007-12-07 13:06:21         0 d-------- C:\Users\mark\AppData\Roaming\mtail2007-12-07 12:36:08         0 d-------- C:\Program Files\WinSCP2007-12-06 19:36:15         0 d-------- C:\Program Files\WinSCPPlus2007-12-06 18:31:56       370 --a------ C:\registry_bak_2007-12-06.reg2007-12-06 18:06:07         0 d-------- C:\Program Files\Sophos2007-12-06 14:47:36         0 d-------- C:\Program Files\DAEMON Tools Pro2007-12-06 12:27:21     74170 ---hs---- C:\Windows\system32\qpqss.ini22007-12-06 11:34:08     70351 ---hs---- C:\Windows\system32\qpqss.bak22007-12-06 10:53:16    130048 --a------ C:\VundoFix.exe <Not Verified; Atribune.org; VundoFix>2007-12-06 10:52:58     96978 --a------ C:\VirtumundoBeGone.exe <Not Verified; Business Information Solutions; VirtumundoBeGone v1.5 by secured2k@msn.com>2007-12-06 08:45:08     69635 ---hs---- C:\Windows\system32\qpqss.bak12007-12-05 12:12:28         0 d-------- C:\Program Files\VideoLAN2007-12-05 11:15:16         0 d-------- C:\Program Files\Microsoft Analysis Services2007-12-05 11:14:38         0 d-------- C:\Program Files\Microsoft SQL Server2007-12-05 11:13:10         0 d-------- C:\Program Files\Microsoft Synchronization Services2007-12-05 11:12:23         0 d-------- C:\Program Files\Microsoft.NET2007-12-05 11:10:00         0 d-------- C:\Program Files\SQLXML 4.02007-12-05 11:09:40         0 d-------- C:\Program Files\Microsoft SQL Server Compact Edition2007-12-05 10:55:28         0 d-------- C:\Program Files\Norton AntiVirus2007-12-05 10:54:33         0 d-------- C:\Program Files\Symantec2007-12-04 17:59:21         0 --a------ C:\ntuser.dat2007-12-03 20:33:18    802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>2007-12-03 20:33:18    823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>2007-12-03 20:33:18    823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>2007-12-03 20:33:16    682496 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>2007-11-30 17:25:21         0 d-------- C:\Program Files\Common Files\Symantec Shared2007-11-29 17:30:28   3596288 --a------ C:\Windows\system32\qt-dx331.dll2007-11-29 17:28:24    196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>2007-11-29 17:28:24     81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>2007-11-28 20:04:37         0 d-------- C:\Program Files\Common Files\PX Storage Engine2007-11-28 20:04:35         0 d-------- C:\Program Files\Common Files2007-11-28 20:02:32         0 d-------- C:\Users\mark\AppData\Roaming\DivX2007-11-28 20:00:12         0 d-------- C:\Users\mark\AppData\Roaming\Newsbin2007-11-28 19:44:12         0 d-------- C:\Program Files\QuickPar2007-11-28 19:06:23         0 d-------- C:\Program Files\NewsBin2007-11-28 16:52:32     12288 --a------ C:\Windows\system32\DivXWMPExtType.dll2007-11-28 13:58:47         0 d-------- C:\Program Files\GrabIt2007-11-26 19:29:35         0 d-------- C:\Program Files\Pan2007-11-26 15:37:06         0 d-------- C:\Program Files\BitLocker2007-11-26 15:36:04         0 d-------- C:\Program Files\Microsoft Games2007-11-26 10:09:05         0 d-------- C:\Users\mark\AppData\Roaming\Apple Computer2007-11-26 10:08:48         0 d-------- C:\Program Files\iTunes2007-11-26 10:08:42         0 d-------- C:\Program Files\iPod2007-11-26 10:08:18         0 d-------- C:\Program Files\QuickTime2007-11-26 10:05:43         0 d-------- C:\Program Files\Common Files\Apple2007-11-25 23:21:02         0 d-------- C:\Users\mark\AppData\Roaming\gtk-2.02007-11-25 21:35:19         0 d-------- C:\Program Files\OpenSSH2007-11-25 14:13:31         0 d-------- C:\Program Files\Common Files\Adobe2007-11-25 13:57:24         0 d-------- C:\Program Files\Bonjour2007-11-25 13:54:40         0 d-------- C:\Program Files\Common Files\Macrovision Shared2007-11-25 13:29:04         0 d-------- C:\Program Files\Apple Software Update2007-11-25 12:44:47         0 d-------- C:\Program Files\GIMP-2.02007-11-23 17:37:09         0 d-------- C:\Users\mark\AppData\Roaming\eFax Messenger2007-11-23 17:32:29         0 d-------- C:\Program Files\eFax Messenger 4.32007-11-23 17:32:24         0 --a------ C:\Windows\system32\eFax_4_3_Port2007-11-16 13:38:13         0 d-------- C:\Program Files\TortoiseSVN2007-11-16 01:19:20         0 d-------- C:\Program Files\Temporary2007-11-15 14:52:21         0 d-------- C:\Program Files\Apache Software Foundation2007-11-15 12:44:19         0 d-------- C:\Program Files\Pidgin2007-11-15 12:44:17         0 d-------- C:\Program Files\Aspell2007-11-15 12:43:22         0 d-------- C:\Program Files\Common Files\GTK2007-11-14 22:05:09         0 d-------- C:\Program Files\Wireless Sync2007-11-14 21:13:55         0 d-------- C:\Users\mark\AppData\Roaming\Leadertech2007-11-14 21:13:02         0 d-------- C:\Program Files\Palm2007-11-14 21:04:08         0 d-------- C:\Users\mark\AppData\Roaming\HotSync2007-11-14 20:12:12         0 d-------- C:\Users\mark\AppData\Roaming\Macromedia2007-11-14 19:25:47         0 d-------- C:\Users\mark\AppData\Roaming\Identities2007-11-14 18:34:28         0 d-------- C:\Program Files\WinAble2007-11-14 18:05:11         0 d-------- C:\Program Files\Microsoft Works2007-11-14 18:05:00         0 d-------- C:\Program Files\MSBuild2007-11-14 18:02:48         0 d-------- C:\Program Files\Microsoft Visual Studio 82007-11-14 17:59:22         0 d-------- C:\Program Files\MagicDisc2007-11-14 17:54:45         0 d-------- C:\Program Files\MagicISO2007-11-14 14:07:43         0 d-------- C:\Users\mark\AppData\Roaming\DAEMON Tools Pro2007-11-14 13:49:37         0 d-------- C:\Users\mark\AppData\Roaming\WinRAR2007-11-14 13:21:50         0 d-------- C:\Users\mark\AppData\Roaming\Nero2007-11-14 13:20:16         0 d-------- C:\Program Files\Common Files\Nero2007-11-14 13:19:22         0 d-------- C:\Program Files\Nero2007-11-14 13:13:37         0 d-------- C:\Program Files\Vim2007-11-14 12:25:13         0 d-------- C:\Program Files\PuTTY2007-11-14 12:13:24         0 d-------- C:\Program Files\Lexmark 4300 Series2007-11-14 11:15:04         0 d-------- C:\Users\mark\AppData\Roaming\Subversion2007-11-13 17:30:08         0 --a------ C:\Windows\nsreg.dat2007-11-13 17:18:07       174 --ahs---- C:\Program Files\desktop.ini2007-10-23 11:17:36   1488896 --a------ C:\mtail.exe <Not Verified; MayOneZ; >-- Registry Dump ---------------------------------------------------------------*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [07/11/2007 10:26 AM]"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [03/21/2007 01:00 PM]"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [04/06/2007 02:07 PM]"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [04/06/2007 02:11 PM]"SigmatelSysTrayApp"="sttray.exe" [06/07/2007 09:56 PM C:\Windows\sttray.exe]"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [11/15/2006 04:21 PM]"ipTray.exe"="C:\Program Files\Intel\IDU\iptray.exe" [12/28/2006 06:07 PM]"LXCECATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [02/22/2007 05:17 AM]"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [05/17/2007 10:11 AM]"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [05/17/2007 10:13 AM]"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 02:57 PM]"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [09/20/2007 08:51 AM]"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [03/06/2007 12:21 PM]"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/22/2006 11:24 PM]"@"="" []"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [03/20/2007 04:40 PM]"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [11/14/2007 11:43 PM]"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM]"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 07:51 PM]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [08/03/2007 03:09 PM][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 07:34 AM]"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [10/23/2007 02:18 PM]C:\Users\mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [11/14/2007 5:57:59 PM]OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 4:45:42 AM]C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - C:\Windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [11/25/2007 2:04:44 PM]Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [10/23/2006 12:01:50 AM]HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [6/9/2004 2:27:34 PM]Wireless Sync Client.lnk - C:\Program Files\Wireless Sync\Client\Monitor.exe [8/24/2005 3:41:22 PM][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"=2 (0x2)"EnableLUA"=0 (0x0)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]"{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}"= C:\Windows\system32\fccyvvt.dll [ ][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]@="Driver"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]@="Driver"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]@="Volume shadow copy"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]@="IEEE 1394 Bus host controllers"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]@="SBP2 IEEE 1394 Devices"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]@="SecurityDevices"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12	Pml Driver HPZ12 Net Driver HPZ12*Newly Created Service* - LMIINFO*Newly Created Service* - LMIRFSDRIVER[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]C:\Windows\system32\unregmp2.exe /ShowWMP[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI-- End of Deckard's System Scanner: finished at 2008-01-14 10:14:42 ------------

Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Ultimate (build 6000)
Architecture _linenums:0'>Deckard's System Scanner v20071014.68Extra logfile - please post this as an attachment with your post.---------------------------------------------------------------------------------- System Information ----------------------------------------------------------Microsoft® Windows Vista™ Ultimate (build 6000)Architecture: X86; Language: EnglishCPU 0: Intel® Core(tm)2 Quad CPU Q6600 @ 2.40GHzPercentage of Memory in Use: 43%Physical Memory (total/avail): 3578.22 MiB / 2037.13 MiBPagefile Memory (total/avail): 7328.38 MiB / 4627.84 MiBVirtual Memory (total/avail): 2047.88 MiB / 1901.61 MiBC: is Fixed (NTFS) - 465.75 GiB total, 276.83 GiB free. D: is CDROM (No Media)E: is Fixed (NTFS) - 279.47 GiB total, 24.64 GiB free. F: is Removable (No Media)G: is Removable (No Media)H: is Removable (No Media)I: is Removable (No Media)J: is Removable (No Media)M: is CDROM (CDFS)Y: is Network (NTFS)Z: is Network (NTFS)\\.\PHYSICALDRIVE1 - Maxtor 7L300S0 - 279.47 GiB - 1 partition \PARTITION0 - Installable File System - 279.47 GiB - E:\\.\PHYSICALDRIVE0 - RAIDED1 - 465.75 GiB - 1 partition \PARTITION0 (bootable) - Installable File System - 465.75 GiB - C:\\.\PHYSICALDRIVE3 - Generic STORAGE DEVICE USB Device\\.\PHYSICALDRIVE4 - Generic STORAGE DEVICE USB Device\\.\PHYSICALDRIVE5 - Generic STORAGE DEVICE USB Device\\.\PHYSICALDRIVE6 - Generic STORAGE DEVICE USB Device\\.\PHYSICALDRIVE2 - Lexmark USB Mass Storage USB Device-- Security Center -------------------------------------------------------------AUOptions is set to notify before install.Windows Internal Firewall is disabled.FW: Norton AntiVirus v2007 (Symantec Corporation)AV: Norton AntiVirus v2007 (Symantec Corporation)AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) DisabledAS: Norton AntiVirus v2007 (Symantec Corporation) Outdated[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List][HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]-- Environment Variables -------------------------------------------------------ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\mark\AppData\RoamingCLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zipCommonProgramFiles=C:\Program Files\Common FilesCOMPUTERNAME=TOWERComSpec=C:\Windows\system32\cmd.exeCYGWIN=ttyFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Users\markJAVA_HOME=c:\program files\java\jdk1.6.0_03lib=C:\Program Files\SQLXML 4.0\bin\LOCALAPPDATA=C:\Users\mark\AppData\LocalLOGONSERVER=\\TOWERNUMBER_OF_PROCESSORS=4OS=Windows_NTPath=c:\program files\java\jdk1.6.0_03\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Diskeeper Corporation\Diskeeper\;C:\Program Files\OpenSSH\bin;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Common Files\Nero\Lib\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=0f0bProgramData=C:\ProgramDataProgramFiles=C:\Program FilesPROMPT=$P$GPUBLIC=C:\Users\PublicQTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zipSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\mark\AppData\Local\TempTMP=C:\Users\mark\AppData\Local\TempUSERDOMAIN=towerUSERNAME=markUSERPROFILE=C:\Users\markwindir=C:\Windows-- User Profiles ---------------------------------------------------------------mark (admin)IUSR_NMPR-- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER --> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL --> C:\Windows\UNNeroBackItUp.exe /UNINSTALL --> C:\Windows\UNNeroMediaHome.exe /UNINSTALL --> C:\Windows\UNNeroShowTime.exe /UNINSTALL --> C:\Windows\UNNeroVision.exe /UNINSTALL --> C:\Windows\UNRecode.exe /UNINSTALL --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095} --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{107254A0-0ADF-11D4-9397-00D0B7020B38}\setup.exe" 2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}Add or Remove Adobe Creative Suite 3 Web Premium --> C:\Program Files\Common Files\Adobe\Installers\247961ef275e20c5cb073c36394ac32\Setup.exeAdobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}Adobe BridgeTalk Plugin CS3 --> MsiExec.exe /I{B7F560B3-6EFF-4026-A982-843895A41149}Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}Adobe Contribute CS3 --> MsiExec.exe /I{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}Adobe Creative Suite 3 Web Premium --> MsiExec.exe /I{C347D234-93D8-4595-BDAA-C04638B23B48}Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}Adobe Dreamweaver CS3 --> MsiExec.exe /I{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}Adobe Extension Manager CS3 --> MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}Adobe Fireworks CS3 --> MsiExec.exe /I{7DFC1012-D346-46CE-B03E-FF79125AE029}Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exeAdobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exeAdobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}Adobe Illustrator CS3 --> MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A}Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}Adobe MotionPicture Color Files --> MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}Adobe Photoshop CS3 --> MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}Adobe Setup --> MsiExec.exe /I{6A5D1A94-624A-4D20-B178-3A283B500370}Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}Adobe Version Cue CS3 Server --> MsiExec.exe /I{1D58229F-C505-45CA-8223-F35F3A34B963}Adobe WAS CS3 --> MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}AHV content for Acrobat and Flash --> MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}Apache Tomcat 5.5 (remove only) --> "C:\Program Files\Apache Software Foundation\Tomcat 5.5\Uninstall.exe"AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}Aspell English Dictionary-0.50-2 --> "C:\Program Files\Aspell\unins001.exe"AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}Azureus Vuze --> C:\Program Files\Azureus\uninstall.execcCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}Combined Community Codec Pack 2007-07-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"Diskeeper Home --> MsiExec.exe /X{796E076A-82F7-4D49-98C8-DEC0C3BC733A}DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODECDivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADERDivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTERDivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYERDivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGINDolby Control Center Link --> MsiExec.exe /I{DCAF959E-BE84-4E56-91B1-3E962AED5BF4}eFax Messenger 4.3 --> C:\Program Files\eFax Messenger 4.3\Uninstall.exeGIMP 2.4.2 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"GNU Aspell 0.50-3 --> "C:\Program Files\Aspell\unins000.exe"GrabIt 1.6.2 Beta (build 940) --> "C:\Program Files\GrabIt\unins000.exe"GTK+ Runtime 2.12.1 rev a (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exeHijackThis 2.0.2 --> "C:\Users\mark\Desktop\HiJackThis\HijackThis.exe" /uninstallIntel® Desktop Utilities --> C:\Program Files\InstallShield Installation Information\{F5982296-84CC-4D5B-B791-B03650F3380E}\setup.exe -runfromtemp -l0x0409Intel® Management Engine Interface --> C:\Windows\system32\heciudlg.exe -uninstallIntel® Matrix Storage Manager --> C:\Windows\System32\Imsmudlg.exeIntel® PRO Network Connections 12.1.12.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1Intel® PRO Network Connections 12.1.12.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1Intel® SMBus --> C:\Windows\system32\ismbun.exe -uninstallIntel® Viiv(tm) Software --> MsiExec.exe /X{0DAA5653-60D4-44C1-AD10-EC7D4FA4D820} /qb!Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}iReport 2.0.3 --> C:\Program Files\JasperSoft\iReport-2.0.3\uninst.exeiTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}Java DB 10.2.2.0 --> MsiExec.exe /X{0ECB59D5-A3FC-4D61-AD3B-6CE679B3F852}Java(tm) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}Java(tm) SE Development Kit 6 Update 3 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160030}Lexmark 4300 Series --> C:\Program Files\Lexmark 4300 Series\Install\x86\Uninst.exeLiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /ULiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}LogMeIn --> MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}Magic ISO Maker v5.3 (build 0221) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOGMagicDisc 2.5.79 --> C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOGMicrosoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLLMicrosoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{91446211-CCEF-48E8-AECC-54114629CE4E}Microsoft SQL Server 2008 --> "C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\setup100.exe" /ACTION=uninstall /BOOTSTRAPACTION=BOOTSTRAPNOCU Microsoft SQL Server 2008 --> "C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\setup100.exe" /ACTION=uninstall /BOOTSTRAPACTION=BOOTSTRAPNOCU /SKU=DEV Microsoft SQL Server 2008 --> MsiExec.exe /I{8151C56C-5426-481C-96AF-F221FE1A10F2}Microsoft SQL Server 2008 Books Online --> MsiExec.exe /I{40CB3F61-5BF0-4340-BF9E-7E185861FB49}Microsoft SQL Server 2008 Browser --> MsiExec.exe /X{13183147-F211-4948-8D5B-8E893F7DD02F}Microsoft SQL Server 2008 Native Client --> MsiExec.exe /I{4C75D0B7-C30E-4EBD-B629-1263985B1A2A}Microsoft SQL Server 2008 Setup Support Files (English) --> MsiExec.exe /X{6C6439B7-B882-43C6-B306-4D51B8484837}Microsoft SQL Server 2008 Tools --> MsiExec.exe /I{433054F5-3929-426F-AE87-13666694365C}Microsoft SQL Server Compact 3.5 SP1 Beta ENU --> MsiExec.exe /I{2408C7B3-A3C2-4F95-B14F-92FC0EC1229D}Microsoft SQL Server Compact 3.5 SP1 Beta Management Tools ENU --> MsiExec.exe /I{DE1BCE47-F70D-4F8B-9F04-F9E637E45B99}Microsoft SQL Server VSS Writer --> MsiExec.exe /I{4BD48CCB-AACD-43CF-8C27-A9D9971DC9C5}Microsoft Visual Studio 2005 Tools for Applications - ENU --> MsiExec.exe /X{D481EA96-2313-4A7C-98EE-710D1AF884AC}Microsoft Visual Studio 2005 Tools for Applications - ENU --> MsiExec.exe /X{D481EA96-2313-4A7C-98EE-710D1AF884AC}Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exeMSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}Nero 8 --> MsiExec.exe /X{919635D1-5C0D-4B64-B724-BDDB31D11033}neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}NewsBin Pro V5 --> C:\Program Files\NewsBin\uninst.exeNorton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_2_0_29\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /XNorton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}OpenSSH for Windows (remove only) --> "C:\Program Files\OpenSSH\uninstall.exe"Palm --> MsiExec.exe /X{D2DEA1ED-F9D0-401D-9714-6FA8E89EF9D7}Pan --> MsiExec.exe /X{4030F0B2-FC38-4261-B242-E4377B583BDA}PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}Pidgin --> C:\Program Files\Pidgin\pidgin-uninst.exePuTTY version 0.60 --> "C:\Program Files\PuTTY\unins000.exe"QuickPar 0.9 --> C:\Program Files\QuickPar\uninst.exeQuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonlySophos Anti-Rootkit 1.3.1 --> C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe removeSPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}SQLXML4 --> MsiExec.exe /I{C6172BEC-7DB9-4657-BE94-0D070DA5F3A8}Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}TortoiseSVN 1.4.5.10425 (32 bit) --> MsiExec.exe /X{F4BBA950-56F0-4335-8D93-EE64BFF593A0}Update for Outlook 2007 Junk Email Filter (kb943597) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A751F0DB-8476-4207-956E-20AEBBA4B1DA}VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}Vim 7.1 (self-installing) --> C:\Program Files\Vim\vim71\uninstall-gui.exeWinAble --> "C:\Program Files\WinAble\winable.exe" -uninstallWinRAR archiver --> C:\Program Files\WinRAR\uninstall.exeWinSCP 4.0.5 --> "C:\Program Files\WinSCP\unins000.exe"Wireless Sync Client --> MsiExec.exe /X{5F20B339-A3E0-4DD5-8DF7-D5AB47894643}-- Application Event Log -------------------------------------------------------Event Record #/Type74279 / ErrorEvent Submitted/Written: 12/19/2007 02:41:08 PMEvent ID/Source: 1000 / Application ErrorEvent Description:Faulting application wmplayer.exe, version 11.0.6000.6344, time stamp 0x46e5f12e, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x08b7c530,process id 0xbb0, application start time 0xwmplayer.exe0.Event Record #/Type74239 / ErrorEvent Submitted/Written: 12/17/2007 11:40:18 PMEvent ID/Source: 1000 / Application ErrorEvent Description:Faulting application Explorer.EXE, version 6.0.6000.16549, time stamp 0x46d230c5, faulting module MSVCR80.dll, version 8.0.50727.762, time stamp 0x45712238, exception code 0xc000000d, fault offset 0x00008a8c,process id 0x98c, application start time 0xExplorer.EXE0.Event Record #/Type74207 / SuccessEvent Submitted/Written: 12/17/2007 00:02:29 PMEvent ID/Source: 5617 / WinMgmtEvent Description:Event Record #/Type74206 / SuccessEvent Submitted/Written: 12/17/2007 00:02:28 PMEvent ID/Source: 5615 / WinMgmtEvent Description:Event Record #/Type74182 / SuccessEvent Submitted/Written: 12/17/2007 00:02:12 PMEvent ID/Source: 902 / Software Licensing ServiceEvent Description:The Software Licensing service has started.-- Security Event Log ----------------------------------------------------------No Errors/Warnings found.-- System Event Log ------------------------------------------------------------Event Record #/Type8512 / WarningEvent Submitted/Written: 01/14/2008 03:02:45 AMEvent ID/Source: 4 / Client Side Rendering SpoolerEvent Description:The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.Event Record #/Type8511 / WarningEvent Submitted/Written: 01/14/2008 03:02:45 AMEvent ID/Source: 4 / Client Side Rendering SpoolerEvent Description:The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.Event Record #/Type8510 / WarningEvent Submitted/Written: 01/14/2008 02:09:17 AMEvent ID/Source: 36 / W32TimeEvent Description:The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.Event Record #/Type8505 / WarningEvent Submitted/Written: 01/13/2008 06:43:27 PMEvent ID/Source: 51 / cdromEvent Description:An error was detected on device \Device\CdRom0 during a paging operation.Event Record #/Type8504 / WarningEvent Submitted/Written: 01/13/2008 06:43:11 PMEvent ID/Source: 51 / cdromEvent Description:An error was detected on device \Device\CdRom0 during a paging operation.-- End of Deckard's System Scanner: finished at 2008-01-14 10:14:42 ------------


#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:06:44 PM

Posted 14 January 2008 - 04:13 PM

Hey Zebraman,

Step #1

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Azureus). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step #2

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\Windows\system32\qpqss.ini2
    C:\Windows\system32\qpqss.bak2
    C:\VundoFix.exe
    C:\VirtumundoBeGone.exe
    C:\Windows\system32\qpqss.bak1
    C:\Windows\system32\fccyvvt.dll
    
    Driver::
    VundoFixSvc
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}"=-
  • Save this as CFScript.txt

    Posted Image
  • Refering to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Step #3

Please do an online scan with Kaspersky Webscan (You need to use InternetExplorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button >> name it >> chose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Please post back with the ComboFix log and the Kaspersky Onlinescan. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#12 zebraman

zebraman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 15 January 2008 - 10:46 AM

Ok, just so you know, I posted the Deckard's right when it finished, and although I started the ESET, it didn't finish until late last night. Here are the results (I have not yet run the rest of your instructions).

While ESET found this Morph2020.exe infected file, I never execute anything out of that folder, so there still must be something else that either launches that ESET didn't remove.

[codebox]# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2790 (20080114)
# vers_arch_module=1.061 (20080110)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=407040f74886a74d9b4b9b513d643928
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-01-15 01:00:35
# local_time=2008-01-14 08:00:35 (-0500, Eastern Standard Time)
# country="United States"
# osver=6.0.6000 NT
# scanned=3216559
# found=6
# scan_time=34153
C:\Deckard\System Scanner\backup\Users\mark\AppData\Local\Temp\removalfile.bat Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
E:\Music\to_sort\muzak\incoming\Morph2020.exe multiple infiltrations (deleted) 00000000000000000000000000000000
E:\Music\to_sort\muzak\incoming\Morph2020.exe »WISE »IPinsight.EXE Win32/TrojanDownloader.Stubby.B trojan (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\Music\to_sort\muzak\incoming\Morph2020.exe »WISE »IPinsight.EXE »WISE »Sentry.exe Win32/TrojanDownloader.Stubby.B trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\Music\to_sort\muzak\incoming\Morph2020.exe »WISE »msc.exe a variant of Win32/Adware.WurldMedia application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
E:\Music\to_sort\muzak\incoming\Morph2020.exe »WISE »msc.exe »WISE »mbho.dll a variant of Win32/Adware.WurldMedia application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
[/codebox]

#13 zebraman

zebraman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 15 January 2008 - 11:17 AM

Ok, when I drag the CFScript.txt to ComboFix I get an "OutOfMemory" notice and then Vista says REG.EXE crashed
with the following:

Problem signature:  Problem Event Name:	APPCRASH  Application Name:	swreg.cfexe  Application Version:	2.0.1.11  Application Timestamp:	2a425e19  Fault Module Name:	ntdll.dll  Fault Module Version:	6.0.6000.16386  Fault Module Timestamp:	4549bdc9  Exception Code:	c0000005  Exception Offset:	00061f2a  OS Version:	6.0.6000.2.0.0.256.1  Locale ID:	1033  Additional Information 1:	463a  Additional Information 2:	f2c4e1da8b9f491e45e47fb1e59f486f  Additional Information 3:	1e38  Additional Information 4:	149386262ab6cef9a575f25e847fbb96Read our privacy statement:  [url="http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409"]http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409[/url]

I attempted to proceed anyways, and will let you know the outcome.

#14 zebraman

zebraman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:44 PM

Posted 15 January 2008 - 11:44 AM

Output of ComboFix (please note error in previous post):

ComboFix 08-01-15.4 - mark 2008-01-15 11:17:57.1 - NTFSx86Microsoft® Windows Vista™ Ultimate   6.0.6000.0.1252.1.1033.18.2042 [GMT -5:00]Running from: C:\Users\mark\Desktop\ComboFix.exeCommand switches used :: C:\Users\mark\Desktop\CFScript.txt * Created a new restore pointFILEC:\VirtumundoBeGone.exeC:\VundoFix.exeC:\Windows\system32\fccyvvt.dllC:\Windows\system32\qpqss.bak1C:\Windows\system32\qpqss.bak2C:\Windows\system32\qpqss.ini2.(((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))).C:\Program Files\TemporaryC:\Program Files\WinAbleC:\VirtumundoBeGone.exeC:\VundoFix.exeC:\Windows\System32\acyytlba.iniC:\Windows\System32\dohtkbrt.iniC:\Windows\System32\jxsugnfo.iniC:\Windows\System32\kvndbcku.iniC:\Windows\system32\mcrh.tmpC:\Windows\System32\qpqss.bak1C:\Windows\System32\qpqss.bak2C:\Windows\System32\qpqss.iniC:\Windows\System32\qpqss.ini2C:\Windows\System32\qpqss.tmpC:\Windows\System32\tfhitvpy.iniC:\Windows\System32\ynpasdgd.iniC:\Windows\System32\yogsucsy.ini.(((((((((((((((((((((((((((((((((((((((   Drivers/Services   ))))))))))))))))))))))))))))))))))))))))))))))))).-------\LEGACY_VUNDOFIXSVC-------\VundoFixSvc(((((((((((((((((((((((((   Files Created from 2007-12-15 to 2008-01-15  ))))))))))))))))))))))))))))))).2008-01-15 11:15 . 2000-08-31 08:00	51,200	--a------	C:\Windows\NirCmd.exe2008-01-14 10:20 . 2008-01-14 10:30	<DIR>	d--------	C:\Program Files\EsetOnlineScanner2008-01-14 10:06 . 2008-01-14 10:06	<DIR>	d--------	C:\Deckard2008-01-14 10:03 . 2008-01-14 10:03	<DIR>	d--------	C:\Users\mark\flexdock2008-01-08 16:31 . 2008-01-08 16:31	<DIR>	d--------	C:\Users\mark\.ireport2008-01-08 16:29 . 2008-01-08 16:29	<DIR>	d--------	C:\Program Files\JasperSoft2007-12-20 16:50 . 2007-12-20 16:51	<DIR>	d--------	C:\Users\mark\oldpalmsd2007-12-19 14:26 . 2007-12-19 14:26	<DIR>	d--------	C:\Program Files\Combined Community Codec Pack2007-12-18 16:22 . 2008-01-15 11:17	<DIR>	d--------	C:\Program Files\LogMeIn2007-12-18 16:22 . 2007-11-15 18:46	87,352	--a------	C:\Windows\System32\LMIinit.dll2007-12-18 16:22 . 2007-11-15 18:46	83,288	--a------	C:\Windows\System32\LMIRfsClientNP.dll2007-12-18 16:22 . 2007-08-03 15:09	46,112	--a------	C:\Windows\System32\drivers\LMIRfsDriver.sys2007-12-18 16:22 . 2007-11-15 18:46	21,496	--a------	C:\Windows\System32\LMIport.dll2007-12-18 16:22 . 2007-12-18 16:22	1,024	--a------	C:\.rnd2007-12-17 11:51 . 2007-12-17 11:51	<DIR>	d--------	C:\EbuDllTmpDir.((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-01-15 15:56	---------	d-----w	C:\Users\mark\AppData\Roaming\Azureus2008-01-15 05:25	---------	d-----w	C:\ProgramData\SyncClient2008-01-14 15:06	---------	d-----w	C:\Users\mark\AppData\Roaming\.purple2008-01-12 21:11	---------	d-----w	C:\Program Files\Azureus2008-01-08 19:39	---------	d-----w	C:\ProgramData\Microsoft Help2008-01-08 17:28	---------	d-----w	C:\Program Files\Lx_cats2007-12-17 16:51	---------	d--h--w	C:\Program Files\InstallShield Installation Information2007-12-17 16:51	---------	d-----w	C:\Program Files\Common Files\InstallShield2007-12-13 04:00	52,736	----a-w	C:\Windows\AppPatch\iebrshim.dll2007-12-13 03:52	84,992	----a-w	C:\Windows\system32\drivers\srvnet.sys2007-12-13 03:52	58,368	----a-w	C:\Windows\system32\drivers\mrxsmb20.sys2007-12-13 03:52	130,048	----a-w	C:\Windows\system32\drivers\srv2.sys2007-12-13 03:52	101,888	----a-w	C:\Windows\system32\drivers\mrxsmb.sys2007-12-11 02:20	---------	d-----w	C:\ProgramData\Symantec2007-12-11 01:30	---------	d-----w	C:\Program Files\Java2007-12-11 01:29	---------	d-----w	C:\Program Files\Sun2007-12-10 19:55	---------	d-----w	C:\Program Files\DivX2007-12-10 17:28	---------	d-----w	C:\Users\mark\AppData\Roaming\Symantec2007-12-09 18:49	---------	d-----w	C:\Users\mark\AppData\Roaming\IsolatedStorage2007-12-07 18:06	---------	d-----w	C:\Users\mark\AppData\Roaming\mtail2007-12-07 17:36	---------	d-----w	C:\Program Files\WinSCP2007-12-07 00:36	---------	d-----w	C:\Program Files\WinSCPPlus2007-12-06 23:31	370	----a-w	C:\registry_bak_2007-12-06.reg2007-12-06 23:06	---------	d-----w	C:\Program Files\Sophos2007-12-06 19:47	---------	d-----w	C:\Program Files\DAEMON Tools Pro2007-12-05 17:12	---------	d-----w	C:\Program Files\VideoLAN2007-12-05 16:15	---------	d-----w	C:\Program Files\Microsoft Analysis Services2007-12-05 16:14	---------	d-----w	C:\Program Files\Microsoft SQL Server2007-12-05 16:13	---------	d-----w	C:\Program Files\Microsoft Synchronization Services2007-12-05 16:12	---------	d-----w	C:\Program Files\Microsoft.NET2007-12-05 16:10	---------	d-----w	C:\Program Files\SQLXML 4.02007-12-05 16:09	---------	d-----w	C:\Program Files\Microsoft SQL Server Compact Edition2007-12-05 15:55	---------	d-----w	C:\Program Files\Norton AntiVirus2007-12-05 15:54	805	----a-w	C:\Windows\system32\drivers\SYMEVENT.INF2007-12-05 15:54	123,952	----a-w	C:\Windows\system32\drivers\SYMEVENT.SYS2007-12-05 15:54	10,740	----a-w	C:\Windows\system32\drivers\SYMEVENT.CAT2007-12-05 15:54	---------	d-----w	C:\Program Files\Symantec2007-12-04 22:59	0	----a-w	C:\ntuser.dat2007-12-01 04:57	43,696	----a-w	C:\Windows\system32\drivers\srtspx.sys2007-12-01 04:57	317,616	----a-w	C:\Windows\system32\drivers\srtspl.sys2007-12-01 04:57	279,088	----a-w	C:\Windows\system32\drivers\srtsp.sys2007-12-01 04:57	10,549	----a-w	C:\Windows\system32\drivers\srtspx.cat2007-12-01 04:57	10,549	----a-w	C:\Windows\system32\drivers\srtspl.cat2007-12-01 04:57	10,545	----a-w	C:\Windows\system32\drivers\srtsp.cat2007-12-01 04:57	1,430	----a-w	C:\Windows\system32\drivers\srtspl.inf2007-12-01 04:57	1,421	----a-w	C:\Windows\system32\drivers\srtspx.inf2007-12-01 04:57	1,415	----a-w	C:\Windows\system32\drivers\srtsp.inf2007-11-30 22:25	---------	d-----w	C:\Program Files\Common Files\Symantec Shared2007-11-29 01:04	---------	d-----w	C:\Program Files\Common Files\PX Storage Engine2007-11-29 01:02	---------	d-----w	C:\Users\mark\AppData\Roaming\DivX2007-11-29 01:00	---------	d-----w	C:\Users\mark\AppData\Roaming\Newsbin2007-11-29 00:44	---------	d-----w	C:\Program Files\QuickPar2007-11-29 00:06	---------	d-----w	C:\Program Files\NewsBin2007-11-28 18:58	---------	d-----w	C:\Program Files\GrabIt2007-11-27 00:29	---------	d-----w	C:\Program Files\Pan2007-11-26 20:37	---------	d-----w	C:\Program Files\BitLocker2007-11-26 20:36	---------	d-----w	C:\Program Files\Microsoft Games2007-11-26 15:09	---------	d-----w	C:\Users\mark\AppData\Roaming\Apple Computer2007-11-26 15:08	---------	d-----w	C:\ProgramData\Apple Computer2007-11-26 15:08	---------	d-----w	C:\Program Files\QuickTime2007-11-26 15:08	---------	d-----w	C:\Program Files\iTunes2007-11-26 15:08	---------	d-----w	C:\Program Files\iPod2007-11-26 15:05	---------	d-----w	C:\Program Files\Common Files\Apple2007-11-26 04:21	---------	d-----w	C:\Users\mark\AppData\Roaming\gtk-2.02007-11-26 02:35	---------	d-----w	C:\Program Files\OpenSSH2007-11-25 19:14	---------	d-----w	C:\ProgramData\FLEXnet2007-11-25 19:13	---------	d-----w	C:\Program Files\Common Files\Adobe2007-11-25 19:11	---------	d-----w	C:\ProgramData\ALM2007-11-25 18:57	---------	d-----w	C:\Program Files\Bonjour2007-11-25 18:54	---------	d-----w	C:\Program Files\Common Files\Macrovision Shared2007-11-25 18:29	---------	d-----w	C:\ProgramData\Apple2007-11-25 18:29	---------	d-----w	C:\Program Files\Apple Software Update2007-11-25 17:44	---------	d-----w	C:\Program Files\GIMP-2.02007-11-23 22:37	---------	d-----w	C:\Users\mark\AppData\Roaming\eFax Messenger2007-11-23 22:32	---------	d-----w	C:\ProgramData\eFax Messenger 4.3 Setup2007-11-23 22:32	---------	d-----w	C:\ProgramData\eFax Messenger 4.3 Output2007-11-23 22:32	---------	d-----w	C:\Program Files\eFax Messenger 4.32007-11-16 18:38	---------	d-----w	C:\Program Files\TortoiseSVN2007-11-15 19:52	---------	d-----w	C:\Program Files\Apache Software Foundation2007-11-15 17:44	---------	d-----w	C:\Program Files\Pidgin2007-11-15 17:44	---------	d-----w	C:\Program Files\Aspell2007-11-15 17:43	---------	d-----w	C:\Program Files\Common Files\GTK2007-11-15 03:05	---------	d-----w	C:\Program Files\Wireless Sync2007-11-15 02:13	---------	d-----w	C:\Users\mark\AppData\Roaming\Leadertech2007-11-15 02:13	---------	d-----w	C:\Program Files\Palm2007-11-15 02:06	---------	d-----w	C:\ProgramData\HotSync2007-11-15 02:04	53,248	----a-w	C:\Windows\PalmDevC.dll2007-11-15 02:04	16,694	----a-w	C:\Windows\system32\drivers\PalmUSBD.sys2007-11-15 02:04	---------	d-----w	C:\Users\mark\AppData\Roaming\HotSync2007-11-13 23:41	2,923,520	----a-w	C:\Windows\explorer.exe2007-11-13 22:18	174	--sha-w	C:\Program Files\desktop.ini2007-10-23 19:20	972,072	----a-w	C:\Windows\UNNeroMediaHome.exe2007-10-23 16:17	1,488,896	----a-w	C:\mtail.exe2007-10-22 13:51	972,072	----a-w	C:\Windows\UNRecode.exe.(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]@={30351346-7B7D-4FCC-81B4-1E394CA267EB}[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]@={30351347-7B7D-4FCC-81B4-1E394CA267EB}[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]@={30351348-7B7D-4FCC-81B4-1E394CA267EB}[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]2007-08-26 11:40	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]2007-08-26 11:40	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]2007-08-26 11:40	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]2007-08-26 11:40	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]2007-08-26 11:40	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]2007-08-26 11:40	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]2007-08-26 11:40	536576	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 14:18 202024][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-11 10:26 1006264]"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 13:00 174872]"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-04-06 14:07 439768]"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2007-04-06 14:11 215512]"SigmatelSysTrayApp"="sttray.exe" [2007-06-07 21:56 303104 C:\Windows\sttray.exe]"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-15 16:21 217176]"ipTray.exe"="C:\Program Files\Intel\IDU\iptray.exe" [2006-12-28 18:07 2242328]"LXCECATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2007-02-22 05:17 73728]"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2007-05-17 10:11 205744]"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2007-05-17 10:13 103344]"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51 1836328]"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21 116224]"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 15:09 63048]C:\Users\mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-11-14 17:57:59]OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42]C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - C:\Windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2007-11-25 14:04:44]Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50]HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]Wireless Sync Client.lnk - C:\Program Files\Wireless Sync\Client\Monitor.exe [2005-08-24 15:41:22][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"EnableLUA"= 0 (0x0)R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\IDS-DI~1\20080114.001\IDSvix86.sys [2007-11-06 16:58]R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2007-02-12 10:46]R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]R2 NMSCore;Intel® NMSCore;"C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe" [2007-04-06 14:07]R2 nmsunidr;UniDriver for NMS;C:\Windows\system32\DRIVERS\nmsunidr.sys [2007-02-18 20:34]R2 osaio;osaio;C:\Windows\system32\drivers\osaio.sys [2007-11-13 15:38]R2 QualityManager;Intel® Quality Manager;"C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe" [2007-04-06 14:10]R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-11-09 03:01]R3 IntelDH;IntelDH Driver;C:\Windows\system32\Drivers\IntelDH.sys [2007-11-13 14:56]R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]S2 OpenSSHd;OpenSSH Server;C:\Program Files\OpenSSH\bin\cygrunsrv.exe [2004-04-18 06:11]S3 DHTRACE;Intel® DHTrace Controller;C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-04-06 14:08]S3 Tomcat5;Apache Tomcat;"C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" [2007-08-24 18:35]S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2007-11-09 03:01]S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-10-26 13:45]S4 RsFx0100;RsFx0100 Driver;C:\Windows\system32\DRIVERS\RsFx0100.sys [2007-11-09 03:07][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12.Contents of the 'Scheduled Tasks' folder"2008-01-15 15:36:27 C:\Windows\Tasks\Norton AntiVirus - Run Full System Scan - mark.job"- C:\Program Files\Norton AntiVirus\Navw32.exeB/TASK:"2008-01-13 16:20:48 C:\Windows\Tasks\Norton AntiVirus - system32_scan - mark.job"- C:\Program Files\Norton AntiVirus\Navw32.exe"2008-01-15 07:39:09 C:\Windows\Tasks\User_Feed_Synchronization-{267AE884-F591-466F-977B-FE190516C2F1}.job"- C:\Windows\system32\msfeedssync.exe.**************************************************************************catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]Rootkit scan 2008-01-15 11:26:08Windows 6.0.6000  NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfully hidden files: 0 **************************************************************************.Completion time: 2008-01-15 11:33:05 - machine was rebootedComboFix-quarantined-files.txt  2008-01-15 16:33:02.2007-12-13 04:05:55	--- E O F ---

Also previously I removed these files:

C:\Windows\System32\qpqss.bak1
C:\Windows\System32\qpqss.bak2

by hand (multiple times) but the trojan/malware/virus/whatever kept bringing it back. It was funny, cuz NAV found the virus again (still reported as vundo) sometime on the 13th. Seems like he never wants to go away. Friend-for-life or something.

#15 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:06:44 PM

Posted 17 January 2008 - 12:45 PM

hey zebraman,

Step #1

Now please delete the following files and folders (NB: if you cannot find a file or folder that is just fine):

E:\Music\to_sort\muzak\incoming\Morph2020.exe
C:\Deckard\System Scanner\backup


Step #2

* Clean your Cache and Cookies in InternetExplorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step #3

Please do another scan with the NOD32 scanner.

Step #4

Please post back with another NOD32 Onlinescan. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users