Started As Vundo.b Infection, Now It's Just Taunting Me
10 replies to this topic

#1 MBLEIGH (Members, 5 posts)

Posted 01 May 2008 - 12:34 PM

I've been working for days trying to clean my box up and seem to get a little ways and then end up finding more. I've now decided to defer to the experts. I tried running dss, but when I double-click on the icon, it gets deleted from my desktop. I ran Malwarebytes and it found a bit and deleted it. I ran ComboFix and the log I received is below, as well as the HijackThis log.


ComboFix log:

ComboFix 08-04-29.5 - LEIU1I 2008-05-01 10:55:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1312 [GMT -4:00]
Running from: C:\Documents and Settings\LEIU1I\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\LEIU1I\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LEIU1I\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\IRqprXyb.ini
C:\WINDOWS\system32\IRqprXyb.ini2
C:\WINDOWS\system32\x64

----- BITS: Possible infected sites -----

hxxp://VPSMSVER1
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SZKG5
-------\Service_szkg5
-------\Legacy_ASBroker
-------\Service_ASBroker


((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-05-01 10:31 . 2008-05-01 10:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-01 10:31 . 2008-05-01 10:31 <DIR> d-------- C:\Documents and Settings\LEIU1I\Application Data\Malwarebytes
2008-05-01 10:31 . 2008-05-01 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-01 09:26 . 2008-05-01 09:26 244 --ah----- C:\sqmnoopt02.sqm
2008-05-01 09:26 . 2008-05-01 09:26 232 --ah----- C:\sqmdata02.sqm
2008-04-30 10:59 . 2008-04-30 10:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-30 10:59 . 2008-04-30 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 09:10 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-04-30 09:09 . 2004-08-03 23:32 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-04-30 09:08 . 2001-08-23 08:00 2,178,131 --a--c--- C:\WINDOWS\system32\dllcache\shvlres.dll
2008-04-30 09:07 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-04-30 09:06 . 2004-08-04 00:56 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-04-30 09:05 . 2001-08-23 08:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-04-30 09:04 . 2001-08-23 08:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-04-30 09:03 . 2001-08-23 08:00 471,102 --a--c--- C:\WINDOWS\system32\dllcache\imskdic.dll
2008-04-30 09:02 . 2001-08-23 08:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-30 09:01 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-04-30 09:00 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-04-30 08:59 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-04-30 08:58 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-04-30 08:57 . 2001-08-23 08:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-04-30 08:56 . 2001-08-17 14:05 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys
2008-04-30 08:55 . 2001-08-23 08:00 1,817,687 --a--c--- C:\WINDOWS\system32\dllcache\bckgres.dll
2008-04-30 08:54 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-04-30 08:53 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-04-30 08:52 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-04-30 08:51 . 2003-03-24 16:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
2008-04-30 08:51 . 2003-03-24 16:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\admin.exe
2008-04-28 13:05 . 2008-04-28 13:05 1,773 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Compaq 6910p (GH715AW#ABA)_YN_0U_QCND804140L_EU_46_I30BE_SHP_VKBC Version 68.32_B68MCU Ver. F.0A_T070913_WXP2_L409_M2008_J80_7Intel_8Core2 Duo T7300_91.99_#080428_N80861049_(GH715AW#ABA)_XMOBILE.MRK
2008-04-28 13:03 . 2002-10-15 11:13 32,356 --------- C:\WINDOWS\system32\pusbfd1.sys
2008-04-28 13:03 . 2002-10-15 11:13 26,629 --------- C:\WINDOWS\system32\pusbfd2.vxd
2008-04-28 13:02 . 2006-04-19 07:50 17,152 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-04-28 12:35 . 2008-04-28 12:35 268 --ah----- C:\sqmdata01.sqm
2008-04-28 12:35 . 2008-04-28 12:35 244 --ah----- C:\sqmnoopt01.sqm
2008-04-28 12:34 . 2008-04-28 13:50 <DIR> d-------- C:\Program Files\Microsoft Bootvis
2008-04-28 08:38 . 2008-04-28 08:38 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-28 08:38 . 2008-04-28 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 08:36 . 2008-04-28 08:37 9,722,720 --a------ C:\spybotsd152.exe
2008-04-28 08:19 . 2008-04-28 08:19 <DIR> d-------- C:\VundoFix Backups
2008-04-25 16:21 . 2008-04-25 16:21 268 --ah----- C:\sqmdata00.sqm
2008-04-25 16:21 . 2008-04-25 16:21 244 --ah----- C:\sqmnoopt00.sqm
2008-04-25 16:14 . 2008-04-25 16:20 <DIR> d-------- C:\Program Files\Windows Live
2008-04-25 16:14 . 2008-04-25 16:20 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-25 16:13 . 2008-04-25 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-25 13:33 . 2004-08-03 23:00 22,016 --a------ C:\WINDOWS\system32\drivers\MSIRCOMM.sys
2008-04-25 13:33 . 2004-08-03 23:00 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-04-25 13:12 . 2008-04-25 13:12 <DIR> d-------- C:\Program Files\STOPzilla!
2008-04-25 13:12 . 2008-04-25 13:12 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-04-25 13:12 . 2008-05-01 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-25 13:12 . 2008-05-01 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-25 10:38 . 2008-04-25 10:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-25 10:36 . 2008-04-28 13:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-25 10:36 . 2008-04-25 10:37 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-25 10:33 . 2008-04-25 10:33 491 --a------ C:\WINDOWS\iScreensaver.ini
2008-04-25 10:13 . 2008-04-29 16:11 <DIR> d-------- C:\temp
2008-04-25 09:59 . 2008-04-25 09:59 454,656 --a------ C:\putty.exe
2008-04-25 09:45 . 2008-04-25 11:16 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-04-25 09:43 . 2008-04-29 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-04-24 14:44 . 2008-04-24 15:49 <DIR> d-------- C:\Program Files\Flexense
2008-04-24 14:44 . 2008-04-24 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Flexense
2008-04-24 11:34 . 2008-04-24 11:34 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-23 09:07 . 2008-04-30 11:15 493 --a------ C:\users.csv
2008-04-23 08:44 . 2008-04-23 08:44 <DIR> d-------- C:\Program Files\HP
2008-04-23 08:32 . 2007-09-18 10:46 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2008-04-23 08:24 . 2008-04-28 13:03 <DIR> d-------- C:\SWSetup
2008-04-23 08:24 . 2007-09-18 11:15 147,456 --a------ C:\WINDOWS\system32\igfxCoIn_v4873.dll
2008-04-23 08:24 . 2007-09-18 11:08 104,636 --a------ C:\WINDOWS\system32\igmedcompkrn.dll
2008-04-23 08:07 . 2008-04-23 08:07 <DIR> d-------- C:\Documents and Settings\LEIU1I\Application Data\ICAClient
2008-04-22 22:00 . 2008-04-22 22:00 <DIR> d-------- C:\Program Files\Citrix
2008-04-22 22:00 . 2008-04-22 22:00 36 --a------ C:\WINDOWS\WEBICA.INI
2008-04-22 08:16 . 2008-04-22 08:16 <DIR> d-------- C:\Documents and Settings\LEIU1I\Application Data\Funk Software
2008-04-22 08:14 . 2008-04-22 08:14 <DIR> d-------- C:\Program Files\Funk Software
2008-04-22 08:14 . 2008-04-22 08:14 <DIR> d-------- C:\Program Files\Common Files\Funk Software
2008-04-22 08:14 . 2008-04-22 08:14 532,558 --a------ C:\WINDOWS\system32\odGinaLibrary.dll
2008-04-22 08:14 . 2008-04-22 08:14 139,330 --a------ C:\WINDOWS\system32\odyGina.dll
2008-04-22 08:14 . 2008-04-22 08:14 106,496 --a------ C:\WINDOWS\system32\odyEvent.dll
2008-04-22 08:14 . 2008-04-22 08:15 70 --a------ C:\WINDOWS\init.ini
2008-04-18 13:28 . 2007-02-23 06:51 1,062,400 --a------ C:\WBDEM44I.DLL
2008-04-18 13:28 . 2006-04-20 06:59 307,200 --a------ C:\wwwnt34i.dll
2008-04-18 13:28 . 2007-01-24 13:03 229,445 --a------ C:\wwads44i.dll
2008-04-18 13:28 . 2000-12-14 12:41 57,344 --a------ C:\adssecurity.dll
2008-04-18 13:25 . 2008-04-18 13:19 1,799,434 --a------ C:\Mitch.exe
2008-04-18 10:20 . 2008-04-30 11:15 45 --a------ C:\WINDOWS\wwwbatch.ini
2008-04-18 10:17 . 2008-04-18 10:17 <DIR> d-------- C:\Documents and Settings\LEIU1I\Application Data\WinBatch
2008-04-16 09:40 . 2008-04-16 09:40 <DIR> d-------- C:\Program Files\QuickTime
2008-04-16 09:35 . 2008-04-16 09:35 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-16 09:35 . 2008-04-16 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-03 14:42 . 2008-04-03 14:42 <DIR> d-------- C:\WINDOWS\system32\Inetsrv6
2008-04-03 14:42 . 2004-08-04 01:56 133,632 --a------ C:\WINDOWS\system32\iisrtl.dll
2008-04-03 14:42 . 2004-08-04 01:56 133,632 --a--c--- C:\WINDOWS\system32\dllcache\iisrtl.dll
2008-04-03 14:42 . 2004-08-04 01:56 13,312 --a------ C:\WINDOWS\system32\infoadmn.dll
2008-04-03 14:42 . 2004-08-04 01:56 13,312 --a--c--- C:\WINDOWS\system32\dllcache\infoadmn.dll
2008-04-03 14:42 . 2001-08-23 08:00 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
2008-04-03 14:42 . 2001-08-23 08:00 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll
2008-04-03 14:42 . 2001-08-23 08:00 5,632 --a------ C:\WINDOWS\system32\iisrstap.dll
2008-04-03 14:42 . 2001-08-23 08:00 5,632 --a--c--- C:\WINDOWS\system32\dllcache\iisrstap.dll
2008-04-03 14:41 . 2008-04-23 08:44 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-02 09:02 . 2008-04-02 09:02 <DIR> d-------- C:\Program Files\AdventNet
2008-04-01 15:34 . 2008-04-01 15:34 0 --a------ C:\WINDOWS\WB.ini
2008-04-01 08:27 . 2008-04-01 08:28 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-04-01 08:27 . 2002-01-05 07:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-04-01 08:27 . 2002-01-05 07:38 54,784 --a------ C:\WINDOWS\system32\msvci70.dll
2008-04-01 08:27 . 2000-10-20 01:05 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-01 08:25 . 2008-04-01 08:27 <DIR> d-------- C:\Program Files\Stardock
2008-04-01 08:25 . 2007-07-11 14:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-04-01 08:24 . 2008-04-01 08:24 <DIR> d-------- C:\Program Files\Object Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Credant
2008-04-28 17:16 8,972 ----a-w C:\WINDOWS\CEFE7fa.SchedLgU.Txt.TMP
2008-04-28 17:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-28 17:01 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-25 13:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-24 17:24 --------- d-----w C:\Program Files\EMC eLearning
2008-04-21 14:37 --------- d-----w C:\Program Files\Hyena
2008-04-16 13:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-27 17:19 --------- d-----w C:\Program Files\VisualCron 4
2008-03-21 12:58 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-21 12:58 --------- d-----w C:\Program Files\Ahead
2008-03-20 16:10 --------- d-----w C:\Program Files\AMB Software
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 13:55 --------- d-----w C:\Program Files\iET
2008-03-07 14:04 229,376 ----a-r C:\WINDOWS\system32\SZBase5.dll
2008-03-06 21:00 --------- d-----w C:\Documents and Settings\LEIU1I\Application Data\SystemTools
2008-03-06 19:47 --------- d-----w C:\Program Files\Microsoft Image Composer
2008-03-06 13:11 --------- d-----w C:\Documents and Settings\LEIU1I\Application Data\BitTorrent
2008-03-05 21:14 --------- d-----w C:\Program Files\CMAK
2008-03-03 18:16 33,920 ----a-r C:\WINDOWS\system32\drivers\SZKG.sys
2008-02-28 15:11 155,136 ----a-w C:\WINDOWS\system32\imapihp.exe
2008-02-22 18:52 126,976 ----a-r C:\WINDOWS\system32\IS3HTUI5.dll
2008-02-22 18:51 372,736 ----a-r C:\WINDOWS\system32\IS3UI5.dll
2008-02-22 18:51 364,544 ----a-r C:\WINDOWS\system32\IS3DBA5.dll
2008-02-22 18:50 61,440 ----a-r C:\WINDOWS\system32\IS3Hks5.dll
2008-02-22 18:50 23,040 ----a-r C:\WINDOWS\system32\IS3XDat5.dll
2008-02-22 18:50 192,512 ----a-r C:\WINDOWS\system32\IS3Win325.dll
2008-02-22 18:49 94,208 ----a-r C:\WINDOWS\system32\IS3Inet5.dll
2008-02-22 18:49 90,112 ----a-r C:\WINDOWS\system32\IS3Svc5.dll
2008-02-22 18:45 708,608 ----a-r C:\WINDOWS\system32\IS3Base5.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 20:34 60,808 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7019C3D-3408-4EC0-A717-66FFE876718D}]
C:\WINDOWS\system32\byXrpqRI.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CMGShieldUI"="C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe" [2007-04-25 16:41 356352]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 22:36 872448]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 10:47 159744]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2007-01-09 16:52 145184]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-12-20 12:54 137752]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [2005-04-11 11:08 1011775]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-12-20 12:54 141848]
"IFXSPMGT"="C:\WINDOWS\system32\ifxspmgt.exe" [2007-07-24 09:21 677144]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-12-20 12:54 166424]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 19:12 17920]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-02 13:41 115560]
"atchk"="C:\Program Files\Intel\AMT\atchk.exe" [2007-05-01 16:52 404248]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 14:58 184320]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-02-19 16:29:48 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DontDisplaylLastUsername"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll 2007-04-25 16:41 253952 C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
DeviceNP.dll 2007-06-08 10:04 49152 C:\WINDOWS\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 2008-04-22 08:14 106496 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-01-08 14:01 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll,wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2113169553-152591045-318601546-117381\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2113169553-152591045-318601546-8155\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Gossip Corporate Client"="C:\Program Files\Gossip Corporate Client\gcmcli.exe"
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"WatchDog"=C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mstsc.exe"=
"C:\\WINDOWS\\cluster\\cluadmin.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 CmgShieldCEF;CmgShieldCEF;C:\WINDOWS\system32\DRIVERS\CMGShCEF.sys [2007-04-25 16:32]
R0 CMGShieldReg;CMGShieldReg;C:\WINDOWS\system32\DRIVERS\CmgShREG.sys [2007-04-25 16:40]
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2007-08-14 18:59]
R0 SbAlg;SbAlg;C:\WINDOWS\system32\drivers\SbAlg.sys [2006-10-09 14:31]
R0 SbFsLock;SbFsLock;C:\WINDOWS\system32\drivers\SbFsLock.sys [2007-06-14 17:22]
R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2007-07-24 09:21]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-08-14 18:59]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:56]
R2 atchksrv;Intel® Active Management Technology System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe [2007-05-01 16:52]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 02:50]
R2 CMGShield;CMGShield;C:\WINDOWS\system32\CmgShieldSvc.exe [2007-04-25 16:38]
R2 HpFkCryptService;Drive Encryption Service;"C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe" [2007-09-06 14:26]
R2 LMS;Intel® Active Management Technology Local Management Service;C:\Program Files\Intel\AMT\LMS.exe [2007-05-01 16:52]
R2 ShelLoad;ShelLoad;c:\Windows\System32\SHELLOAD.EXE [2007-12-11 13:02]
R2 UNS;Intel® Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [2007-05-01 16:52]
R2 WGX;Extend WG Protocol Driver;C:\WINDOWS\system32\Drivers\WGX.SYS [2007-10-02 13:41]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2006-01-09 21:37]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-07-24 09:21]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-01-09 21:37]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2005-04-11 09:17]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 02:50]
R3 rismc32;RICOH Smart Card Reader;C:\WINDOWS\system32\DRIVERS\rismc32.sys [2006-12-20 01:08]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-10-02 13:40]
S3 DAMDrv;DAMDrv;C:\WINDOWS\system32\DRIVERS\DAMDrv.sys [2007-06-08 09:49]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\WINDOWS\system32\flcdlock.exe [2007-06-08 10:06]
S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 11:46]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-01-09 21:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

.
Contents of the 'Scheduled Tasks' folder
"2008-05-01 04:00:01 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 13:07:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\LEIU1I\LOCALS~1\Temp\CredDB.CEF 64654 bytes
C:\WINDOWS\TEMP\CredDB.CEF 592 bytes
C:\CredDB.CEF 1776 bytes
C:\WINDOWS\CredDB.CEF 1480 bytes
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\CredDB.CEF 4736 bytes
C:\WINDOWS\Downloaded Program Files\CredDB.CEF 5624 bytes
C:\Documents and Settings\LEIU1I\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\hpqLog\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\resources.imeem.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\a744.g.akamai.net\6\744\582\000\images.hollywood.com\site\playback.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\assets.invitemedia.com\tags\rev64827\wrapper.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\bin.clearspring.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\crackle.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\ellen.warnerbros.com\swf\telepix_miniplayer.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\flash.quantserve.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\flickr.com\slideShow\slideShow.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\images.amazon.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\interclick.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\l.yimg.com\cosmos.bcst.yahoo.com\ver\256.0\popup-2008-01-23-1334\swf\POP_meta.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\l.yimg.com\cosmos.bcst.yahoo.com\ver\260.0\popup-2008-03-20-0932\swf\POP_meta.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\l.yimg.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\localhost\Program Files\EMC eLearning\Celerra Features and Functions - Self Study\player\playershell.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\localhost\Program Files\EMC eLearning\Celerra Fundamentals - SelfStudy\player\playershell.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\localhost\Program Files\EMC eLearning\Celerra NSX Architectural Overview - Self Study\player\playershell.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\scene7.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\scene7.com\is-viewers352a\flash\genericzoom.swf\#WalMart\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\suitesmart.com\_f5e.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\video.redorbit.com\VideoPlayer\redorbitVideoPlayer.swf\CredDB.CEF 592 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\www.dailymotion.com\flash\dmplayer\dmplayer.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\www.hulu.com\playerembed.swf\CredDB.CEF 592 bytes
C:\Documents and Settings\LEIU1I\Local Settings\Application Data\Apple Computer\QuickTime\downloads\04\05\CredDB.CEF 314 bytes
C:\Documents and Settings\LEIU1I\Local Settings\Application Data\CredDB.CEF 1498 bytes
C:\Documents and Settings\LEIU1I\Local Settings\Application Data\Identities\{2DB46FFE-3EE6-4A33-9276-95D51751E1D7}\Microsoft\Outlook Express\CredDB.CEF 3852 bytes
C:\Documents and Settings\LEIU1I\Local Settings\Application Data\Microsoft\Internet Explorer\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Local Settings\Application Data\Microsoft\Media Player\CredDB.CEF 592 bytes
C:\Documents and Settings\LEIU1I\Local Settings\Application Data\Microsoft\OFFICE\ONetConfig\CredDB.CEF 1224 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\www.nokiausa.com\resfnc\phonegallery.swf\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\www.vw.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\www.vw.com\global\shell\swf\shell.swf\CredDB.CEF 592 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\www.youtube.com\CredDB.CEF 888 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\#SharedObjects\EA32W33Z\youtube.com\CredDB.CEF 592 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#a744.g.akamai.net\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#assets.invitemedia.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#ellen.warnerbros.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flash.quantserve.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flickr.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#images.amazon.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#l.yimg.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#resources.imeem.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#scene7.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#suitesmart.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.redorbit.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#wp.vizu.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.dailymotion.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.hulu.com\CredDB.CEF 592 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.nokiausa.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.vw.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youtube.com\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#youtube.com\CredDB.CEF 296 bytes
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
C:\Documents and Settings\LEIU1I\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\CredDB.CEF 298 bytes
C:\Documents and Settings\LEIU1I\Application Data\Microsoft\Internet Explorer\CredDB.CEF 592 bytes
C:\Documents and Settings\LEIU1I\Application Data\Microsoft\Internet Explorer\Quick Launch\CredDB.CEF 5032 bytes
C:\Documents and Settings\LEIU1I\Application Data\Microsoft\Access\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Microsoft\Office\CredDB.CEF 1776 bytes
C:\Documents and Settings\LEIU1I\Application Data\Microsoft\Office\Recent\CredDB.CEF 19238 bytes
C:\Documents and Settings\LEIU1I\Application Data\Microsoft\Templates\CCHMC\CredDB.CEF 1184 bytes
C:\Documents and Settings\LEIU1I\Application Data\Microsoft\Templates\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Microsoft Robocopy GUI\Documents\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\CredDB.CEF 5616 bytes
C:\Documents and Settings\LEIU1I\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\CredDB.CEF 45116 bytes
C:\Documents and Settings\LEIU1I\Application Data\Sun\Java\Deployment\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Sun\Java\Deployment\log\CredDB.CEF 296 bytes
C:\Documents and Settings\LEIU1I\Application Data\Sun\Java\Deployment\security\CredDB.CEF 592 bytes
C:\Program Files\Common Files\Adobe\Help\en_US\Adobe Reader\8.0\CredDB.CEF 296 bytes
C:\Program Files\Common Files\Adobe\TypeSpt\Unicode\Mappings\Adobe\CredDB.CEF 592 bytes
C:\Program Files\Common Files\Adobe\TypeSpt\Unicode\Mappings\Mac\CredDB.CEF 3256 bytes
C:\Program Files\Common Files\Adobe\TypeSpt\Unicode\Mappings\win\CredDB.CEF 2072 bytes
C:\Program Files\Common Files\Microsoft Shared\Snapshot Viewer\CredDB.CEF 296 bytes
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070820.048\CredDB.CEF 888 bytes
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080426.017\CredDB.CEF 888 bytes
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080430.049\CredDB.CEF 888 bytes
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub\CredDB.CEF 888 bytes
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp17c2.tmp\CredDB.CEF 888 bytes
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp2234.tmp\CredDB.CEF 888 bytes

scan completed successfully
hidden files: 89

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\szkg5]
"ImagePath"="system32\drivers\szkg.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\IfxPsdSv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-01 13:09:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-01 17:09:22

Pre-Run: 60,968,517,632 bytes free
Post-Run: 60,964,315,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

433 --- E O F --- 2008-03-31 11:45:40

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:33 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\IfxPsdSv.exe
c:\Windows\System32\SHELLOAD.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\mmc.exe
C:\Novell\GroupWise\grpwise.exe
C:\Novell\GroupWise\Notify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D7019C3D-3408-4EC0-A717-66FFE876718D} - C:\WINDOWS\system32\byXrpqRI.dll (file missing)
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [CMGShieldUI] C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IFXSPMGT] C:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - .DEFAULT User Startup: SetDisplay.cmd (User 'Default user')
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://CenterLink
O15 - Trusted Zone: http://www11.smed.com
O15 - Trusted Zone: http://www11.smed.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188573183576
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188573178091
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://10.1.32.70/amI/install/msxml4.cab
O16 - DPF: {895E51DC-866E-4090-AC7C-B557FBD29823} (AMI Pictorial Control CWeb 2.1 SPa01) - http://pacsweb/ami/install/amiviewer.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - http://10.1.32.70/amI/install/amiviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chmccorp.cchmc.org
O17 - HKLM\Software\..\Telephony: DomainName = chmccorp.cchmc.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chmccorp.cchmc.org
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = chmccorp.cchmc.org
O20 - AppInit_DLLs: APSHook.dll,wbsys.dll
O20 - Winlogon Notify: CMGShieldNP - C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
O20 - Winlogon Notify: DeviceNP - C:\WINDOWS\SYSTEM32\DeviceNP.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CMGShield - Credant Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: ShelLoad - Symantec Corporation - c:\Windows\System32\SHELLOAD.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 11247 bytes

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:50 PM

Posted 02 May 2008 - 08:51 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
Please post the contents of the log from Dr.Web and a new ComboFix log in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 MBLEIGH

MBLEIGH
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:50 PM

Posted 02 May 2008 - 09:52 AM

Thanks Buckeye Sam. Unfortunately, I was not able to run Dr. Web CureIt. It crashed every time I tried. I even tried rebooting in safe mode to run it and it would not. :thumbsup:

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:50 PM

Posted 02 May 2008 - 10:04 AM

Let's try this then.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.


#5 MBLEIGH

MBLEIGH
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:50 PM

Posted 02 May 2008 - 11:20 AM

Here's the report.

Scanning Report
Friday, May 02, 2008 11:17:59 - 12:19:13
Computer name: P08-7148
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 2 malware found
RiskTool.Win32.HideWindows (spyware)
System
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 37358
System: 3903
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SAFEBOOT.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{4E45DAA6-E92F-4A4A-8955-114B1EE75E85}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Blacklight: 1.0.64
F-Secure Hydra: 2.8.8110, 2008-05-02
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure AVP: 7.0.171, 2008-05-02
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:50 PM

Posted 03 May 2008 - 07:27 AM

Run HijackThis again, click Scan, and put a checkmark next to the line listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {D7019C3D-3408-4EC0-A717-66FFE876718D} - C:\WINDOWS\system32\byXrpqRI.dll (file missing)


Reboot and post a new log from DSS.
Give me an update on any current issues that you are having.

#7 MBLEIGH

MBLEIGH
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:50 PM

Posted 06 May 2008 - 07:59 AM

OK, I finally got DSS to run. Turns out STOPzilla was classifying it as malware and deleting the executable. I stopped it and ran DSS after deleting the line you requested I remove via HijackThis. Here is my log.



Deckard's System Scanner v20071014.68
Run by LEIU1I on 2008-05-06 08:52:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
123: 2008-05-06 12:52:17 UTC - RP161 - Deckard's System Scanner Restore Point
122: 2008-05-01 18:30:57 UTC - RP160 - Installed SUPERAntiSpyware Free Edition
121: 2008-05-01 18:27:31 UTC - RP159 - Installed Java™ 6 Update 6
120: 2008-05-01 18:16:04 UTC - RP158 - Removed J2SE Runtime Environment 5.0 Update 6
119: 2008-05-01 14:52:08 UTC - RP157 - ComboFix created restore point


-- First Restore Point --
1: 2008-04-25 13:27:00 UTC - RP39 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as LEIU1I.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:51 AM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Credant\CMG Shield\CMGShieldSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\IfxPsdSv.exe
c:\Windows\System32\SHELLOAD.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\LEIU1I\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\LEIU1I.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [CMGShieldUI] C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IFXSPMGT] C:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: SetDisplay.cmd (User 'Default user')
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://CenterLink
O15 - Trusted Zone: http://www11.smed.com
O15 - Trusted Zone: http://www11.smed.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188573183576
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188573178091
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://10.1.32.70/amI/install/msxml4.cab
O16 - DPF: {895E51DC-866E-4090-AC7C-B557FBD29823} (AMI Pictorial Control CWeb 2.1 SPa01) - http://pacsweb/ami/install/amiviewer.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D98F5BFB-D1E2-428F-B415-64DE948DE12D} (AMI Pictorial Control CWeb 2.0) - http://10.1.32.70/amI/install/amiviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chmccorp.cchmc.org
O17 - HKLM\Software\..\Telephony: DomainName = chmccorp.cchmc.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chmccorp.cchmc.org
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = chmccorp.cchmc.org
O20 - AppInit_DLLs: APSHook.dll,wbsys.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: CMGShieldNP - C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll
O20 - Winlogon Notify: DeviceNP - C:\WINDOWS\SYSTEM32\DeviceNP.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CMG Shield (CMGShield) - Credant Technologies, Inc. - C:\Program Files\Credant\CMG Shield\CMGShieldSvc.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: ShelLoad - Symantec Corporation - c:\Windows\System32\SHELLOAD.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 11423 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080506-081603-994 O2 - BHO: (no name) - {D7019C3D-3408-4EC0-A717-66FFE876718D} - C:\WINDOWS\system32\byXrpqRI.dll (file missing)

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.inf - inffile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.txt - txtfile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Carbonite\Carbon-ite Icon 53.ico,0


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 CmgShieldCEF - c:\windows\system32\drivers\cmgshcef.sys <Not Verified; Credant Technologies, Inc.; Mobile Guardian Shield>
R0 CMGShieldReg - c:\windows\system32\drivers\cmgshreg.sys <Not Verified; Credant Technologies, Inc.; Mobile Guardian Shield>
R0 SafeBoot - c:\windows\system32\drivers\safeboot.sys
R0 SbAlg - c:\windows\system32\drivers\sbalg.sys <Not Verified; SafeBoot N.V.; SafeBoot Security System>
R0 SysPlant (SysPlant for NT) - c:\windows\system32\drivers\sysplant.sys <Not Verified; Symantec Corporation; Symantec CMC Firewall>
R0 szkg5 - c:\windows\system32\drivers\szkg.sys <Not Verified; iS3 Inc.; Stopzilla>
R1 RsvLock - c:\windows\system32\drivers\rsvlock.sys <Not Verified; SafeBoot International; SafeBoot Security System>
R3 Eacfilt (Eacfilt Miniport) - c:\windows\system32\drivers\eacfilt.sys <Not Verified; Nortel Networks; Filter Driver for CVC>
R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 IPSECEXT (Nortel Extranet Access Protocol) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>
S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys (file missing)
S4 vsdatant - a (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CMGShield (CMG Shield) - c:\program files\credant\cmg shield\cmgshieldsvc.exe <Not Verified; Credant Technologies, Inc.; Mobile Guardian Shield>
R2 HpFkCryptService (Drive Encryption Service) - "c:\program files\hewlett-packard\drive encryption\hpfkcrypt.exe" <Not Verified; SafeBoot International; HP ProtectTools>
R2 ShelLoad - c:\windows\system32\shelload.exe <Not Verified; Symantec Corporation; Symantec Shelload>
R3 odClientService (Odyssey Client) - "c:\program files\funk software\odyssey client\odclientservice.exe" <Not Verified; Funk Software, Inc.; Odyssey>

S2 szserver (STOPzilla Service) - "c:\program files\common files\is3\anti-spyware\szserver.exe" <Not Verified; iS3, Inc.; STOPzilla>
S3 FLCDLOCK (HP ProtectTools Device Locking / Auditing) - c:\windows\system32\flcdlock.exe <Not Verified; Hewlett-Packard Ltd; Device Access Manager>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-02 00:00:00 330 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-04-06 and 2008-05-06 -----------------------------

2008-05-02 11:14:35 0 d-------- C:\fsaua.data
2008-05-02 10:23:25 0 d-------- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
2008-05-02 10:23:17 0 d-------- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2008-05-02 10:20:37 0 d--h----- C:\Documents and Settings\Admin\Templates
2008-05-02 10:20:37 0 dr------- C:\Documents and Settings\Admin\Start Menu
2008-05-02 10:20:37 0 dr-h----- C:\Documents and Settings\Admin\SendTo
2008-05-02 10:20:37 0 d--h----- C:\Documents and Settings\Admin\Recent
2008-05-02 10:20:37 0 d--h----- C:\Documents and Settings\Admin\PrintHood
2008-05-02 10:20:37 786432 --ah----- C:\Documents and Settings\Admin\NTUSER.DAT
2008-05-02 10:20:37 0 d--h----- C:\Documents and Settings\Admin\NetHood
2008-05-02 10:20:37 0 d-------- C:\Documents and Settings\Admin\My Documents
2008-05-02 10:20:37 0 d--h----- C:\Documents and Settings\Admin\Local Settings
2008-05-02 10:20:37 0 d-------- C:\Documents and Settings\Admin\Favorites
2008-05-02 10:20:37 0 d-------- C:\Documents and Settings\Admin\Desktop
2008-05-02 10:20:37 0 d---s---- C:\Documents and Settings\Admin\Cookies
2008-05-02 10:20:37 0 dr-h----- C:\Documents and Settings\Admin\Application Data
2008-05-02 10:20:37 0 d---s---- C:\Documents and Settings\Admin\Application Data\Microsoft
2008-05-02 10:20:37 0 d-------- C:\Documents and Settings\Admin\Application Data\Identities
2008-05-02 10:03:49 0 d-------- C:\Documents and Settings\LEIU1I\DoctorWeb
2008-05-01 14:31:25 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-01 14:31:00 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-01 14:31:00 0 d-------- C:\Documents and Settings\LEIU1I\Application Data\SUPERAntiSpyware.com
2008-05-01 14:27:38 0 d-------- C:\Program Files\Common Files\Java
2008-05-01 14:08:53 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 13:28:12 0 d-------- C:\Program Files\Trend Micro
2008-05-01 10:54:32 0 d-------- C:\cmdcons
2008-05-01 10:51:29 68096 --a------ C:\WINDOWS\zip.exe
2008-05-01 10:51:29 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-01 10:51:29 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-01 10:51:29 98816 --a------ C:\WINDOWS\sed.exe
2008-05-01 10:51:29 80412 --a------ C:\WINDOWS\grep.exe
2008-05-01 10:51:29 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-01 10:51:28 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-01 10:51:28 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-01 10:31:59 0 d-------- C:\Documents and Settings\LEIU1I\Application Data\Malwarebytes
2008-05-01 10:31:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-01 10:31:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-30 10:59:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-30 10:59:55 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 13:03:15 32356 -----n--- C:\WINDOWS\system32\pusbfd1.sys <Not Verified; Phoenix Technologies K.K.; USB FDD DRIVER>
2008-04-28 12:34:21 0 d-------- C:\Program Files\Microsoft Bootvis
2008-04-28 08:38:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-28 08:19:32 0 d-------- C:\VundoFix Backups
2008-04-25 16:14:11 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-25 16:14:01 0 d-------- C:\Program Files\Windows Live
2008-04-25 16:13:46 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-25 13:12:44 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-25 13:12:22 0 d-------- C:\Program Files\STOPzilla!
2008-04-25 13:12:21 0 d-------- C:\Program Files\Common Files\iS3
2008-04-25 13:12:20 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-25 11:42:28 0 d-------- C:\WINDOWS\pss
2008-04-25 10:38:39 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-25 10:36:51 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-25 10:36:51 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-25 10:13:15 0 d-------- C:\temp
2008-04-25 09:59:09 454656 --a------ C:\putty.exe <Not Verified; Simon Tatham; PuTTY suite>
2008-04-25 09:45:16 0 d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-04-25 09:43:31 0 d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-04-24 14:44:49 0 d-------- C:\Program Files\Flexense
2008-04-24 14:44:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Flexense
2008-04-23 08:44:32 0 d-------- C:\Program Files\HP
2008-04-23 08:24:43 0 d-------- C:\SWSetup
2008-04-23 08:07:31 0 d-------- C:\Documents and Settings\LEIU1I\Application Data\ICAClient
2008-04-22 22:00:12 0 d-------- C:\Program Files\Citrix
2008-04-22 08:16:57 0 d-------- C:\Documents and Settings\LEIU1I\Application Data\Funk Software
2008-04-22 08:14:59 139330 --a------ C:\WINDOWS\system32\odyGina.dll <Not Verified; Funk Software, Inc.; Odyssey>
2008-04-22 08:14:58 106496 --a------ C:\WINDOWS\system32\odyEvent.dll <Not Verified; Funk Software, Inc.; Odyssey>
2008-04-22 08:14:58 532558 --a------ C:\WINDOWS\system32\odGinaLibrary.dll <Not Verified; Funk Software, Inc.; Odyssey>
2008-04-22 08:14:15 0 d-------- C:\Program Files\Funk Software
2008-04-22 08:14:15 0 d-------- C:\Program Files\Common Files\Funk Software
2008-04-18 13:28:20 307200 --a------ C:\wwwnt34i.dll <Not Verified; Wilson WindowWare, Inc.; WIL Windows NT Extender DLL>
2008-04-18 13:28:20 229445 --a------ C:\wwads44i.dll <Not Verified; Wilson WindowWare, Inc.; Wilson WindowWare ADSI Extender>
2008-04-18 13:28:20 1062400 --a------ C:\WBDEM44I.DLL <Not Verified; Wilson WindowWare, Inc.; WIL DLL>
2008-04-18 13:28:20 57344 --a------ C:\adssecurity.dll <Not Verified; ; ADsSecurity Module>
2008-04-18 13:25:19 1799434 --a------ C:\Mitch.exe <Not Verified; ; Mitch>
2008-04-18 10:17:52 0 d-------- C:\Documents and Settings\LEIU1I\Application Data\WinBatch
2008-04-16 09:40:05 0 d-------- C:\Program Files\QuickTime
2008-04-16 09:35:53 0 d-------- C:\Program Files\Apple Software Update
2008-04-16 09:35:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-05-01 14:29:07 0 d-------- C:\Program Files\Java
2008-05-01 14:27:38 0 d-------- C:\Program Files\Common Files
2008-04-28 13:01:17 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-28 13:01:17 0 d-------- C:\Program Files\Hewlett-Packard
2008-04-24 13:24:28 0 d-------- C:\Program Files\EMC eLearning
2008-04-21 10:37:55 0 d-------- C:\Program Files\Hyena
2008-04-02 09:02:47 0 d-------- C:\Program Files\AdventNet
2008-04-01 08:28:15 0 d-------- C:\Program Files\Common Files\Stardock
2008-04-01 08:27:06 0 d-------- C:\Program Files\Stardock
2008-04-01 08:24:28 0 d-------- C:\Program Files\Object Desktop
2008-03-27 13:19:30 0 d-------- C:\Program Files\VisualCron 4
2008-03-21 08:58:14 0 d-------- C:\Program Files\Ahead
2008-03-21 08:58:12 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-20 12:10:34 0 d-------- C:\Program Files\AMB Software
2008-03-18 09:55:37 0 d-------- C:\Program Files\iET
2008-03-10 07:45:26 0 d-------- C:\Documents and Settings\LEIU1I\Application Data\Adobe
2008-03-07 10:04:34 229376 -ra------ C:\WINDOWS\system32\SZBase5.dll <Not Verified; iS3, Inc.; STOPzilla>
2008-03-06 17:00:10 0 d-------- C:\Documents and Settings\LEIU1I\Application Data\SystemTools
2008-03-06 15:47:57 0 d-------- C:\Program Files\Microsoft Image Composer
2008-03-06 15:47:57 0 d-------- C:\Documents and Settings\LEIU1I\Application Data\Help
2008-03-06 09:11:37 0 d-------- C:\Documents and Settings\LEIU1I\Application Data\BitTorrent
2008-02-28 11:11:02 155136 --a------ C:\WINDOWS\system32\imapihp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-22 14:52:04 126976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:51:56 364544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:51:12 372736 -ra------ C:\WINDOWS\system32\IS3UI5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:50:54 61440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:50:32 23040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:50:12 192512 -ra------ C:\WINDOWS\system32\IS3Win325.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:49:34 94208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:49:18 90112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>
2008-02-22 14:45:46 708608 -ra------ C:\WINDOWS\system32\IS3Base5.dll <Not Verified; iS3, Inc.; iS3 Common Libraries>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CMGShieldUI"="C:\Program Files\Credant\CMG Shield\CMGShieldUI.exe" [04/25/2007 04:41 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/15/2007 02:29 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [01/05/2007 10:36 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [05/07/2007 10:47 AM]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [01/09/2007 04:52 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [12/20/2007 12:54 PM]
"OdTray.exe"="C:\Program Files\Funk Software\Odyssey Client\OdTray.exe" [04/11/2005 11:08 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 05:50 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [07/27/2004 05:50 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [12/20/2007 12:54 PM]
"IFXSPMGT"="C:\WINDOWS\system32\ifxspmgt.exe" [07/24/2007 09:21 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [12/20/2007 12:54 PM]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [12/22/2003 07:12 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/02/2007 01:41 PM]
"atchk"="C:\Program Files\Intel\AMT\atchk.exe" [05/01/2007 04:52 PM]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [03/31/2006 02:58 PM]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [04/07/2008 08:17 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2/19/2008 4:29:48 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DontDisplaylLastUsername"=1 (0x1)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CMGShieldNP]
C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll 04/25/2007 04:41 PM 253952 C:\Program Files\Credant\CMG Shield\CMGShieldNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
DeviceNP.dll 06/08/2007 10:04 AM 49152 C:\WINDOWS\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
odyEvent.dll 04/22/2008 08:14 AM 106496 C:\WINDOWS\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 01/08/2008 02:01 PM 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=APSHook.dll,wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2113169553-152591045-318601546-117381\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2113169553-152591045-318601546-8155\Scripts\Logon\0\0]
"Script"=login.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Gossip Corporate Client"="C:\Program Files\Gossip Corporate Client\gcmcli.exe"
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"WatchDog"=C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance ASBroker ASChannel




-- End of Deckard's System Scanner: finished at 2008-05-06 08:55:25 ------------

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 May 2008 - 10:22 AM

Stopzilla huh? I'll have to remember that one.

Your logs look pretty good. How are things working for you now? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 MBLEIGH

MBLEIGH
  • Topic Starter

  • Members
  • 5 posts

Posted 07 May 2008 - 03:34 PM

Boot up is still a little sluggish.

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 May 2008 - 04:57 PM

Not surprising. You do have some pigs in your startup that you don't need.
If you are using Stopzilla as your real-time protection for spyware, then don't run SUPERAntiSpyware or Malwarebytes in the background also. Those programs are great to run manually as needed, but having all three running at the same time is just overkill and it's bogging you down.

Here are a few others that you don't need running either. Fix these with HijackThis if you want to control that.

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe



Reboot and you should notice a difference.




========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 June 2008 - 07:43 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.




========================================================



