Virtumonde Problem


  • This topic is locked
23 replies to this topic

#1 IanD11


  • Members
  • 12 posts

Posted 14 May 2008 - 01:46 AM

Hi,

I have managed to pick up some viruses and spyware. I have downloaded several removers but it keeps coming back.

I believe it is called virtumonde.dll (I may have others as well)

I have read the intro to posting and here are the logs.

Many thanks in advance for your help on this.

Ian



Deckard's System Scanner v20071014.68
Run by Ian on 2008-05-14 18:32:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
42: 2008-05-14 06:32:32 UTC - RP159 - Deckard's System Scanner Restore Point
41: 2008-05-13 06:54:14 UTC - RP158 - Software Distribution Service 3.0
40: 2008-05-13 05:39:15 UTC - RP157 - System Checkpoint
39: 2008-05-12 04:57:22 UTC - RP156 - Installed SUPERAntiSpyware Free Edition
38: 2008-05-10 04:56:14 UTC - RP155 - Installed Windows Defender


-- First Restore Point --
1: 2008-05-10 00:44:50 UTC - RP118 - Installed Windows XP KB923414.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-14 18:35:37
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\ian\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C35534B-E780-41D7-92AC-57C56731722C} - C:\WINDOWS\system32\xxyyyWop.dll (file missing)
O2 - BHO: (no name) - {4BA319B7-1DD4-4291-B598-EB12D3718F7C} - C:\WINDOWS\system32\awtqnkhe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84FEBFF8-945B-4F9A-B9B8-B68EC5020770} - C:\WINDOWS\system32\tuvUkJAp.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {939662DB-93A0-4672-91F1-79BFCA8DBCF3} - C:\WINDOWS\system32\ddcCtRhI.dll (file missing)
O2 - BHO: (no name) - {A96E51E1-431C-4AF0-92F7-7290107FB833} - C:\WINDOWS\system32\ssqOIBRj.dll
O2 - BHO: QXK Rhythm - {B139642C-0F49-4630-812B-37B559803458} - C:\WINDOWS\fvowketqftn.dll (file missing)
O2 - BHO: (no name) - {FF63FA08-CF03-438E-BEA3-D1C1E0E7C848} - C:\WINDOWS\system32\geBTjigD.dll (file missing)
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ian\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA169] command /c del "C:\WINDOWS\system32\awtqnkhe.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5163] cmd /c del "C:\WINDOWS\system32\awtqnkhe.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\Software\..\Telephony: DomainName = ca1.critchlow.co.nz
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{2D240CC0-B19F-4095-A7CB-24A6731C5338}: NameServer = 203.98.90.25 203.98.90.27
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvUkJAp - C:\WINDOWS\system32\tuvUkJAp.dll
O21 - SSODL: mpfanvqg - {E7CD566A-7DDE-4207-9C24-E2D6333A02C6} - C:\WINDOWS\mpfanvqg.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Pull Service (PullService) - Unknown owner - C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe


--
End of file - 10793 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ylzahexq - c:\windows\system32\drivers\gdgpfo.sys

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 SWUMX20 (Sierra Wireless USB MUX Driver (UMTS20)) - c:\windows\system32\drivers\swumx20.sys (file missing)
S3 urvpndrv (F5 Networks VPN Adapter) - c:\windows\system32\drivers\urvpndrv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PullService (Pull Service) - "c:\program files\esi\webeoc 7\eoc professional\pullservice\pullservice.exe" <Not Verified; ; PullService>

S2 LightScribeService Direct (LightScribeService) - c:\windows\system\winspools.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_08BC103C&REV_00\4&39A85202&0&33F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_08BC103C&REV_00\4&39A85202&0&33F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-14 16:58:24 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-23 14:16:40 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-04-14 and 2008-05-14 -----------------------------

2008-05-14 18:02:12 90304 --a------ C:\WINDOWS\system32\juyjnofe.dll
2008-05-14 18:00:12 210540 --ahs---- C:\WINDOWS\system32\jRBIOqss.ini2
2008-05-14 17:59:47 4864 --a------ C:\WINDOWS\system32\drivers\gdgpfo.sys
2008-05-14 17:59:46 318080 --a------ C:\WINDOWS\system32\ssqOIBRj.dll
2008-05-14 17:59:46 94856 --a------ C:\WINDOWS\system32\gdgpfo.dll
2008-05-14 11:36:44 209284 --ahs---- C:\WINDOWS\system32\ehknqtwa.ini2
2008-05-14 00:14:39 302594 --ahs---- C:\WINDOWS\system32\poWyyyxx.ini2
2008-05-13 10:13:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 19:50:29 2522 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-12 19:49:54 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-12 19:49:54 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-12 19:49:54 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-12 19:49:54 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-12 19:49:53 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-12 19:49:53 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-12 19:49:53 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-12 19:49:53 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 19:49:44 0 d-------- C:\SmitfraudFix
2008-05-12 18:51:46 201217 --ahs---- C:\WINDOWS\system32\DgijTBeg.ini2
2008-05-12 17:42:48 1390255 --a------ C:\SmitfraudFix.exe
2008-05-12 17:02:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57:52 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 16:57:24 0 d-------- C:\Documents and Settings\ian\Application Data\SUPERAntiSpyware.com
2008-05-12 16:51:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 16:56:22 0 d-------- C:\Program Files\Windows Defender
2008-05-10 16:47:45 0 d-------- C:\Program Files\Antivirus 2008
2008-05-10 16:25:11 0 d-------- C:\Documents and Settings\ian\Application Data\TmpRecentIcons
2008-05-10 13:42:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-05-10 12:44:39 8767 --ahs---- C:\WINDOWS\system32\IhRtCcdd.ini2
2008-05-10 12:39:44 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-05-10 12:39:26 29824 --a------ C:\WINDOWS\system32\tuvUkJAp.dll
2008-05-09 20:07:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sierra Wireless
2008-05-09 17:55:30 0 d-------- C:\Documents and Settings\ian\Application Data\Sierra Wireless
2008-05-09 17:54:59 0 d-------- C:\Program Files\Telstra
2008-05-09 17:54:59 0 d-------- C:\Program Files\Sierra Wireless Inc
2008-05-09 16:48:07 0 d-------- C:\Program Files\Windows Mobile Resources
2008-05-07 21:31:32 0 d-------- C:\WINDOWS\Sun
2008-05-07 21:31:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-05-07 21:29:56 0 d-------- C:\Program Files\Java
2008-05-07 21:09:39 0 d-------- C:\Program Files\Common Files\Java
2008-05-06 07:29:17 0 d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2008-05-06 07:28:14 0 d-------- C:\WINDOWS\RS9_KB934458_ENU
2008-05-05 15:30:37 0 d-------- C:\Program Files\Microsoft ASP.NET
2008-05-05 15:22:57 0 d-------- C:\WINDOWS\system32\msmq
2008-05-05 15:14:44 0 d-------- C:\Program Files\ESi
2008-05-05 15:11:27 0 d-------- C:\Program Files\Common Files\ESi
2008-05-05 14:48:53 0 d-------- C:\Program Files\Microsoft Analysis Services
2008-05-05 09:12:10 0 d-------- C:\Emergeo
2008-04-28 20:02:31 0 d-------- C:\Program Files\iBurst Terminal
2008-04-27 10:41:47 51180 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-27 10:39:20 0 d-------- C:\Program Files\mIRC
2008-04-27 10:39:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-04-23 15:52:24 0 d-------- C:\Documents and Settings\ian\Application Data\AdobeUM
2008-04-23 14:33:01 0 d-------- C:\Program Files\Common Files\L&H
2008-04-23 14:32:03 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-23 14:29:40 0 d-------- C:\Program Files\Microsoft Works
2008-04-23 14:28:27 0 d-------- C:\WINDOWS\SHELLNEW
2008-04-23 14:22:58 0 d-------- C:\Documents and Settings\digital\Application Data\Identities
2008-04-23 14:22:43 0 d--h----- C:\Documents and Settings\digital\Templates
2008-04-23 14:22:43 0 dr------- C:\Documents and Settings\digital\Start Menu
2008-04-23 14:22:43 0 dr-h----- C:\Documents and Settings\digital\SendTo
2008-04-23 14:22:43 0 dr-h----- C:\Documents and Settings\digital\Recent
2008-04-23 14:22:43 0 d--h----- C:\Documents and Settings\digital\PrintHood
2008-04-23 14:22:43 786432 --ah----- C:\Documents and Settings\digital\NTUSER.DAT
2008-04-23 14:22:43 0 d--h----- C:\Documents and Settings\digital\NetHood
2008-04-23 14:22:43 0 dr------- C:\Documents and Settings\digital\My Documents
2008-04-23 14:22:43 0 d--h----- C:\Documents and Settings\digital\Local Settings
2008-04-23 14:22:43 0 dr------- C:\Documents and Settings\digital\Favorites
2008-04-23 14:22:43 0 d-------- C:\Documents and Settings\digital\Desktop
2008-04-23 14:22:43 0 d--hs---- C:\Documents and Settings\digital\Cookies
2008-04-23 14:22:43 0 dr-h----- C:\Documents and Settings\digital\Application Data
2008-04-23 14:22:43 0 d---s---- C:\Documents and Settings\digital\Application Data\Microsoft
2008-04-23 11:43:48 0 d-------- C:\WINDOWS\system32\NtmsData
2008-04-23 11:40:36 40 --a------ C:\WINDOWS\system32\profile.dat
2008-04-23 11:38:00 0 d-------- C:\Program Files\Symantec
2008-04-23 11:37:35 0 d-------- C:\Program Files\Symantec Client Security
2008-04-23 11:37:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 11:37:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:36:39 0 d-------- C:\TEMP
2008-04-22 20:35:56 0 d-------- C:\Documents and Settings\Administrator\Contacts
2008-04-22 20:33:17 0 d-------- C:\Documents and Settings\ian\Contacts
2008-04-22 20:12:05 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-22 20:11:57 0 d-------- C:\Program Files\Windows Live
2008-04-22 20:11:44 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-22 20:01:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-22 20:00:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-22 19:44:08 53248 --a------ C:\WINDOWS\iwlandrvxpver.dll <Not Verified; hp; hp iwlandrvxpver>
2008-04-22 19:43:49 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-22 19:43:36 0 d-------- C:\SWSetup
2008-04-22 12:20:14 0 d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-04-22 12:19:46 0 d-------- C:\WINDOWS\system32\Cache
2008-04-22 12:18:23 0 d-------- C:\Inetpub
2008-04-22 08:53:28 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-22 08:52:06 0 d-------- C:\Program Files\timesheet
2008-04-22 08:51:52 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2008-04-22 08:51:42 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-22 08:48:59 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-22 08:48:59 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-22 07:35:07 0 d-------- C:\I386
2008-04-21 20:06:46 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-21 20:06:43 0 dr------- C:\Program Files
2008-04-21 20:06:43 0 d-------- C:\Program Files\Common Files
2008-04-21 20:06:43 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-21 20:06:21 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-21 20:06:21 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-21 20:06:21 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-21 20:06:21 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-21 20:06:21 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-21 20:06:21 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-21 20:06:21 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-21 20:06:21 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-21 20:06:21 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-21 20:06:21 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-21 20:06:21 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-04-21 20:06:21 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-21 20:06:21 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-04-21 20:06:21 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-21 20:06:21 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-21 20:06:21 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-21 20:06:09 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-21 20:06:09 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-21 20:06:04 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-21 20:06:04 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-21 20:06:04 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-04-21 20:06:04 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-21 20:05:45 0 d-------- C:\Documents and Settings
2008-04-21 20:01:31 0 d-------- C:\WINDOWS
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\WinSxS
2008-04-21 20:01:31 0 dr------- C:\WINDOWS\Web
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\twain_32
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\wins
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\wbem
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\usmt
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\spool
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\Setup
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\ras
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\oobe
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\npp
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\mui
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\IME
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\ias
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\export
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\drivers
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-21 20:01:31 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\config
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\3076
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\2052
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\1054
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\1042
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\1041
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\1037
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\1033
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\1031
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\1028
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system32\1025
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\system
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\security
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\Resources
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\repair
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\mui
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\msapps
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\msagent
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\Media
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\java
2008-04-21 20:01:31 0 d--h----- C:\WINDOWS\inf
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\ime
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\Help
2008-04-21 20:01:31 0 dr--s---- C:\WINDOWS\Fonts
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\Driver Cache
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\Debug
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\Cursors
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\Config
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\AppPatch
2008-04-21 20:01:31 0 d-------- C:\WINDOWS\addins
2008-04-21 15:59:23 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-04-21 15:59:23 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-04-21 15:59:22 49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-04-21 15:59:22 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-04-21 15:59:22 0 d-------- C:\Program Files\Analog Devices
2008-04-21 15:18:40 0 d-------- C:\Program Files\MSXML 6.0
2008-04-21 14:54:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-21 14:53:09 0 d-------- C:\Documents and Settings\ian\Application Data\Adobe
2008-04-21 14:50:28 0 d-------- C:\Documents and Settings\ian\Application Data\Macromedia
2008-04-21 14:50:14 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-21 14:29:01 0 d-------- C:\Tools
2008-04-21 14:27:54 0 d-------- C:\Data
2008-04-21 14:27:33 0 d-------- C:\Projects
2008-04-21 14:03:27 0 d-------- C:\Program Files\Microsoft SQL Server
2008-04-21 14:02:44 0 d-------- C:\Program Files\Microsoft Device Emulator
2008-04-21 14:02:33 0 d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-04-21 13:55:22 0 d-------- C:\Program Files\MSBuild
2008-04-21 13:47:01 0 d-------- C:\WINDOWS\Symbols
2008-04-21 13:47:01 0 d-------- C:\Program Files\HTML Help Workshop
2008-04-21 13:47:01 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-04-21 13:47:01 0 d-------- C:\Program Files\Common Files\Business Objects
2008-04-21 13:47:01 0 d-------- C:\Program Files\CE Remote Tools
2008-04-21 13:47:01 0 d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-04-21 13:45:13 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-21 13:45:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-21 13:18:06 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-04-21 13:17:25 0 d-------- C:\WINDOWS\Prefetch
2008-04-21 12:33:51 0 d-------- C:\WINDOWS\provisioning
2008-04-21 12:33:51 0 d-------- C:\WINDOWS\peernet
2008-04-21 12:31:40 0 d-------- C:\WINDOWS\ServicePackFiles
2008-04-21 12:26:54 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-21 12:24:28 0 d-------- C:\WINDOWS\EHome
2008-04-21 12:01:17 0 d-------- C:\Documents and Settings\jeremyh\Application Data\Identities
2008-04-21 12:01:04 0 d--h----- C:\Documents and Settings\jeremyh\Templates
2008-04-21 12:01:04 0 dr------- C:\Documents and Settings\jeremyh\Start Menu
2008-04-21 12:01:04 0 dr-h----- C:\Documents and Settings\jeremyh\SendTo
2008-04-21 12:01:04 0 dr-h----- C:\Documents and Settings\jeremyh\Recent
2008-04-21 12:01:04 0 d--h----- C:\Documents and Settings\jeremyh\PrintHood
2008-04-21 12:01:04 524288 --ah----- C:\Documents and Settings\jeremyh\NTUSER.DAT
2008-04-21 12:01:04 0 d--h----- C:\Documents and Settings\jeremyh\NetHood
2008-04-21 12:01:04 0 dr------- C:\Documents and Settings\jeremyh\My Documents
2008-04-21 12:01:04 0 d--h----- C:\Documents and Settings\jeremyh\Local Settings
2008-04-21 12:01:04 0 dr------- C:\Documents and Settings\jeremyh\Favorites
2008-04-21 12:01:04 0 d-------- C:\Documents and Settings\jeremyh\Desktop
2008-04-21 12:01:04 0 d---s---- C:\Documents and Settings\jeremyh\Cookies
2008-04-21 12:01:04 0 dr-h----- C:\Documents and Settings\jeremyh\Application Data
2008-04-21 12:01:04 0 d---s---- C:\Documents and Settings\jeremyh\Application Data\Microsoft
2008-04-21 11:53:04 0 d-------- C:\Program Files\Microsoft.NET
2008-04-21 11:46:03 0 d--hs---- C:\Documents and Settings\ian\UserData
2008-04-21 09:50:36 13312 --a------ C:\WINDOWS\system32\ntvdmd.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-21 09:47:50 0 d-------- C:\WINDOWS\Options
2008-04-21 09:42:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-21 09:42:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-21 09:39:13 0 d-------- C:\WINDOWS\system32\bits
2008-04-21 09:38:26 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-21 09:38:22 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-21 09:36:56 0 d-------- C:\Documents and Settings\ian\Application Data\InstallShield
2008-04-21 09:13:22 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-21 09:09:18 0 d-------- C:\Documents and Settings\ian\Application Data\Identities
2008-04-21 09:09:09 0 d--h----- C:\Documents and Settings\ian\Templates
2008-04-21 09:09:09 0 dr------- C:\Documents and Settings\ian\Start Menu
2008-04-21 09:09:09 0 dr-h----- C:\Documents and Settings\ian\SendTo
2008-04-21 09:09:09 0 dr-h----- C:\Documents and Settings\ian\Recent
2008-04-21 09:09:09 0 d--h----- C:\Documents and Settings\ian\PrintHood
2008-04-21 09:09:09 2621440 --ah----- C:\Documents and Settings\ian\NTUSER.DAT
2008-04-21 09:09:09 0 d--h----- C:\Documents and Settings\ian\NetHood
2008-04-21 09:09:09 0 dr------- C:\Documents and Settings\ian\My Documents
2008-04-21 09:09:09 0 d--h----- C:\Documents and Settings\ian\Local Settings
2008-04-21 09:09:09 0 dr------- C:\Documents and Settings\ian\Favorites
2008-04-21 09:09:09 0 d-------- C:\Documents and Settings\ian\Desktop
2008-04-21 09:09:09 0 d--hs---- C:\Documents and Settings\ian\Cookies
2008-04-21 09:09:09 0 dr-h----- C:\Documents and Settings\ian\Application Data
2008-04-21 09:07:23 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-21 09:07:23 0 d-------- C:\WINDOWS\SchCache
2008-04-21 09:04:30 0 d-------- C:\Program Files\Broadcom
2008-04-21 09:04:22 0 d-------- C:\WINDOWS\Downloaded Installations
2008-04-21 08:52:48 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-21 08:40:12 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-21 08:39:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-21 08:39:45 0 d-------- C:\Program Files\HPQ
2008-04-21 08:39:43 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-21 08:39:33 0 d-------- C:\SYSTEM.SAV
2008-04-21 08:38:00 0 d--hs---- C:\WINDOWS\Installer
2008-04-21 08:37:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-21 08:37:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-21 08:37:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-21 08:37:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-21 08:37:46 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-21 08:37:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-21 08:37:46 1572864 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-21 08:37:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-21 08:37:46 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-21 08:37:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-21 08:37:46 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-21 08:37:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-21 08:37:46 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-21 08:37:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-21 08:37:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-21 08:37:41 0 d--hs---- C:\WINDOWS\CSC
2008-04-21 08:34:33 0 d--hs---- C:\System Volume Information
2008-04-21 08:34:30 229376 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-21 08:34:30 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-21 08:34:30 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-21 08:34:30 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-21 08:34:30 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-21 08:34:29 229376 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-21 08:34:29 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-21 08:34:29 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-21 08:34:29 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-21 08:34:29 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-21 08:31:15 0 d-------- C:\WINDOWS\system32\xircom
2008-04-21 08:31:14 0 d-------- C:\Program Files\microsoft frontpage
2008-04-21 08:31:01 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-21 08:30:54 0 -rahs---- C:\MSDOS.SYS
2008-04-21 08:30:54 0 -rahs---- C:\IO.SYS
2008-04-21 08:30:54 0 --a------ C:\CONFIG.SYS
2008-04-21 08:30:54 0 --a------ C:\AUTOEXEC.BAT
2008-04-21 08:29:58 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-21 08:29:48 0 dr------- C:\WINDOWS\Offline Web Pages
2008-04-21 08:29:48 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-21 08:29:22 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-21 08:28:48 0 d---s---- C:\WINDOWS\Tasks
2008-04-21 08:28:46 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-21 08:28:42 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-21 08:28:42 0 d-------- C:\WINDOWS\srchasst
2008-04-21 08:28:41 0 d-------- C:\Program Files\Movie Maker
2008-04-21 08:28:37 0 d-------- C:\WINDOWS\system32\Restore
2008-04-21 08:28:37 0 d-------- C:\WINDOWS\PCHealth
2008-04-21 08:28:04 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-21 08:27:43 0 d-------- C:\WINDOWS\Registration
2008-04-21 08:27:34 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-21 08:27:34 0 d-------- C:\Program Files\Online Services
2008-04-21 08:27:27 0 d-------- C:\Program Files\Messenger
2008-04-21 08:27:23 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-21 08:26:54 0 d-------- C:\Program Files\Windows NT
2008-04-21 08:26:52 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-21 08:26:51 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-05-09 16:50:26 2528 --a------ C:\Documents and Settings\ian\Application Data\$_hpcst$.hpc
2008-04-21 20:06:21 62 --ahs---- C:\Documents and Settings\ian\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C35534B-E780-41D7-92AC-57C56731722C}]
C:\WINDOWS\system32\xxyyyWop.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BA319B7-1DD4-4291-B598-EB12D3718F7C}]
C:\WINDOWS\system32\awtqnkhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}]
10/05/2008 12:39 p.m. 29824 --a------ C:\WINDOWS\system32\tuvUkJAp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{939662DB-93A0-4672-91F1-79BFCA8DBCF3}]
C:\WINDOWS\system32\ddcCtRhI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A96E51E1-431C-4AF0-92F7-7290107FB833}]
14/05/2008 06:00 p.m. 318080 --a------ C:\WINDOWS\system32\ssqOIBRj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B139642C-0F49-4630-812B-37B559803458}]
C:\WINDOWS\fvowketqftn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF63FA08-CF03-438E-BEA3-D1C1E0E7C848}]
C:\WINDOWS\system32\geBTjigD.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UIUCU"="C:\DOCUME~1\ian\LOCALS~1\Temp\UIUCU.exe" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/10/2004 07:31 a.m.]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/10/2004 07:27 a.m.]
"AGRSMMSG"="AGRSMMSG.exe" [19/04/2005 10:03 a.m. C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/04/2005 03:52 p.m.]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [17/04/2005 12:30 p.m.]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 a.m.]
"AirCardEnabler"="" []
"WatcherHelper"="C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe" [29/10/2007 12:03 p.m.]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 p.m.]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 a.m.]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 a.m.]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [13/11/2006 01:39 p.m.]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 a.m.]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"SpybotDeletingA169"=command /c del "C:\WINDOWS\system32\awtqnkhe.dll_old"
"SpybotDeletingC5163"=cmd /c del "C:\WINDOWS\system32\awtqnkhe.dll_old"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 4:44:06 a.m.]
iBurst_Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [28/04/2008 8:02:32 p.m.]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}"= C:\WINDOWS\system32\tuvUkJAp.dll [10/05/2008 12:39 p.m. 29824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 p.m. 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {E7CD566A-7DDE-4207-9C24-E2D6333A02C6} - C:\WINDOWS\mpfanvqg.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 p.m. 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUkJAp]
tuvUkJAp.dll 10/05/2008 12:39 p.m. 29824 C:\WINDOWS\system32\tuvUkJAp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqOIBRj

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
blzahe blzahe

*Newly Created Service* - BLZAHE
*Newly Created Service* - LIGHTSCRIBESERVICE_DIRECT
*Newly Created Service* - YLZAHEXQ



-- End of Deckard's System Scanner: finished at 2008-05-14 18:37:58 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.60GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 1015.36 MiB / 381.17 MiB
Pagefile Memory (total/avail): 2445.9 MiB / 1862.27 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.84 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 13.56 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AH PL - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is not configured.
Windows Internal Firewall is enabled.

FirewallDisableNotify is set.

FW: Symantec Client Firewall v8.6.0.80 (Symantec Corporation) Disabled
AV: Symantec AntiVirus Corporate Edition v10.0.0.359 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
""=""
"C:\\Program files\\Telstra\\Telstra Turbo Connection Manager\\SwiApiMux.exe"="C:\\Program files\\Telstra\\Telstra Turbo Connection Manager\\SwiApiMux.exe:*:Enabled:SwiApiMux"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ian\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=WS191
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ian
LOGONSERVER=\\KAHUNA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;c:\Program Files\Microsoft SQL Server\80\Tools\Binn\;c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;c:\Program Files\Microsoft SQL Server\90\DTS\Binn\;c:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ian\LOCALS~1\Temp
TMP=C:\DOCUME~1\ian\LOCALS~1\Temp
USERDNSDOMAIN=CA1.CRITCHLOW.CO.NZ
USERDOMAIN=CA1
USERNAME=Ian
USERPROFILE=C:\Documents and Settings\ian
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ian (admin)
jeremyh (new local, admin, net ready)
digital (new local, admin, net ready)
ASPNET
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Agere Systems AC'97 Modem --> agrsmdel
Broadcom 440x 10/100 Integrated Controller --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
Emergeo Smart Client --> MsiExec.exe /I{2A790131-ADE7-48B2-B94C-B9633435A547}
GDR 3054 for SQL Server Reporting Services 2005 ENU (KB934458) --> C:\WINDOWS\RS9_KB934458_ENU\Hotfix.exe /Uninstall
GDR 3054 for SQL Server Tools and Workstation Components 2005 ENU (KB934458) --> C:\WINDOWS\SQLTools9_KB934458_ENU\Hotfix.exe /Uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iBurst Terminal --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{90133000-1F11-4819-B708-9DF0870A9C54}\setup.exe" -l0x9 -removeonly
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft ASP.NET 2.0 AJAX Extensions 1.0 --> MsiExec.exe /X{082BDF7B-4810-4599-BF0D-E3AC44EC8524}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Device Emulator version 1.0 - ENU --> MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{69880C00-08DD-4385-B752-9C62656F6D1E}
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools --> MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Reporting Services (SQLEXPRESS) --> MsiExec.exe /I{0DAA9912-3FE2-4B84-B926-8D7F71A8A99A}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{A30965BD-2D4D-45CE-8F04-6A6889818CF1}
Microsoft SQL Server Management Objects Collection --> MsiExec.exe /I{884E055A-DE1F-4507-942E-957A0A67FF33}
Microsoft SQL Server Management Studio Express --> MsiExec.exe /I{20608BFA-6068-48FE-A410-400F2A124C27}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{1CBE3804-20DF-48DA-B048-895C206E80A5}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Professional Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec Client Security --> MsiExec.exe /I{E9FA3047-0B15-4E19-85CE-EE7FC6E60F99}
Telstra Turbo Connection Manager --> MsiExec.exe /I{0D4D333F-9321-4FC5-BB65-AD0DE414AD70}
timesheet --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\timesheet\ST6UNST.LOG"
Visual FoxPro ODBC Driver --> MsiExec.exe /X{31821EFE-1B31-4744-9FB0-208F92BD7168}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Mobile Resources --> C:\Program Files\Windows Mobile Resources\Windows Mobile Device Handbook\Bin\DHUninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4262 / Error
Event Submitted/Written: 05/14/2008 04:55:26 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type4223 / Error
Event Submitted/Written: 05/14/2008 04:54:28 PM / 05/14/2008 04:54:29 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type4221 / Error
Event Submitted/Written: 05/14/2008 04:54:24 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type4210 / Warning
Event Submitted/Written: 05/14/2008 04:52:15 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type4190 / Success
Event Submitted/Written: 05/14/2008 11:13:59 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4697 / Warning
Event Submitted/Written: 05/14/2008 06:00:41 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%CA127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %CA127 can't undo changes that you allow.

For more information please see the following:
%CA1275

Scan ID: {BF7CA770-25B9-49DE-BCE4-1FE192853086}

User: CA1\Ian

Name: %CA1271

ID: %CA1272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %CA1276

Alert Type: %CA1278

Detection Type: 1.1.1593.02

Event Record #/Type4696 / Error
Event Submitted/Written: 05/14/2008 06:00:16 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The LightScribeService service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type4695 / Warning
Event Submitted/Written: 05/14/2008 06:00:14 PM / 05/14/2008 06:00:15 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%CA127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %CA127 can't undo changes that you allow.

For more information please see the following:
%CA1275

Scan ID: {13888A67-81B2-4E07-8FED-BDF21EF95E37}

User: CA1\Ian

Name: %CA1271

ID: %CA1272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %CA1276

Alert Type: %CA1278

Detection Type: 1.1.1593.02

Event Record #/Type4678 / Error
Event Submitted/Written: 05/14/2008 05:53:07 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Event Record #/Type4677 / Warning
Event Submitted/Written: 05/14/2008 05:53:07 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 30 minutes.



-- End of Deckard's System Scanner: finished at 2008-05-14 18:37:58 ------------



#2 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:08:46 AM

Posted 14 May 2008 - 11:56 AM

Hello IanD11,

I will be assisting you with your malware issues.
  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it for reference.
IMPORTANT NOTE:
If you are using Windows Vista, you must right-click on the desktop icon of all tools and choose Run as Administrator.
----------------------------------------------
Please visit this webpage for instructions on downloading ComboFix to your DESKTOP:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Private Messages for personal support will be ignored. If you need help post in the forum.

#3 IanD11

IanD11
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:46 PM

Posted 14 May 2008 - 05:47 PM

Hi Chryssi2001


Here are the logs.

Thanks for your help! Really appreciate it!

ComboFix 08-05-12.1 - Ian 2008-05-15 10:22:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT 12:00]
Running from: C:\Documents and Settings\ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ian\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\DgijTBeg.ini
C:\WINDOWS\system32\DgijTBeg.ini2
C:\WINDOWS\system32\efonjyuj.ini
C:\WINDOWS\system32\ehknqtwa.ini
C:\WINDOWS\system32\ehknqtwa.ini2
C:\WINDOWS\system32\hfuyhlol.ini
C:\WINDOWS\system32\IhRtCcdd.ini
C:\WINDOWS\system32\IhRtCcdd.ini2
C:\WINDOWS\system32\jRBIOqss.ini
C:\WINDOWS\system32\jRBIOqss.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\poWyyyxx.ini
C:\WINDOWS\system32\poWyyyxx.ini2
C:\WINDOWS\system32\tdgdgyck.ini
C:\WINDOWS\system32\xrclfleb.ini

----- BITS: Possible infected sites -----

hxxp://camgmt01
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 18:32 . 2008-05-14 18:32 <DIR> d-------- C:\Deckard
2008-05-14 18:19 . 2008-05-15 10:14 1,289 --a------ C:\WINDOWS\system32\gdgpfo.Key
2008-05-14 18:02 . 2008-05-14 18:02 90,304 --a------ C:\WINDOWS\system32\juyjnofe.dll
2008-05-14 17:59 . 2008-05-14 18:00 318,080 --a------ C:\WINDOWS\system32\ssqOIBRj.dll
2008-05-14 17:59 . 2008-05-14 17:59 94,856 --a------ C:\WINDOWS\system32\gdgpfo.dll
2008-05-14 17:59 . 2008-05-14 17:59 4,864 --a------ C:\WINDOWS\system32\drivers\gdgpfo.sys
2008-05-14 17:59 . 2008-05-14 17:59 1 --a------ C:\WINDOWS\system32\00048fa6.inf
2008-05-13 12:02 . 2008-05-14 07:36 0 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 10:57 . 2008-05-14 17:35 383 --a------ C:\WINDOWS\wininit.ini
2008-05-13 10:13 . 2008-05-13 10:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 10:13 . 2008-05-13 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 19:50 . 2008-05-12 20:00 2,522 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-12 19:49 . 2008-05-12 20:04 <DIR> d-------- C:\SmitfraudFix
2008-05-12 19:49 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-12 19:49 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-12 19:49 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-12 19:49 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-12 19:49 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-12 19:49 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-12 19:49 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 19:49 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-12 17:42 . 2008-05-12 17:42 1,390,255 --a------ C:\SmitfraudFix.exe
2008-05-12 17:02 . 2008-05-12 17:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\ian\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 16:51 . 2008-05-12 16:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 16:56 . 2008-05-10 16:56 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-10 16:47 . 2008-05-10 16:47 <DIR> d-------- C:\Program Files\Antivirus 2008
2008-05-10 16:25 . 2008-05-10 16:25 <DIR> d-------- C:\Documents and Settings\ian\Application Data\TmpRecentIcons
2008-05-10 13:42 . 2008-05-10 13:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-05-10 12:39 . 2008-05-10 12:39 29,824 --a------ C:\WINDOWS\system32\tuvUkJAp.dll
2008-05-10 12:39 . 2008-05-10 12:39 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-05-09 20:07 . 2008-05-09 20:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sierra Wireless
2008-05-09 17:55 . 2008-05-09 17:59 <DIR> d-------- C:\Documents and Settings\ian\Application Data\Sierra Wireless
2008-05-09 17:55 . 2007-11-06 15:59 25,736 -ra------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-05-09 17:54 . 2008-05-09 17:54 <DIR> d-------- C:\Program Files\Telstra
2008-05-09 17:54 . 2008-05-09 17:55 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-05-09 16:48 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Windows Mobile Resources
2008-05-07 21:31 . 2008-05-07 21:31 <DIR> d-------- C:\WINDOWS\Sun
2008-05-07 21:30 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-07 21:29 . 2008-05-07 21:31 <DIR> d-------- C:\Program Files\Java
2008-05-07 21:09 . 2008-05-07 21:09 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 07:29 . 2008-05-06 07:29 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2008-05-06 07:28 . 2008-05-06 07:28 <DIR> d-------- C:\WINDOWS\RS9_KB934458_ENU
2008-05-05 15:30 . 2008-05-05 15:30 <DIR> d-------- C:\Program Files\Microsoft ASP.NET
2008-05-05 15:22 . 2008-05-05 15:23 <DIR> d-------- C:\WINDOWS\system32\msmq
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191\ASPNET
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191
2008-05-05 15:16 . 2008-05-15 10:21 1,024 --ah----- C:\Documents and Settings\WS191\ASPNET\ntuser.dat.LOG
2008-05-05 15:14 . 2008-05-05 15:29 <DIR> d-------- C:\Program Files\ESi
2008-05-05 15:11 . 2008-05-05 15:28 <DIR> d-------- C:\Program Files\Common Files\ESi
2008-05-05 14:48 . 2008-05-05 14:48 <DIR> d-------- C:\Program Files\Microsoft Analysis Services
2008-05-05 09:12 . 2008-05-05 09:16 <DIR> d-------- C:\Emergeo
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-04-28 20:02 . 2008-04-28 20:02 <DIR> d-------- C:\Program Files\iBurst Terminal
2008-04-28 20:02 . 2006-03-29 03:25 37,362 --a------ C:\WINDOWS\system32\drivers\iBurstu.sys
2008-04-27 10:41 . 2008-04-27 10:41 51,180 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-27 10:39 . 2008-04-27 10:42 <DIR> d-------- C:\Program Files\mIRC
2008-04-27 10:39 . 2008-04-27 10:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-04-23 15:52 . 2008-04-23 15:52 <DIR> d-------- C:\Documents and Settings\ian\Application Data\AdobeUM
2008-04-23 14:33 . 2008-04-23 14:33 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-04-23 14:32 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-23 14:29 . 2008-04-23 14:29 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-23 14:28 . 2008-04-23 14:32 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-23 14:22 . 2008-04-23 14:40 <DIR> d-------- C:\Documents and Settings\digital
2008-04-23 14:22 . 2008-05-15 10:21 1,024 --ah----- C:\Documents and Settings\digital\ntuser.dat.LOG
2008-04-23 11:49 . 2008-04-23 11:49 0 --a------ C:\WINDOWS\vpc32.INI
2008-04-23 11:43 . 2008-04-23 11:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-23 11:40 . 2008-05-15 10:28 40 --a------ C:\WINDOWS\system32\profile.dat
2008-04-23 11:39 . 2005-04-01 20:36 123,200 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-23 11:39 . 2005-04-01 20:36 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-23 11:38 . 2008-04-23 11:39 <DIR> d-------- C:\Program Files\Symantec
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-04-23 11:37 . 2008-05-15 10:29 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:36 . 2008-04-23 14:15 <DIR> d-------- C:\TEMP
2008-04-22 20:35 . 2008-04-22 20:35 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-04-22 20:33 . 2008-04-22 20:33 <DIR> d-------- C:\Documents and Settings\ian\Contacts
2008-04-22 20:12 . 2008-04-22 20:32 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-22 20:11 . 2008-04-22 20:32 <DIR> d-------- C:\Program Files\Windows Live
2008-04-22 20:11 . 2008-04-22 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-22 19:44 . 2006-08-23 11:45 53,248 --a------ C:\WINDOWS\iwlandrvxpver.dll
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\SWSetup
2008-04-22 19:43 . 2006-08-23 11:47 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2008-04-22 19:43 . 2006-08-23 11:47 2,206,720 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-04-22 19:43 . 2006-08-23 11:47 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2008-04-22 12:20 . 2008-04-22 12:20 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-04-22 12:18 . 2008-04-22 12:20 <DIR> d-------- C:\Inetpub
2008-04-22 10:56 . 2008-05-13 11:47 223 --a------ C:\WINDOWS\hpbafd.ini
2008-04-22 08:53 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-22 08:53 . 2006-10-05 02:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-22 08:53 . 2006-10-05 02:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-22 08:53 . 2006-10-05 02:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-22 08:52 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\timesheet
2008-04-22 08:51 . 2008-04-22 08:51 286,720 --------- C:\WINDOWS\Setup1.exe
2008-04-22 08:51 . 2008-04-22 08:51 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-22 08:48 . 2008-05-05 09:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-22 08:48 . 2008-04-22 08:51 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-22 07:35 . 2008-04-22 07:37 <DIR> d-------- C:\I386
2008-04-22 07:29 . 2007-12-07 14:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 07:29 . 2007-04-17 21:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-22 07:29 . 2007-03-08 17:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-22 07:29 . 2007-12-07 14:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 07:29 . 2007-12-07 14:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 07:29 . 2007-12-07 14:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 07:29 . 2007-12-07 14:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 07:29 . 2007-12-07 14:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 07:29 . 2007-12-06 23:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 15:59 . 2008-04-21 15:59 <DIR> d-------- C:\Program Files\Analog Devices
2008-04-21 15:18 . 2008-04-21 15:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-21 15:15 . 2006-08-21 21:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-21 15:15 . 2006-08-21 21:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-21 15:15 . 2006-08-22 00:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-21 15:01 . 2007-07-10 01:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-21 14:50 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-21 14:29 . 2008-04-21 14:37 <DIR> d-------- C:\Tools
2008-04-21 14:27 . 2008-05-05 14:09 <DIR> d-------- C:\Projects
2008-04-21 14:27 . 2008-04-21 14:28 <DIR> d-------- C:\Data
2008-04-21 14:03 . 2008-05-06 07:30 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-21 14:02 . 2008-04-21 14:02 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 12:38 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-04-27 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 03:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 20:39 --------- d-----w C:\Program Files\HPQ
2008-04-20 20:31 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C35534B-E780-41D7-92AC-57C56731722C}]
C:\WINDOWS\system32\xxyyyWop.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BA319B7-1DD4-4291-B598-EB12D3718F7C}]
C:\WINDOWS\system32\awtqnkhe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}]
2008-05-10 12:39 29824 --a------ C:\WINDOWS\system32\tuvUkJAp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{939662DB-93A0-4672-91F1-79BFCA8DBCF3}]
C:\WINDOWS\system32\ddcCtRhI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B139642C-0F49-4630-812B-37B559803458}]
C:\WINDOWS\fvowketqftn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36A7416-929C-4970-A3CD-BEE0365A4847}]
2008-05-14 18:00 318080 --a------ C:\WINDOWS\system32\ssqOIBRj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF63FA08-CF03-438E-BEA3-D1C1E0E7C848}]
C:\WINDOWS\system32\geBTjigD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-10-08 07:31 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-10-08 07:27 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 10:03 88209 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-04-17 12:30 85184]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AirCardEnabler"="" []
"WatcherHelper"="C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe" [2007-10-29 12:03 120088]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
iBurst_Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2008-04-28 20:02:32 311296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}"= C:\WINDOWS\system32\tuvUkJAp.dll [2008-05-10 12:39 29824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {E7CD566A-7DDE-4207-9C24-E2D6333A02C6} - C:\WINDOWS\mpfanvqg.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUkJAp]
tuvUkJAp.dll 2008-05-10 12:39 29824 C:\WINDOWS\system32\tuvUkJAp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"<NO NAME>"=
"C:\\Program files\\Telstra\\Telstra Turbo Connection Manager\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 blzahe;blzahe;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]
R2 PullService;Pull Service;"C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe" [2008-05-05 15:30]
R2 ylzahexq;ylzahexq;C:\WINDOWS\system32\drivers\gdgpfo.sys [2008-05-14 17:59]
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 14:15]
R3 iBurstu;iBurst Terminal;C:\WINDOWS\system32\DRIVERS\iBurstu.sys [2006-03-29 03:25]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-11-06 15:59]
S2 LightScribeService Direct;LightScribeService;C:\WINDOWS\system\WINSPOOLS.EXE [2005-04-24 18:00]
S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);"c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2007-03-23 21:13]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 SWNC8U55;Sierra Wireless MUX NDIS Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swnc8u55.sys [2007-09-21 15:47]
S3 SWUMX55;Sierra Wireless USB MUX Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swumx55.sys [2007-09-21 15:48]
S3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
blzahe REG_MULTI_SZ blzahe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 22:32:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-23 02:16:40 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 10:32:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tuvUkJAp.dll
-> c:\windows\system32\gdgpfo.dll

PROCESS: C:\WINDOWS\explorer.exe
-> c:\windows\system32\gdgpfo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
.
**************************************************************************
.
Completion time: 2008-05-15 10:37:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 22:36:57

Pre-Run: 14,456,782,848 bytes free
Post-Run: 14,389,178,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

318 --- E O F --- 2008-05-05 19:34:02

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46, on 2008-05-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [30e61868] rundll32.exe "C:\WINDOWS\system32\uswehmqa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\Software\..\Telephony: DomainName = ca1.critchlow.co.nz
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D240CC0-B19F-4095-A7CB-24A6731C5338}: NameServer = 203.98.90.25 203.98.90.27
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O21 - SSODL: mpfanvqg - {E7CD566A-7DDE-4207-9C24-E2D6333A02C6} - C:\WINDOWS\mpfanvqg.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Pull Service (PullService) - Unknown owner - C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 8292 bytes

#4 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:08:46 AM

Posted 15 May 2008 - 02:51 PM

Hello IanD11,

Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------------
Is this Domain your ISP?

ca1.critchlow.co.nz
----------------------------------------------
RENAME HIJACKTHIS

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe.

Do not run HijackThis yet.
----------------------------------------------
We need all Protection programs disabled before we run COMBOFIX-Script.
I see Windows Defender is disabled. Please keep it like that, and additionally disable Spybot's TeaTimer, as we do not want it to interfere with our fix.
Anti-Virus and Firewall should be disabled as well.

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/146789/virtumonde-problem/?p=825108
    
    Collect::
    C:\WINDOWS\system32\gdgpfo.Key
    C:\WINDOWS\system32\juyjnofe.dll
    C:\WINDOWS\system32\ssqOIBRj.dll
    C:\WINDOWS\system32\gdgpfo.dll
    C:\WINDOWS\system32\drivers\gdgpfo.sys
    C:\WINDOWS\system32\00048fa6.inf
    C:\WINDOWS\system32\VACFix.exe
    C:\WINDOWS\system32\404Fix.exe
    C:\SmitfraudFix.exe
    C:\WINDOWS\system32\tuvUkJAp.dll
    C:\WINDOWS\system32\kr_done1de
    C:\WINDOWS\vpc32.INI
    C:\WINDOWS\system32\xxyyyWop.dll
    C:\WINDOWS\system32\awtqnkhe.dll
    C:\WINDOWS\system32\ddcCtRhI.dll
    C:\WINDOWS\fvowketqftn.dll
    C:\WINDOWS\system32\geBTjigD.dll
    C:\WINDOWS\mpfanvqg.dll
    C:\WINDOWS\system32\uswehmqa.dll
    
    Folder::
    C:\SmitfraudFix
    C:\Program Files\Antivirus 2008
    C:\Documents and Settings\ian\Application Data\TmpRecentIcons
    C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
    
    Driver::
    blzahe
    ylzahexq
    
    NetSvc::
    blzahe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C35534B-E780-41D7-92AC-57C56731722C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BA319B7-1DD4-4291-B598-EB12D3718F7C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{939662DB-93A0-4672-91F1-79BFCA8DBCF3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B139642C-0F49-4630-812B-37B559803458}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36A7416-929C-4970-A3CD-BEE0365A4847}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF63FA08-CF03-438E-BEA3-D1C1E0E7C848}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AirCardEnabler"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}"=- 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "mpfanvqg"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUkJAp]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "<NO NAME>"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "30e61868"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot: dragging CFScript.txt onto ComboFix.exe)
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Jotti results.
Combofix report.
A new HijackThis log.

Edited by chryssi2001, 15 May 2008 - 02:54 PM.

Private Messages for personal support will be ignored. If you need help post in the forum.

#5 IanD11

  • Topic Starter

Posted 15 May 2008 - 05:26 PM

Hi Chryssi2001,

I do know this file. It is an application I use. I scanned the file anyway. Here are the results.

Scan taken on 15 May 2008 21:39:11 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


----------------------------------------------------------------------------

Yes. I use the domain to connect to the internet. This also looks fine to me.

----------------------------------------------------------------------------

Here is my combofix log

ComboFix 08-05-12.1 - Ian 2008-05-16 9:58:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.517 [GMT 12:00]
Running from: C:\Documents and Settings\ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ian\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
C:\Documents and Settings\ian\Application Data\TmpRecentIcons
C:\Documents and Settings\ian\Application Data\TmpRecentIcons\Emergeo Smart Client.lnk
C:\Documents and Settings\ian\Application Data\TmpRecentIcons\Windows Mobile Resources.lnk
C:\Program Files\Antivirus 2008
C:\Program Files\Antivirus 2008\Antvrs.exe
C:\SmitfraudFix
C:\SmitfraudFix.exe
C:\SmitfraudFix\404Fix.exe
C:\SmitfraudFix\dumphive.exe
C:\SmitfraudFix\exit.exe
C:\SmitfraudFix\GenericRenosFix.exe
C:\SmitfraudFix\HostsChk.exe
C:\SmitfraudFix\IEDFix.exe
C:\SmitfraudFix\Process.exe
C:\SmitfraudFix\Reboot.exe
C:\SmitfraudFix\restart.exe
C:\SmitfraudFix\SmitfraudFix.cmd
C:\SmitfraudFix\SmiUpdate.exe
C:\SmitfraudFix\SrchSTS.exe
C:\SmitfraudFix\swreg.exe
C:\SmitfraudFix\swsc.exe
C:\SmitfraudFix\swxcacls.exe
C:\SmitfraudFix\UIFix.exe
C:\SmitfraudFix\unzip.exe
C:\SmitfraudFix\VACFix.exe
C:\SmitfraudFix\VCCLSID.exe
C:\SmitfraudFix\WS2Fix.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\00048fa6.inf
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\aqmhewsu.ini
C:\WINDOWS\system32\drivers\gdgpfo.sys
C:\WINDOWS\system32\gdgpfo.dll
C:\WINDOWS\system32\gdgpfo.Key
C:\WINDOWS\system32\juyjnofe.dll
C:\WINDOWS\system32\kr_done1de
C:\WINDOWS\system32\ssqOIBRj.dll
C:\WINDOWS\system32\tuvUkJAp.dll
C:\WINDOWS\system32\twDfefii.ini
C:\WINDOWS\system32\twDfefii.ini2
C:\WINDOWS\system32\uswehmqa.dll
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\vpc32.INI

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BLZAHE
-------\Legacy_YLZAHEXQ
-------\Service_blzahe
-------\Service_ylzahexq


((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 10:43 . 2008-05-15 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 10:43 . 2008-05-15 10:43 318,848 --a------ C:\WINDOWS\system32\iifefDwt.dll
2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 18:32 . 2008-05-14 18:32 <DIR> d-------- C:\Deckard
2008-05-13 12:02 . 2008-05-14 07:36 0 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 10:57 . 2008-05-14 17:35 383 --a------ C:\WINDOWS\wininit.ini
2008-05-13 10:13 . 2008-05-13 10:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 10:13 . 2008-05-13 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 19:50 . 2008-05-12 20:00 2,522 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-12 19:49 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-12 19:49 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-12 19:49 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-12 19:49 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-12 19:49 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 19:49 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-12 17:02 . 2008-05-12 17:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\ian\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 16:51 . 2008-05-12 16:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 16:56 . 2008-05-10 16:56 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-09 20:07 . 2008-05-09 20:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sierra Wireless
2008-05-09 17:55 . 2008-05-09 17:59 <DIR> d-------- C:\Documents and Settings\ian\Application Data\Sierra Wireless
2008-05-09 17:55 . 2007-11-06 15:59 25,736 -ra------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-05-09 17:54 . 2008-05-09 17:54 <DIR> d-------- C:\Program Files\Telstra
2008-05-09 17:54 . 2008-05-09 17:55 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-05-09 16:48 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Windows Mobile Resources
2008-05-07 21:31 . 2008-05-07 21:31 <DIR> d-------- C:\WINDOWS\Sun
2008-05-07 21:30 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-07 21:29 . 2008-05-07 21:31 <DIR> d-------- C:\Program Files\Java
2008-05-07 21:09 . 2008-05-07 21:09 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 07:29 . 2008-05-06 07:29 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2008-05-06 07:28 . 2008-05-06 07:28 <DIR> d-------- C:\WINDOWS\RS9_KB934458_ENU
2008-05-05 15:30 . 2008-05-05 15:30 <DIR> d-------- C:\Program Files\Microsoft ASP.NET
2008-05-05 15:22 . 2008-05-05 15:23 <DIR> d-------- C:\WINDOWS\system32\msmq
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191\ASPNET
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191
2008-05-05 15:16 . 2008-05-16 09:52 1,024 --ah----- C:\Documents and Settings\WS191\ASPNET\ntuser.dat.LOG
2008-05-05 15:14 . 2008-05-05 15:29 <DIR> d-------- C:\Program Files\ESi
2008-05-05 15:11 . 2008-05-05 15:28 <DIR> d-------- C:\Program Files\Common Files\ESi
2008-05-05 14:48 . 2008-05-05 14:48 <DIR> d-------- C:\Program Files\Microsoft Analysis Services
2008-05-05 09:12 . 2008-05-05 09:16 <DIR> d-------- C:\Emergeo
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-04-28 20:02 . 2008-04-28 20:02 <DIR> d-------- C:\Program Files\iBurst Terminal
2008-04-28 20:02 . 2006-03-29 03:25 37,362 --a------ C:\WINDOWS\system32\drivers\iBurstu.sys
2008-04-27 10:41 . 2008-04-27 10:41 51,180 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-27 10:39 . 2008-04-27 10:42 <DIR> d-------- C:\Program Files\mIRC
2008-04-27 10:39 . 2008-04-27 10:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-04-23 15:52 . 2008-04-23 15:52 <DIR> d-------- C:\Documents and Settings\ian\Application Data\AdobeUM
2008-04-23 14:33 . 2008-04-23 14:33 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-04-23 14:32 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-23 14:29 . 2008-04-23 14:29 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-23 14:28 . 2008-04-23 14:32 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-23 14:22 . 2008-04-23 14:40 <DIR> d-------- C:\Documents and Settings\digital
2008-04-23 14:22 . 2008-05-16 09:52 1,024 --ah----- C:\Documents and Settings\digital\ntuser.dat.LOG
2008-04-23 11:43 . 2008-04-23 11:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-23 11:40 . 2008-05-16 10:08 40 --a------ C:\WINDOWS\system32\profile.dat
2008-04-23 11:39 . 2005-04-01 20:36 123,200 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-23 11:39 . 2005-04-01 20:36 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-23 11:38 . 2008-04-23 11:39 <DIR> d-------- C:\Program Files\Symantec
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-04-23 11:37 . 2008-05-16 10:09 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:36 . 2008-04-23 14:15 <DIR> d-------- C:\TEMP
2008-04-22 20:35 . 2008-04-22 20:35 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-04-22 20:33 . 2008-04-22 20:33 <DIR> d-------- C:\Documents and Settings\ian\Contacts
2008-04-22 20:12 . 2008-04-22 20:32 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-22 20:11 . 2008-04-22 20:32 <DIR> d-------- C:\Program Files\Windows Live
2008-04-22 20:11 . 2008-04-22 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-22 19:44 . 2006-08-23 11:45 53,248 --a------ C:\WINDOWS\iwlandrvxpver.dll
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\SWSetup
2008-04-22 19:43 . 2006-08-23 11:47 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2008-04-22 19:43 . 2006-08-23 11:47 2,206,720 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-04-22 19:43 . 2006-08-23 11:47 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2008-04-22 12:20 . 2008-04-22 12:20 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-04-22 12:18 . 2008-04-22 12:20 <DIR> d-------- C:\Inetpub
2008-04-22 10:56 . 2008-05-13 11:47 223 --a------ C:\WINDOWS\hpbafd.ini
2008-04-22 08:53 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-22 08:53 . 2006-10-05 02:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-22 08:53 . 2006-10-05 02:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-22 08:53 . 2006-10-05 02:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-22 08:52 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\timesheet
2008-04-22 08:51 . 2008-04-22 08:51 286,720 --------- C:\WINDOWS\Setup1.exe
2008-04-22 08:51 . 2008-04-22 08:51 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-22 08:48 . 2008-05-05 09:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-22 08:48 . 2008-04-22 08:51 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-22 07:35 . 2008-04-22 07:37 <DIR> d-------- C:\I386
2008-04-22 07:29 . 2007-12-07 14:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 07:29 . 2007-04-17 21:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-22 07:29 . 2007-03-08 17:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-22 07:29 . 2007-12-07 14:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 07:29 . 2007-12-07 14:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 07:29 . 2007-12-07 14:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 07:29 . 2007-12-07 14:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 07:29 . 2007-12-07 14:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 07:29 . 2007-12-06 23:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 15:59 . 2008-04-21 15:59 <DIR> d-------- C:\Program Files\Analog Devices
2008-04-21 15:18 . 2008-04-21 15:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-21 15:15 . 2006-08-21 21:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-21 15:15 . 2006-08-21 21:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-21 15:15 . 2006-08-22 00:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-21 15:01 . 2007-07-10 01:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-21 14:50 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-21 14:29 . 2008-04-21 14:37 <DIR> d-------- C:\Tools
2008-04-21 14:27 . 2008-05-05 14:09 <DIR> d-------- C:\Projects
2008-04-21 14:27 . 2008-04-21 14:28 <DIR> d-------- C:\Data
2008-04-21 14:03 . 2008-05-06 07:30 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-21 14:02 . 2008-04-21 14:02 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-04-21 14:02 . 2008-04-21 14:02 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-04-21 13:55 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\MSBuild
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\WINDOWS\Symbols
2008-04-21 13:47 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\HTML Help Workshop
2008-04-21 13:47 . 2008-04-21 13:53 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-04-21 13:47 . 2008-04-21 13:48 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\Program Files\CE Remote Tools
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-04-21 13:45 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-21 13:45 . 2008-05-06 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-21 12:33 . 2008-04-21 12:33 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-21 12:31 . 2008-04-21 12:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-21 12:31 . 2004-08-04 00:56 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-04-21 12:31 . 2004-08-04 00:56 331,264 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 12:38 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-04-27 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 03:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 20:39 --------- d-----w C:\Program Files\HPQ
2008-04-20 20:31 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-05-15_10.36.14.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 22:29:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 22:09:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-14 22:32:28 236,186 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-15 22:11:48 236,193 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C35534B-E780-41D7-92AC-57C56731722C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BA319B7-1DD4-4291-B598-EB12D3718F7C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F51DC88-C6D1-4BC3-9449-04C1F2EF6B5D}]
2008-05-15 10:43 318848 --a------ C:\WINDOWS\system32\iifefDwt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{939662DB-93A0-4672-91F1-79BFCA8DBCF3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AADF6EE0-4C4A-43E8-BEC7-31A310DCD423}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B139642C-0F49-4630-812B-37B559803458}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36A7416-929C-4970-A3CD-BEE0365A4847}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF63FA08-CF03-438E-BEA3-D1C1E0E7C848}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-10-08 07:31 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-10-08 07:27 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 10:03 88209 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-04-17 12:30 85184]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WatcherHelper"="C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe" [2007-10-29 12:03 120088]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
iBurst_Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2008-04-28 20:02:32 311296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUkJAp]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"<NO NAME>"=
"C:\\Program files\\Telstra\\Telstra Turbo Connection Manager\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 PullService;Pull Service;"C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe" [2008-05-05 15:30]
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 14:15]
R3 iBurstu;iBurst Terminal;C:\WINDOWS\system32\DRIVERS\iBurstu.sys [2006-03-29 03:25]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-11-06 15:59]
S2 LightScribeService Direct;LightScribeService;C:\WINDOWS\system\WINSPOOLS.EXE [2005-04-24 18:00]
S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);"c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2007-03-23 21:13]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 SWNC8U55;Sierra Wireless MUX NDIS Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swnc8u55.sys [2007-09-21 15:47]
S3 SWUMX55;Sierra Wireless USB MUX Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swumx55.sys [2007-09-21 15:48]
S3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
blzahe REG_MULTI_SZ blzahe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 22:13:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-23 02:16:40 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 10:11:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-16 10:16:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 22:15:57
ComboFix2.txt 2008-05-14 22:37:10

Pre-Run: 14,525,427,712 bytes free
Post-Run: 14,539,411,456 bytes free

322 --- E O F --- 2008-05-05 19:34:02


----------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23, on 2008-05-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [30e61868] rundll32.exe "C:\WINDOWS\system32\ppcbchad.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\Software\..\Telephony: DomainName = ca1.critchlow.co.nz
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D240CC0-B19F-4095-A7CB-24A6731C5338}: NameServer = 203.98.90.25 203.98.90.27
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Pull Service (PullService) - Unknown owner - C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 8044 bytes

#6 IanD11 (Topic Starter)

Posted 15 May 2008 - 05:30 PM

Hi,

I know this file. It is an application I use. I scanned the file anyway. Here are the results.

Scan taken on 15 May 2008 21:39:11 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


----------------------------------------------------------------------------

Yes. I use the domain to connect to the internet. This also looks fine to me.

----------------------------------------------------------------------------

Here is my ComboFix log:

ComboFix 08-05-12.1 - Ian 2008-05-16 9:58:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.517 [GMT 12:00]
Running from: C:\Documents and Settings\ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ian\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
C:\Documents and Settings\ian\Application Data\TmpRecentIcons
C:\Documents and Settings\ian\Application Data\TmpRecentIcons\Emergeo Smart Client.lnk
C:\Documents and Settings\ian\Application Data\TmpRecentIcons\Windows Mobile Resources.lnk
C:\Program Files\Antivirus 2008
C:\Program Files\Antivirus 2008\Antvrs.exe
C:\SmitfraudFix
C:\SmitfraudFix.exe
C:\SmitfraudFix\404Fix.exe
C:\SmitfraudFix\dumphive.exe
C:\SmitfraudFix\exit.exe
C:\SmitfraudFix\GenericRenosFix.exe
C:\SmitfraudFix\HostsChk.exe
C:\SmitfraudFix\IEDFix.exe
C:\SmitfraudFix\Process.exe
C:\SmitfraudFix\Reboot.exe
C:\SmitfraudFix\restart.exe
C:\SmitfraudFix\SmitfraudFix.cmd
C:\SmitfraudFix\SmiUpdate.exe
C:\SmitfraudFix\SrchSTS.exe
C:\SmitfraudFix\swreg.exe
C:\SmitfraudFix\swsc.exe
C:\SmitfraudFix\swxcacls.exe
C:\SmitfraudFix\UIFix.exe
C:\SmitfraudFix\unzip.exe
C:\SmitfraudFix\VACFix.exe
C:\SmitfraudFix\VCCLSID.exe
C:\SmitfraudFix\WS2Fix.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\00048fa6.inf
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\aqmhewsu.ini
C:\WINDOWS\system32\drivers\gdgpfo.sys
C:\WINDOWS\system32\gdgpfo.dll
C:\WINDOWS\system32\gdgpfo.Key
C:\WINDOWS\system32\juyjnofe.dll
C:\WINDOWS\system32\kr_done1de
C:\WINDOWS\system32\ssqOIBRj.dll
C:\WINDOWS\system32\tuvUkJAp.dll
C:\WINDOWS\system32\twDfefii.ini
C:\WINDOWS\system32\twDfefii.ini2
C:\WINDOWS\system32\uswehmqa.dll
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\vpc32.INI

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BLZAHE
-------\Legacy_YLZAHEXQ
-------\Service_blzahe
-------\Service_ylzahexq


((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 10:43 . 2008-05-15 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 10:43 . 2008-05-15 10:43 318,848 --a------ C:\WINDOWS\system32\iifefDwt.dll
2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 18:32 . 2008-05-14 18:32 <DIR> d-------- C:\Deckard
2008-05-13 12:02 . 2008-05-14 07:36 0 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 10:57 . 2008-05-14 17:35 383 --a------ C:\WINDOWS\wininit.ini
2008-05-13 10:13 . 2008-05-13 10:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 10:13 . 2008-05-13 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 19:50 . 2008-05-12 20:00 2,522 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-12 19:49 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-12 19:49 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-12 19:49 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-12 19:49 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-12 19:49 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 19:49 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-12 17:02 . 2008-05-12 17:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\ian\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 16:51 . 2008-05-12 16:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 16:56 . 2008-05-10 16:56 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-09 20:07 . 2008-05-09 20:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sierra Wireless
2008-05-09 17:55 . 2008-05-09 17:59 <DIR> d-------- C:\Documents and Settings\ian\Application Data\Sierra Wireless
2008-05-09 17:55 . 2007-11-06 15:59 25,736 -ra------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-05-09 17:54 . 2008-05-09 17:54 <DIR> d-------- C:\Program Files\Telstra
2008-05-09 17:54 . 2008-05-09 17:55 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-05-09 16:48 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Windows Mobile Resources
2008-05-07 21:31 . 2008-05-07 21:31 <DIR> d-------- C:\WINDOWS\Sun
2008-05-07 21:30 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-07 21:29 . 2008-05-07 21:31 <DIR> d-------- C:\Program Files\Java
2008-05-07 21:09 . 2008-05-07 21:09 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 07:29 . 2008-05-06 07:29 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2008-05-06 07:28 . 2008-05-06 07:28 <DIR> d-------- C:\WINDOWS\RS9_KB934458_ENU
2008-05-05 15:30 . 2008-05-05 15:30 <DIR> d-------- C:\Program Files\Microsoft ASP.NET
2008-05-05 15:22 . 2008-05-05 15:23 <DIR> d-------- C:\WINDOWS\system32\msmq
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191\ASPNET
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191
2008-05-05 15:16 . 2008-05-16 09:52 1,024 --ah----- C:\Documents and Settings\WS191\ASPNET\ntuser.dat.LOG
2008-05-05 15:14 . 2008-05-05 15:29 <DIR> d-------- C:\Program Files\ESi
2008-05-05 15:11 . 2008-05-05 15:28 <DIR> d-------- C:\Program Files\Common Files\ESi
2008-05-05 14:48 . 2008-05-05 14:48 <DIR> d-------- C:\Program Files\Microsoft Analysis Services
2008-05-05 09:12 . 2008-05-05 09:16 <DIR> d-------- C:\Emergeo
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-04-28 20:02 . 2008-04-28 20:02 <DIR> d-------- C:\Program Files\iBurst Terminal
2008-04-28 20:02 . 2006-03-29 03:25 37,362 --a------ C:\WINDOWS\system32\drivers\iBurstu.sys
2008-04-27 10:41 . 2008-04-27 10:41 51,180 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-27 10:39 . 2008-04-27 10:42 <DIR> d-------- C:\Program Files\mIRC
2008-04-27 10:39 . 2008-04-27 10:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-04-23 15:52 . 2008-04-23 15:52 <DIR> d-------- C:\Documents and Settings\ian\Application Data\AdobeUM
2008-04-23 14:33 . 2008-04-23 14:33 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-04-23 14:32 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-23 14:29 . 2008-04-23 14:29 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-23 14:28 . 2008-04-23 14:32 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-23 14:22 . 2008-04-23 14:40 <DIR> d-------- C:\Documents and Settings\digital
2008-04-23 14:22 . 2008-05-16 09:52 1,024 --ah----- C:\Documents and Settings\digital\ntuser.dat.LOG
2008-04-23 11:43 . 2008-04-23 11:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-23 11:40 . 2008-05-16 10:08 40 --a------ C:\WINDOWS\system32\profile.dat
2008-04-23 11:39 . 2005-04-01 20:36 123,200 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-23 11:39 . 2005-04-01 20:36 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-23 11:38 . 2008-04-23 11:39 <DIR> d-------- C:\Program Files\Symantec
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-04-23 11:37 . 2008-05-16 10:09 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:36 . 2008-04-23 14:15 <DIR> d-------- C:\TEMP
2008-04-22 20:35 . 2008-04-22 20:35 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-04-22 20:33 . 2008-04-22 20:33 <DIR> d-------- C:\Documents and Settings\ian\Contacts
2008-04-22 20:12 . 2008-04-22 20:32 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-22 20:11 . 2008-04-22 20:32 <DIR> d-------- C:\Program Files\Windows Live
2008-04-22 20:11 . 2008-04-22 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-22 19:44 . 2006-08-23 11:45 53,248 --a------ C:\WINDOWS\iwlandrvxpver.dll
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\SWSetup
2008-04-22 19:43 . 2006-08-23 11:47 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2008-04-22 19:43 . 2006-08-23 11:47 2,206,720 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-04-22 19:43 . 2006-08-23 11:47 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2008-04-22 12:20 . 2008-04-22 12:20 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-04-22 12:18 . 2008-04-22 12:20 <DIR> d-------- C:\Inetpub
2008-04-22 10:56 . 2008-05-13 11:47 223 --a------ C:\WINDOWS\hpbafd.ini
2008-04-22 08:53 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-22 08:53 . 2006-10-05 02:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-22 08:53 . 2006-10-05 02:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-22 08:53 . 2006-10-05 02:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-22 08:52 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\timesheet
2008-04-22 08:51 . 2008-04-22 08:51 286,720 --------- C:\WINDOWS\Setup1.exe
2008-04-22 08:51 . 2008-04-22 08:51 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-22 08:48 . 2008-05-05 09:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-22 08:48 . 2008-04-22 08:51 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-22 07:35 . 2008-04-22 07:37 <DIR> d-------- C:\I386
2008-04-22 07:29 . 2007-12-07 14:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 07:29 . 2007-04-17 21:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-22 07:29 . 2007-03-08 17:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-22 07:29 . 2007-12-07 14:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 07:29 . 2007-12-07 14:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 07:29 . 2007-12-07 14:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 07:29 . 2007-12-07 14:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 07:29 . 2007-12-07 14:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 07:29 . 2007-12-06 23:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 15:59 . 2008-04-21 15:59 <DIR> d-------- C:\Program Files\Analog Devices
2008-04-21 15:18 . 2008-04-21 15:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-21 15:15 . 2006-08-21 21:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-21 15:15 . 2006-08-21 21:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-21 15:15 . 2006-08-22 00:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-21 15:01 . 2007-07-10 01:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-21 14:50 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-21 14:29 . 2008-04-21 14:37 <DIR> d-------- C:\Tools
2008-04-21 14:27 . 2008-05-05 14:09 <DIR> d-------- C:\Projects
2008-04-21 14:27 . 2008-04-21 14:28 <DIR> d-------- C:\Data
2008-04-21 14:03 . 2008-05-06 07:30 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-21 14:02 . 2008-04-21 14:02 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-04-21 14:02 . 2008-04-21 14:02 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-04-21 13:55 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\MSBuild
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\WINDOWS\Symbols
2008-04-21 13:47 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\HTML Help Workshop
2008-04-21 13:47 . 2008-04-21 13:53 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-04-21 13:47 . 2008-04-21 13:48 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\Program Files\CE Remote Tools
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-04-21 13:45 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-21 13:45 . 2008-05-06 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-21 12:33 . 2008-04-21 12:33 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-21 12:31 . 2008-04-21 12:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-21 12:31 . 2004-08-04 00:56 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-04-21 12:31 . 2004-08-04 00:56 331,264 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 12:38 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-04-27 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 03:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 20:39 --------- d-----w C:\Program Files\HPQ
2008-04-20 20:31 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-05-15_10.36.14.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 22:29:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-15 22:09:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-14 22:32:28 236,186 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-15 22:11:48 236,193 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C35534B-E780-41D7-92AC-57C56731722C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BA319B7-1DD4-4291-B598-EB12D3718F7C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F51DC88-C6D1-4BC3-9449-04C1F2EF6B5D}]
2008-05-15 10:43 318848 --a------ C:\WINDOWS\system32\iifefDwt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{939662DB-93A0-4672-91F1-79BFCA8DBCF3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AADF6EE0-4C4A-43E8-BEC7-31A310DCD423}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B139642C-0F49-4630-812B-37B559803458}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36A7416-929C-4970-A3CD-BEE0365A4847}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF63FA08-CF03-438E-BEA3-D1C1E0E7C848}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-10-08 07:31 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-10-08 07:27 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 10:03 88209 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-04-17 12:30 85184]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WatcherHelper"="C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe" [2007-10-29 12:03 120088]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
iBurst_Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2008-04-28 20:02:32 311296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUkJAp]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"<NO NAME>"=
"C:\\Program files\\Telstra\\Telstra Turbo Connection Manager\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 PullService;Pull Service;"C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe" [2008-05-05 15:30]
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 14:15]
R3 iBurstu;iBurst Terminal;C:\WINDOWS\system32\DRIVERS\iBurstu.sys [2006-03-29 03:25]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-11-06 15:59]
S2 LightScribeService Direct;LightScribeService;C:\WINDOWS\system\WINSPOOLS.EXE [2005-04-24 18:00]
S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);"c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2007-03-23 21:13]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 SWNC8U55;Sierra Wireless MUX NDIS Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swnc8u55.sys [2007-09-21 15:47]
S3 SWUMX55;Sierra Wireless USB MUX Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swumx55.sys [2007-09-21 15:48]
S3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
blzahe REG_MULTI_SZ blzahe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 22:13:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-23 02:16:40 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 10:11:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-16 10:16:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 22:15:57
ComboFix2.txt 2008-05-14 22:37:10

Pre-Run: 14,525,427,712 bytes free
Post-Run: 14,539,411,456 bytes free

322 --- E O F --- 2008-05-05 19:34:02


----------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23, on 2008-05-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [30e61868] rundll32.exe "C:\WINDOWS\system32\ppcbchad.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\Software\..\Telephony: DomainName = ca1.critchlow.co.nz
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D240CC0-B19F-4095-A7CB-24A6731C5338}: NameServer = 203.98.90.25 203.98.90.27
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Pull Service (PullService) - Unknown owner - C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 8044 bytes
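
The entries in the logs above that point at the infection are the HKLM Run value with a random-looking eight-hex-digit name that makes rundll32 load an eight-letter system32 DLL through a one-letter export (the `[30e61868]` line), and the .ini file whose name is the newly created DLL's name spelled backwards (`twDfefii.ini` beside `iifefDwt.dll`). The following is an added example for this thread, not a BleepingComputer, HijackThis or ComboFix tool: a small Python scanner that flags both patterns in HijackThis/ComboFix-style lines. The sample input is constructed from lines quoted above plus a few benign entries for contrast; the two heuristics are assumptions about this family's naming habits, not a vendor signature, so a hit is a lead to investigate rather than proof.

```python
"""Flag Vundo/Virtumonde-style indicators in HijackThis / ComboFix log lines.

Added example for this thread (not a BleepingComputer, HijackThis or ComboFix
feature). Two heuristics, both assumptions drawn from the logs posted above:
  1. an O4 Run value whose name is eight hex digits and whose command makes
     rundll32 load a DLL from system32 through a one- or two-letter export;
  2. a .ini/.ini2 file in the same directory as a .dll whose stem is that
     DLL's stem spelled backwards.
"""
import re

# Constructed sample input: lines copied from the logs above plus benign
# entries (ccApp, ctfmon.exe, javacpl.cpl) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [30e61868] rundll32.exe "C:\WINDOWS\system32\ppcbchad.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\iifefDwt.dll
C:\WINDOWS\system32\twDfefii.ini
C:\WINDOWS\system32\twDfefii.ini2
C:\WINDOWS\system32\javacpl.cpl
"""

# "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>[^\[]+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32 "<dll>",<export>  with a very short export name (",b" above)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w{1,2})\s*$', re.I)
HEXNAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)
# "<drive>:\<dir>\<file>" for plain path lines such as ComboFix's file lists
PATH_RE = re.compile(r'^(?P<dir>[A-Za-z]:\\.+)\\(?P<file>[^\\]+)$')
SYSTEM32 = 'c:\\windows\\system32\\'


def suspicious_o4(line):
    """Return a reason string if an O4 Run line matches heuristic 1, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group('name'), m.group('cmd')
    r = RUNDLL_RE.search(cmd)
    if not (r and HEXNAME_RE.match(name)):
        return None
    dll = r.group('dll')
    if not dll.lower().startswith(SYSTEM32):
        return None
    return f'[{name}] rundll32 loads {dll} via export "{r.group("export")}"'


def reversed_ini_pairs(lines):
    """Heuristic 2: (dll_path, ini_path) pairs whose stems are mirror images."""
    dlls, inis = {}, {}
    for raw in lines:
        m = PATH_RE.match(raw.strip())
        if not m:
            continue
        directory, filename = m.group('dir').lower(), m.group('file')
        stem, _, ext = filename.rpartition('.')
        ext = ext.lower()
        if ext == 'dll':
            dlls[(directory, stem.lower())] = raw.strip()
        elif ext.startswith('ini'):
            # key by the reversed stem so a lookup by the DLL's stem finds it
            inis.setdefault((directory, stem[::-1].lower()), []).append(raw.strip())
    return [(dll, ini) for key, dll in dlls.items() for ini in inis.get(key, [])]


def scan(text):
    """Run both heuristics over a log blob; returns [(kind, detail), ...]."""
    lines = [l for l in text.splitlines() if l.strip()]
    findings = [('o4', why) for why in map(suspicious_o4, lines) if why]
    findings += [('reversed_ini', f'{dll} <-> {ini}') for dll, ini in reversed_ini_pairs(lines)]
    return findings


if __name__ == '__main__':
    for kind, detail in scan(SAMPLE_LOG):
        print(kind, detail)
```

Run against the sample it reports the `[30e61868]` loader and the two `twDfefii.ini*` files paired with `iifefDwt.dll`, and stays quiet on the Symantec, ctfmon and Java entries. To use it on a real log, pass the whole HijackThis or ComboFix text to `scan()`; the reversed-name check only works when both the DLL and the .ini lines appear in the same blob, so feed it the ComboFix "Files Created" and "Other Deletions" sections together.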

#7 chryssi2001

Posted 16 May 2008 - 12:29 AM

Hello IanD11,

You missed this step. Please rename HijackThis and post a new log.

RENAME HIJACKTHIS

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to scanner.exe.
Private Messages for personal support will be ignored. If you need help post in the forum.

#8 chryssi2001

  • Members
  • 1,930 posts

Posted 16 May 2008 - 05:42 AM

Hello IanD11,

Additionally, along with posting a new renamed HijackThis log, I want you to locate this file:

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following file:

C:\QooBox\Quarantine\Registry_backups\Service_blzahe.reg.dat

Right-click it and open it with Notepad.
Copy/paste the contents of the file back here, please.

#9 IanD11

  • Topic Starter

  • Members
  • 12 posts

Posted 16 May 2008 - 07:22 AM

Sorry,

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20, on 2008-05-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C35534B-E780-41D7-92AC-57C56731722C} - (no file)
O2 - BHO: (no name) - {4BA319B7-1DD4-4291-B598-EB12D3718F7C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {84FEBFF8-945B-4F9A-B9B8-B68EC5020770} - (no file)
O2 - BHO: (no name) - {8F51DC88-C6D1-4BC3-9449-04C1F2EF6B5D} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {939662DB-93A0-4672-91F1-79BFCA8DBCF3} - (no file)
O2 - BHO: (no name) - {AADF6EE0-4C4A-43E8-BEC7-31A310DCD423} - (no file)
O2 - BHO: (no name) - {B139642C-0F49-4630-812B-37B559803458} - (no file)
O2 - BHO: (no name) - {E36A7416-929C-4970-A3CD-BEE0365A4847} - (no file)
O2 - BHO: (no name) - {ECEC4C49-5AAF-4127-B2F3-5378F44F5457} - C:\WINDOWS\system32\iifefDwt.dll (file missing)
O2 - BHO: (no name) - {FF63FA08-CF03-438E-BEA3-D1C1E0E7C848} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\Software\..\Telephony: DomainName = ca1.critchlow.co.nz
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D240CC0-B19F-4095-A7CB-24A6731C5338}: NameServer = 203.98.90.25 203.98.90.27
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvUkJAp - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Pull Service (PullService) - Unknown owner - C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 9441 bytes


------------------------------------------------------------------------------------

Here are the contents of the file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\blzahe]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,\
00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,\
62,00,6c,00,7a,00,61,00,68,00,65,00,00,00
"DisplayName"="blzahe"
"ObjectName"="LocalSystem"
"Description"="Microsoft .NET Framework TPM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\blzahe\parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
67,00,64,00,67,00,70,00,66,00,6f,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\blzahe\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\blzahe\Enum]
"0"="Root\\LEGACY_BLZAHE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
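The .reg backup above is easier to reason about once its hex(2) values are decoded: they are REG_EXPAND_SZ strings stored as comma-separated UTF-16LE bytes, wrapped with a trailing backslash and ending in a double NUL. As an added example (not a tool from this thread), the Python below parses that export, decodes the values, and summarises what the service actually runs; the sample input is copied from the post (Security and Enum keys left out), and the `parse_reg`/`triage_service` names and summary fields are my own.

```python
"""Decode a .reg export of a Windows service key and summarise what it runs."""
import re

# Constructed sample: the blzahe backup posted above (Security/Enum keys omitted).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\blzahe]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,\
  00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,\
  62,00,6c,00,7a,00,61,00,68,00,65,00,00,00
"DisplayName"="blzahe"
"ObjectName"="LocalSystem"
"Description"="Microsoft .NET Framework TPM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\blzahe\parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  67,00,64,00,67,00,70,00,66,00,6f,00,2e,00,64,00,6c,00,6c,00,00,00
'''

START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
# SERVICE_* type bits; svchost-hosted services are normally 0x20 (SHARE_PROCESS).
TYPE_FLAGS = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER", 0x10: "WIN32_OWN_PROCESS",
              0x20: "WIN32_SHARE_PROCESS", 0x100: "INTERACTIVE_PROCESS"}


def _unwrap_lines(text):
    """Join physical lines that end with a backslash (the .reg wrap marker)."""
    logical, buf = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            logical.append(buf + line)
            buf = ""
    return logical


def _unescape(s):
    """Undo the \\" and \\\\ escapes used inside quoted .reg strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(raw):
    """Turn the right-hand side of "name"=... into (type, Python value)."""
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if raw.startswith("hex(2):"):                       # REG_EXPAND_SZ, UTF-16LE
        data = bytes.fromhex(raw[7:].replace(",", ""))
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("hex:"):                          # REG_BINARY (e.g. Security)
        return "REG_BINARY", bytes.fromhex(raw[4:].replace(",", ""))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "REG_SZ", _unescape(raw[1:-1])
    return "UNKNOWN", raw


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}} for a .reg export."""
    keys, current = {}, None
    for line in _unwrap_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode_value(m.group(2))
    return keys


def triage_service(keys, service):
    """Summarise one service: start mode, account, what runs, which DLL svchost loads."""
    lower = {k.lower(): v for k, v in keys.items()}
    base = next(k for k in lower if k.endswith("\\services\\" + service.lower()))
    svc, params = lower[base], lower.get(base + "\\parameters", {})
    image = svc["ImagePath"][1]
    group = re.search(r"svchost\.exe\s+-k\s+(\S+)", image, re.I)
    type_bits = svc.get("Type", (None, 0))[1]
    return {
        "image_path": image,
        "type": [name for bit, name in TYPE_FLAGS.items() if type_bits & bit],
        "start": START_TYPES.get(svc.get("Start", (None, -1))[1], "UNKNOWN"),
        "account": svc.get("ObjectName", (None, ""))[1],
        "description": svc.get("Description", (None, ""))[1],
        # A svchost-hosted service runs whatever ServiceDll names, so the -k group
        # and the ServiceDll path are the facts to check, not ImagePath itself.
        "svchost_group": group.group(1) if group else None,
        "service_dll": params.get("ServiceDll", (None, None))[1],
    }


if __name__ == "__main__":
    for field, value in triage_service(parse_reg(SAMPLE_REG), "blzahe").items():
        print(f"{field:>14}: {value}")
```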

#10 chryssi2001

  • Members
  • 1,930 posts

Posted 16 May 2008 - 02:15 PM

Hello IanD11,

Reset Teatimer

Download http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
Unzip the tool to your desktop.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/146789/virtumonde-problem/
    
    KILLALL::
    
    Collect::
    C:\WINDOWS\system32\iifefDwt.dll
    
    Driver::
    blzahe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C35534B-E780-41D7-92AC-57C56731722C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BA319B7-1DD4-4291-B598-EB12D3718F7C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F51DC88-C6D1-4BC3-9449-04C1F2EF6B5D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{939662DB-93A0-4672-91F1-79BFCA8DBCF3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AADF6EE0-4C4A-43E8-BEC7-31A310DCD423}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B139642C-0F49-4630-812B-37B559803458}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36A7416-929C-4970-A3CD-BEE0365A4847}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECEC4C49-5AAF-4127-B2F3-5378F44F5457}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF63FA08-CF03-438E-BEA3-D1C1E0E7C848}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUkJAp]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    @=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "blzahe"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.

#11 IanD11

  • Topic Starter

  • Members
  • 12 posts

Posted 16 May 2008 - 05:44 PM

Hi Chryssi2001,

Thanks for all your help so far. I can already see the computer running better!

Here are the logs:


ComboFix 08-05-12.1 - Ian 2008-05-17 10:27:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT 12:00]
Running from: C:\Documents and Settings\ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ian\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dahcbcpp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\twDfefii.ini
C:\WINDOWS\system32\twDfefii.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-16 10:21 . 2008-05-16 10:21 91,264 --a------ C:\WINDOWS\system32\ppcbchad.dll
2008-05-15 10:43 . 2008-05-15 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 18:32 . 2008-05-14 18:32 <DIR> d-------- C:\Deckard
2008-05-13 12:02 . 2008-05-14 07:36 0 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 10:57 . 2008-05-16 13:59 499 --a------ C:\WINDOWS\wininit.ini
2008-05-13 10:13 . 2008-05-13 10:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 10:13 . 2008-05-13 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 19:50 . 2008-05-12 20:00 2,522 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-12 19:49 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-12 19:49 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-12 19:49 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-12 19:49 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-12 19:49 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 19:49 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-12 17:02 . 2008-05-12 17:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\ian\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 16:51 . 2008-05-12 16:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 16:56 . 2008-05-10 16:56 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-09 20:07 . 2008-05-09 20:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sierra Wireless
2008-05-09 17:55 . 2008-05-09 17:59 <DIR> d-------- C:\Documents and Settings\ian\Application Data\Sierra Wireless
2008-05-09 17:55 . 2007-11-06 15:59 25,736 -ra------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-05-09 17:54 . 2008-05-09 17:54 <DIR> d-------- C:\Program Files\Telstra
2008-05-09 17:54 . 2008-05-09 17:55 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-05-09 16:48 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Windows Mobile Resources
2008-05-07 21:31 . 2008-05-07 21:31 <DIR> d-------- C:\WINDOWS\Sun
2008-05-07 21:30 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-07 21:29 . 2008-05-07 21:31 <DIR> d-------- C:\Program Files\Java
2008-05-07 21:09 . 2008-05-07 21:09 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 07:29 . 2008-05-06 07:29 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2008-05-06 07:28 . 2008-05-06 07:28 <DIR> d-------- C:\WINDOWS\RS9_KB934458_ENU
2008-05-05 15:30 . 2008-05-05 15:30 <DIR> d-------- C:\Program Files\Microsoft ASP.NET
2008-05-05 15:22 . 2008-05-05 15:23 <DIR> d-------- C:\WINDOWS\system32\msmq
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191\ASPNET
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191
2008-05-05 15:16 . 2008-05-17 02:31 1,024 --ah----- C:\Documents and Settings\WS191\ASPNET\ntuser.dat.LOG
2008-05-05 15:14 . 2008-05-05 15:29 <DIR> d-------- C:\Program Files\ESi
2008-05-05 15:11 . 2008-05-05 15:28 <DIR> d-------- C:\Program Files\Common Files\ESi
2008-05-05 14:48 . 2008-05-05 14:48 <DIR> d-------- C:\Program Files\Microsoft Analysis Services
2008-05-05 09:12 . 2008-05-05 09:16 <DIR> d-------- C:\Emergeo
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-04-28 20:02 . 2008-04-28 20:02 <DIR> d-------- C:\Program Files\iBurst Terminal
2008-04-28 20:02 . 2006-03-29 03:25 37,362 --a------ C:\WINDOWS\system32\drivers\iBurstu.sys
2008-04-27 10:41 . 2008-04-27 10:41 51,180 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-27 10:39 . 2008-04-27 10:42 <DIR> d-------- C:\Program Files\mIRC
2008-04-27 10:39 . 2008-04-27 10:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-04-23 15:52 . 2008-04-23 15:52 <DIR> d-------- C:\Documents and Settings\ian\Application Data\AdobeUM
2008-04-23 14:33 . 2008-04-23 14:33 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-04-23 14:32 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-23 14:29 . 2008-04-23 14:29 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-23 14:28 . 2008-04-23 14:32 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-23 14:22 . 2008-04-23 14:40 <DIR> d-------- C:\Documents and Settings\digital
2008-04-23 14:22 . 2008-05-17 01:02 1,024 --ah----- C:\Documents and Settings\digital\ntuser.dat.LOG
2008-04-23 11:43 . 2008-04-23 11:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-23 11:40 . 2008-05-17 10:27 40 --a------ C:\WINDOWS\system32\profile.dat
2008-04-23 11:39 . 2005-04-01 20:36 123,200 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-23 11:39 . 2005-04-01 20:36 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-23 11:38 . 2008-04-23 11:39 <DIR> d-------- C:\Program Files\Symantec
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-04-23 11:37 . 2008-05-17 10:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:36 . 2008-04-23 14:15 <DIR> d-------- C:\TEMP
2008-04-22 20:35 . 2008-04-22 20:35 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-04-22 20:33 . 2008-04-22 20:33 <DIR> d-------- C:\Documents and Settings\ian\Contacts
2008-04-22 20:12 . 2008-04-22 20:32 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-22 20:11 . 2008-04-22 20:32 <DIR> d-------- C:\Program Files\Windows Live
2008-04-22 20:11 . 2008-04-22 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-22 19:44 . 2006-08-23 11:45 53,248 --a------ C:\WINDOWS\iwlandrvxpver.dll
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\SWSetup
2008-04-22 19:43 . 2006-08-23 11:47 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2008-04-22 19:43 . 2006-08-23 11:47 2,206,720 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-04-22 19:43 . 2006-08-23 11:47 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2008-04-22 12:20 . 2008-04-22 12:20 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-04-22 12:18 . 2008-04-22 12:20 <DIR> d-------- C:\Inetpub
2008-04-22 10:56 . 2008-05-13 11:47 223 --a------ C:\WINDOWS\hpbafd.ini
2008-04-22 08:53 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-22 08:53 . 2006-10-05 02:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-22 08:53 . 2006-10-05 02:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-22 08:53 . 2006-10-05 02:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-22 08:52 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\timesheet
2008-04-22 08:51 . 2008-04-22 08:51 286,720 --------- C:\WINDOWS\Setup1.exe
2008-04-22 08:51 . 2008-04-22 08:51 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-22 08:48 . 2008-05-05 09:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-22 08:48 . 2008-04-22 08:51 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-22 07:35 . 2008-04-22 07:37 <DIR> d-------- C:\I386
2008-04-22 07:29 . 2007-12-07 14:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 07:29 . 2007-04-17 21:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-22 07:29 . 2007-03-08 17:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-22 07:29 . 2007-12-07 14:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 07:29 . 2007-12-07 14:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 07:29 . 2007-12-07 14:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 07:29 . 2007-12-07 14:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 07:29 . 2007-12-07 14:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 07:29 . 2007-12-06 23:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 15:59 . 2008-04-21 15:59 <DIR> d-------- C:\Program Files\Analog Devices
2008-04-21 15:18 . 2008-04-21 15:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-21 15:15 . 2006-08-21 21:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-21 15:15 . 2006-08-21 21:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-21 15:15 . 2006-08-22 00:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-21 15:01 . 2007-07-10 01:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-21 14:50 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-21 14:29 . 2008-04-21 14:37 <DIR> d-------- C:\Tools
2008-04-21 14:27 . 2008-05-05 14:09 <DIR> d-------- C:\Projects
2008-04-21 14:27 . 2008-04-21 14:28 <DIR> d-------- C:\Data
2008-04-21 14:03 . 2008-05-06 07:30 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-21 14:02 . 2008-04-21 14:02 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-04-21 14:02 . 2008-04-21 14:02 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-04-21 13:55 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\MSBuild
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\WINDOWS\Symbols
2008-04-21 13:47 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\HTML Help Workshop
2008-04-21 13:47 . 2008-04-21 13:53 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-04-21 13:47 . 2008-04-21 13:48 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\Program Files\CE Remote Tools
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-04-21 13:45 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-21 13:45 . 2008-05-06 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-21 12:33 . 2008-04-21 12:33 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-21 12:31 . 2008-04-21 12:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-21 12:31 . 2004-08-04 00:56 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-04-21 12:31 . 2004-08-04 00:56 331,264 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 12:38 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-04-27 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 03:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 20:39 --------- d-----w C:\Program Files\HPQ
2008-04-20 20:31 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-05-15_10.36.14.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 22:29:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-16 22:32:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-14 22:32:28 236,186 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-16 22:34:10 236,196 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C35534B-E780-41D7-92AC-57C56731722C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BA319B7-1DD4-4291-B598-EB12D3718F7C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F51DC88-C6D1-4BC3-9449-04C1F2EF6B5D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{939662DB-93A0-4672-91F1-79BFCA8DBCF3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AADF6EE0-4C4A-43E8-BEC7-31A310DCD423}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B139642C-0F49-4630-812B-37B559803458}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36A7416-929C-4970-A3CD-BEE0365A4847}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF63FA08-CF03-438E-BEA3-D1C1E0E7C848}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 04:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-10-08 07:31 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-10-08 07:27 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 10:03 88209 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-04-17 12:30 85184]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WatcherHelper"="C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe" [2007-10-29 12:03 120088]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
iBurst_Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2008-04-28 20:02:32 311296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUkJAp]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program files\\Telstra\\Telstra Turbo Connection Manager\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 PullService;Pull Service;"C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe" [2008-05-05 15:30]
R3 iBurstu;iBurst Terminal;C:\WINDOWS\system32\DRIVERS\iBurstu.sys [2006-03-29 03:25]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-11-06 15:59]
S2 LightScribeService Direct;LightScribeService;C:\WINDOWS\system\WINSPOOLS.EXE [2005-04-24 18:00]
S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);"c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2007-03-23 21:13]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 SWNC8U55;Sierra Wireless MUX NDIS Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swnc8u55.sys [2007-09-21 15:47]
S3 SWUMX55;Sierra Wireless USB MUX Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swumx55.sys [2007-09-21 15:48]
S3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 22:35:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-23 02:16:40 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 10:34:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-17 10:38:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 22:38:28
ComboFix2.txt 2008-05-15 22:16:04
ComboFix3.txt 2008-05-14 22:37:10

Pre-Run: 14,509,764,608 bytes free
Post-Run: 14,505,512,960 bytes free

274 --- E O F --- 2008-05-05 19:34:02

--------------------------------------------------------------
Here is the HijackThis log
--------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40, on 2008-05-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\Software\..\Telephony: DomainName = ca1.critchlow.co.nz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Pull Service (PullService) - Unknown owner - C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 8406 bytes

#12 chryssi2001
  • Members
  • 1,930 posts

Posted 17 May 2008 - 01:14 AM

Hello IanD11,

I am glad the pc is running better but there is still infection there.
Something is not working right with my fix.
We will have to repeat it.
----------------------------------------------
Did you follow this step? If not please do it, and let me know.

Reset Teatimer

Download http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
Unzip the tool to your desktop.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Delete ResetTeaTimer.bat
----------------------------------------------
Before we continue I need you to do the following:

Set Your Computer to Show All Files
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended).
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom.
Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
  • Now double click on My Computer
  • Double click on Local Disk C:
  • Double click on the Windows Folder.
  • Double click on the System32 Folder.
  • Double click on the Drivers Folder.
  • Locate the file beep.sys.
  • Right click on it and click Properties.
  • Click on the Version tab (if one is showing). If no Version tab, just close the window and let me know.
  • Let me know what it says under the Company.
  • Let me know what it says under the Product Name.
----------------------------------------------
Post back and let me know about both matters so we may continue.
Private Messages for personal support will be ignored. If you need help post in the forum.

#13 IanD11
  • Topic Starter
  • Members
  • 12 posts

Posted 17 May 2008 - 09:40 AM

Yes, I did follow that step. It brought up a cmd window for a split second and then went away. Doesn't appear to do much.

On that file. The company is Microsoft Corporation. Product Name is Microsoft® Windows® Operating System.

In a previous step you told me to disable the tea timer. I thought I had done this but every time I restarted Windows (or ComboFix did) it started up again. I have gone back through this step:

Second step, For Either Version :
Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

and now when I restart it does not automatically start up.

Could this have been causing problems?

Ian

#14 chryssi2001
  • Members
  • 1,930 posts

Posted 17 May 2008 - 11:32 AM

Hi IanD11,

I want Spybot Search & Destroy disabled. It can prevent my fixes. I suspected it was not disabled, that's why I gave you that file to run.

Using the same method with the 2 steps, you can re-enable Tea Timer and make Spybot start when the pc boots, after we finish cleaning your pc.

Please remember: no Anti-Virus, no Firewall, no Windows Defender, or other protective programs when you run ComboFix.
Also all browsers and other windows should be closed.

Now let's re-try to remove remaining infections.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    File::
    C:\WINDOWS\system32\ppcbchad.dll
    C:\WINDOWS\system32\tuvUkJAp.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C35534B-E780-41D7-92AC-57C56731722C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BA319B7-1DD4-4291-B598-EB12D3718F7C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F51DC88-C6D1-4BC3-9449-04C1F2EF6B5D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{939662DB-93A0-4672-91F1-79BFCA8DBCF3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AADF6EE0-4C4A-43E8-BEC7-31A310DCD423}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B139642C-0F49-4630-812B-37B559803458}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36A7416-929C-4970-A3CD-BEE0365A4847}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF63FA08-CF03-438E-BEA3-D1C1E0E7C848}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvUkJAp]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new Hijackthis log.
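
The two manual checks the helper asks for in posts #12 and #14 (the Version tab of beep.sys, and the Winlogon Notify subkey and Browser Helper Object CLSIDs that the CFScript deletes) can be gathered in one read-only pass before anything is removed. The PowerShell below is an added example for this page; it is not code from the thread, from ComboFix or from HijackThis. It assumes PowerShell is installed on the XP machine and is run as an administrator, and the allowlist of Windows XP Notify packages is this example's own assumption: vendor packages such as Intel's igfxcui or SUPERAntiSpyware's !SASWinLogon (present in the posted log) will show as unlisted and need to be judged by their file path and version data.

```powershell
# Added read-only audit (example for this page, not code from the thread, ComboFix or
# HijackThis). Collects the evidence the helper asks for: Winlogon Notify packages,
# Browser Helper Object registrations, and beep.sys version data. Changes nothing.
# Assumes PowerShell on the XP machine, run as an administrator.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Notify packages that ship with Windows XP (assumed allowlist for this example).
# Third-party tools add their own (for example !SASWinLogon in the posted log),
# so an unlisted name is a lead to check, not proof of infection.
$knownNotify = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

function Get-FileEvidence {
    param([string]$Path)
    # Expand %SystemRoot%-style variables; a bare DLL name resolves against system32,
    # which is how the loader treats Notify DLLName values.
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if ($full -ne '' -and -not [IO.Path]::IsPathRooted($full)) {
        $full = Join-Path $env:SystemRoot "system32\$full"
    }
    $exists = ($full -ne '') -and (Test-Path -LiteralPath $full)
    $company = ''; $product = ''; $sig = 'NoFile'
    if ($exists) {
        $info    = (Get-Item -LiteralPath $full).VersionInfo
        $company = $info.CompanyName
        $product = $info.ProductName
        $sig     = (Get-AuthenticodeSignature -FilePath $full).Status
    }
    @{ Path = $full; Exists = $exists; Company = $company; Product = $product; Signature = $sig }
}

# 1. Winlogon Notify. Virtumonde registers a randomly named subkey (tuvUkJAp in the
#    posted log) whose DLLName points into system32; the CFScript removes that key and DLL.
Write-Output "== Winlogon Notify =="
Get-ChildItem $notifyKey | ForEach-Object {
    $name = $_.PSChildName
    $dll  = (Get-ItemProperty $_.PSPath).DLLName
    $ev   = Get-FileEvidence $dll
    $flag = 'ok'
    if (($knownNotify -notcontains $name) -or (-not $ev.Exists)) { $flag = 'SUSPECT' }
    "{0,-8} {1,-16} {2}  [{3}; {4}]" -f $flag, $name, $ev.Path, $ev.Signature, $ev.Company
}

# 2. Browser Helper Objects. Resolve each CLSID to its InprocServer32 DLL. A CLSID whose
#    InprocServer32 key is gone or whose DLL is missing is an orphaned registration, the
#    kind the [-HKEY_LOCAL_MACHINE\...\Browser Helper Objects\{...}] lines in the CFScript delete.
Write-Output "== Browser Helper Objects =="
Get-ChildItem $bhoKey | ForEach-Object {
    $clsid = $_.PSChildName
    $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    if (Test-Path $srv) {
        $ev   = Get-FileEvidence ((Get-ItemProperty $srv).'(default)')
        $flag = 'ok'
        if (-not $ev.Exists) { $flag = 'SUSPECT' }
        "{0,-8} {1} {2}  [{3}; {4}]" -f $flag, $clsid, $ev.Path, $ev.Signature, $ev.Company
    } else {
        "{0,-8} {1} (no InprocServer32 key: orphaned registration)" -f 'SUSPECT', $clsid
    }
}

# 3. beep.sys: the Company / Product Name check from post #12.
Write-Output "== beep.sys =="
$beep = Get-FileEvidence "$env:SystemRoot\system32\drivers\beep.sys"
"{0}`n  Company: {1}`n  Product: {2}`n  Signature: {3}" -f $beep.Path, $beep.Company, $beep.Product, $beep.Signature
```

Run it from an administrator PowerShell prompt and paste the output alongside the HijackThis log. The Signature column is informational only: on Windows XP most Microsoft binaries are catalog-signed, and Get-AuthenticodeSignature reports NotSigned for them even when they are genuine, which is why the SUSPECT flag is driven by the allowlist and by whether the referenced DLL actually exists rather than by the signature. A Notify entry flagged SUSPECT with a random-looking name and a DLL in system32 is the pattern that the `[-HKEY_LOCAL_MACHINE\...\winlogon\notify\<name>]` and `File::` lines in the CFScript are written to remove.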

#15 IanD11
  • Topic Starter
  • Members
  • 12 posts

Posted 17 May 2008 - 06:22 PM

OK, that seemed to run a bit better. Didn't have any problems restarting and such.

Here are the logs.

ComboFix 08-05-12.1 - Ian 2008-05-18 10:57:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.623 [GMT 12:00]
Running from: C:\Documents and Settings\ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ian\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ppcbchad.dll
C:\WINDOWS\system32\tuvUkJAp.dll
.

((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 13:53 . 2008-05-17 13:53 0 --a------ C:\WINDOWS\vpc32.INI
2008-05-15 10:43 . 2008-05-15 10:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-15 00:51 . 2008-05-15 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-14 18:32 . 2008-05-14 18:32 <DIR> d-------- C:\Deckard
2008-05-13 12:02 . 2008-05-18 03:49 0 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-13 10:57 . 2008-05-16 13:59 499 --a------ C:\WINDOWS\wininit.ini
2008-05-13 10:13 . 2008-05-13 10:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-13 10:13 . 2008-05-13 10:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 19:50 . 2008-05-12 20:00 2,522 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-12 19:49 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-12 19:49 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-12 19:49 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-12 19:49 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-12 19:49 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-12 19:49 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-12 17:02 . 2008-05-12 17:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\ian\Application Data\SUPERAntiSpyware.com
2008-05-12 16:57 . 2008-05-12 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-12 16:51 . 2008-05-12 16:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 16:56 . 2008-05-10 16:56 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-09 20:07 . 2008-05-09 20:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sierra Wireless
2008-05-09 17:55 . 2008-05-09 17:59 <DIR> d-------- C:\Documents and Settings\ian\Application Data\Sierra Wireless
2008-05-09 17:55 . 2007-11-06 15:59 25,736 -ra------ C:\WINDOWS\system32\drivers\swmsflt.sys
2008-05-09 17:54 . 2008-05-09 17:54 <DIR> d-------- C:\Program Files\Telstra
2008-05-09 17:54 . 2008-05-09 17:55 <DIR> d-------- C:\Program Files\Sierra Wireless Inc
2008-05-09 16:48 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Windows Mobile Resources
2008-05-07 21:31 . 2008-05-07 21:31 <DIR> d-------- C:\WINDOWS\Sun
2008-05-07 21:30 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-07 21:29 . 2008-05-07 21:31 <DIR> d-------- C:\Program Files\Java
2008-05-07 21:09 . 2008-05-07 21:09 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 07:29 . 2008-05-06 07:29 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2008-05-06 07:28 . 2008-05-06 07:28 <DIR> d-------- C:\WINDOWS\RS9_KB934458_ENU
2008-05-05 15:30 . 2008-05-05 15:30 <DIR> d-------- C:\Program Files\Microsoft ASP.NET
2008-05-05 15:22 . 2008-05-05 15:23 <DIR> d-------- C:\WINDOWS\system32\msmq
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191\ASPNET
2008-05-05 15:16 . 2008-05-05 15:16 <DIR> d-------- C:\Documents and Settings\WS191
2008-05-05 15:16 . 2008-05-18 10:54 1,024 --ah----- C:\Documents and Settings\WS191\ASPNET\ntuser.dat.LOG
2008-05-05 15:14 . 2008-05-05 15:29 <DIR> d-------- C:\Program Files\ESi
2008-05-05 15:11 . 2008-05-05 15:28 <DIR> d-------- C:\Program Files\Common Files\ESi
2008-05-05 14:48 . 2008-05-05 14:48 <DIR> d-------- C:\Program Files\Microsoft Analysis Services
2008-05-05 09:12 . 2008-05-05 09:16 <DIR> d-------- C:\Emergeo
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-04-29 23:19 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-04-28 20:02 . 2008-04-28 20:02 <DIR> d-------- C:\Program Files\iBurst Terminal
2008-04-28 20:02 . 2006-03-29 03:25 37,362 --a------ C:\WINDOWS\system32\drivers\iBurstu.sys
2008-04-27 10:41 . 2008-04-27 10:41 51,180 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-27 10:39 . 2008-04-27 10:42 <DIR> d-------- C:\Program Files\mIRC
2008-04-27 10:39 . 2008-04-27 10:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\mIRC
2008-04-23 15:52 . 2008-04-23 15:52 <DIR> d-------- C:\Documents and Settings\ian\Application Data\AdobeUM
2008-04-23 14:33 . 2008-04-23 14:33 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-04-23 14:32 . 2008-05-09 16:48 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-23 14:29 . 2008-04-23 14:29 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-23 14:28 . 2008-04-23 14:32 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-23 14:22 . 2008-04-23 14:40 <DIR> d-------- C:\Documents and Settings\digital
2008-04-23 14:22 . 2008-05-18 10:54 1,024 --ah----- C:\Documents and Settings\digital\ntuser.dat.LOG
2008-04-23 11:43 . 2008-04-23 11:44 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-23 11:40 . 2008-05-18 10:57 40 --a------ C:\WINDOWS\system32\profile.dat
2008-04-23 11:39 . 2005-04-01 20:36 123,200 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-23 11:39 . 2005-04-01 20:36 91,856 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-23 11:38 . 2008-04-23 11:39 <DIR> d-------- C:\Program Files\Symantec
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Program Files\Symantec Client Security
2008-04-23 11:37 . 2008-05-18 11:02 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-23 11:37 . 2008-04-23 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-23 11:36 . 2008-04-23 14:15 <DIR> d-------- C:\TEMP
2008-04-22 20:35 . 2008-04-22 20:35 <DIR> d-------- C:\Documents and Settings\Administrator\Contacts
2008-04-22 20:33 . 2008-04-22 20:33 <DIR> d-------- C:\Documents and Settings\ian\Contacts
2008-04-22 20:12 . 2008-04-22 20:32 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-22 20:11 . 2008-04-22 20:32 <DIR> d-------- C:\Program Files\Windows Live
2008-04-22 20:11 . 2008-04-22 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-22 19:44 . 2006-08-23 11:45 53,248 --a------ C:\WINDOWS\iwlandrvxpver.dll
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-22 19:43 . 2008-04-22 19:43 <DIR> d-------- C:\SWSetup
2008-04-22 19:43 . 2006-08-23 11:47 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2008-04-22 19:43 . 2006-08-23 11:47 2,206,720 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-04-22 19:43 . 2006-08-23 11:47 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2008-04-22 12:20 . 2008-04-22 12:20 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-04-22 12:18 . 2008-04-22 12:20 <DIR> d-------- C:\Inetpub
2008-04-22 10:56 . 2008-05-17 11:30 343 --a------ C:\WINDOWS\hpbafd.ini
2008-04-22 08:53 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-22 08:53 . 2006-10-05 02:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-04-22 08:53 . 2006-10-05 02:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-04-22 08:53 . 2006-10-05 02:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-04-22 08:52 . 2008-04-22 08:53 <DIR> d-------- C:\Program Files\timesheet
2008-04-22 08:51 . 2008-04-22 08:51 286,720 --------- C:\WINDOWS\Setup1.exe
2008-04-22 08:51 . 2008-04-22 08:51 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-22 08:48 . 2008-05-05 09:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-22 08:48 . 2008-04-22 08:51 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-22 07:35 . 2008-04-22 07:37 <DIR> d-------- C:\I386
2008-04-22 07:29 . 2007-12-07 14:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 07:29 . 2007-04-17 21:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-22 07:29 . 2007-03-08 17:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-22 07:29 . 2007-12-07 14:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 07:29 . 2007-12-07 14:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 07:29 . 2007-12-07 14:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 07:29 . 2007-12-07 14:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 07:29 . 2007-12-07 14:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 07:29 . 2007-12-06 23:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-21 15:59 . 2008-04-21 15:59 <DIR> d-------- C:\Program Files\Analog Devices
2008-04-21 15:18 . 2008-04-21 15:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-21 15:15 . 2006-08-21 21:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-21 15:15 . 2006-08-21 21:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-21 15:15 . 2006-08-22 00:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-21 15:01 . 2007-07-10 01:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-21 14:50 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-21 14:29 . 2008-04-21 14:37 <DIR> d-------- C:\Tools
2008-04-21 14:27 . 2008-05-05 14:09 <DIR> d-------- C:\Projects
2008-04-21 14:27 . 2008-04-21 14:28 <DIR> d-------- C:\Data
2008-04-21 14:03 . 2008-05-06 07:30 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-21 14:02 . 2008-04-21 14:02 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-04-21 14:02 . 2008-04-21 14:02 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-04-21 13:55 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\MSBuild
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\WINDOWS\Symbols
2008-04-21 13:47 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\HTML Help Workshop
2008-04-21 13:47 . 2008-04-21 13:53 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-04-21 13:47 . 2008-04-21 13:48 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\Program Files\CE Remote Tools
2008-04-21 13:47 . 2008-04-21 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-04-21 13:45 . 2008-04-21 13:55 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-21 13:45 . 2008-05-06 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-21 12:33 . 2008-04-21 12:33 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-21 12:31 . 2008-04-21 12:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-21 12:31 . 2004-08-04 00:56 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-04-21 12:31 . 2004-08-04 00:56 331,264 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 12:38 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-04-27 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 03:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 20:39 --------- d-----w C:\Program Files\HPQ
2008-04-20 20:31 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-05-15_10.36.14.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 22:29:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-17 23:02:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-16 23:29:15 15,872 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\eoc6\695caad4\b52b71c0\App_Web_0j25yslm.dll
+ 2008-05-16 23:21:43 155,648 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\eoc6\695caad4\b52b71c0\App_Web_6l0y3iba.dll
+ 2008-05-16 23:24:17 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\eoc6\695caad4\b52b71c0\App_Web_dg9ftaob.dll
+ 2008-05-16 23:23:06 69,632 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\eoc6\695caad4\b52b71c0\App_Web_mcjzdrkh.dll
+ 2008-05-16 23:22:35 28,672 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\eoc6\695caad4\b52b71c0\App_Web_vbpv2jct.dll
+ 2008-05-16 23:21:44 139,264 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\eoc6\695caad4\b52b71c0\App_Web_xif_ngec.dll
+ 2008-05-16 23:21:53 49,152 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\eoc6\695caad4\b52b71c0\App_Web_xm8ld0zq.dll
+ 2008-05-16 23:25:17 40,960 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\eoc6\695caad4\b52b71c0\App_Web_zxlww4va.dll
- 2008-05-14 22:32:28 236,186 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-17 23:04:01 236,182 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 04:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-10-08 07:31 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-10-08 07:27 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 10:03 88209 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-04-17 12:30 85184]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WatcherHelper"="C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe" [2007-10-29 12:03 120088]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
iBurst_Terminal UTL.lnk - C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE [2008-04-28 20:02:32 311296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program files\\Telstra\\Telstra Turbo Connection Manager\\SwiApiMux.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 PullService;Pull Service;"C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe" [2008-05-05 15:30]
R3 iBurstu;iBurst Terminal;C:\WINDOWS\system32\DRIVERS\iBurstu.sys [2006-03-29 03:25]
R3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-11-06 15:59]
S2 LightScribeService Direct;LightScribeService;C:\WINDOWS\system\WINSPOOLS.EXE [2005-04-24 18:00]
S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);"c:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2007-03-23 21:13]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 SWNC8U55;Sierra Wireless MUX NDIS Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swnc8u55.sys [2007-09-21 15:47]
S3 SWUMX55;Sierra Wireless USB MUX Driver (UMTS55);C:\WINDOWS\system32\DRIVERS\swumx55.sys [2007-09-21 15:48]
S3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 23:05:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-23 02:16:40 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 11:04:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\TMP0000002DEED7C5C190BD481F 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DoScan.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-05-18 11:10:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 23:10:11
ComboFix2.txt 2008-05-16 22:38:32
ComboFix3.txt 2008-05-15 22:16:04
ComboFix4.txt 2008-05-14 22:37:10

Pre-Run: 14,496,833,536 bytes free
Post-Run: 14,492,569,600 bytes free

268 --- E O F --- 2008-05-05 19:34:02



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18, on 2008-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iBurst Terminal\iBurst_Terminal_UTL.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WatcherHelper] "C:\Program files\Telstra\Telstra Turbo Connection Manager\WaHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iBurst_Terminal UTL.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O17 - HKLM\Software\..\Telephony: DomainName = ca1.critchlow.co.nz
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D240CC0-B19F-4095-A7CB-24A6731C5338}: NameServer = 203.98.90.25 203.98.90.27
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ca1.critchlow.co.nz
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Pull Service (PullService) - Unknown owner - C:\Program Files\ESi\WebEOC 7\EOC Professional\pullservice\PullService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 8180 bytes
