Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Won't Go Away


  • This topic is locked This topic is locked
12 replies to this topic

#1 lawrencep

lawrencep

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 04 June 2008 - 03:00 PM

I've searched and downloaded about everything to no avail. SuperAntiSpyware says it's removed but SpySweeper says it's still there. VundoFix didn't find anything to fix. IE pretty much stops when trying to search and I see a lot of files being downloaded(?) in the footer of the window. Below are the logs from DSS per the preparation guide. Thanks for the help.

Deckard's System Scanner v20071014.68
Run by Patrick Lawrence on 2008-06-04 15:30:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
75: 2008-06-04 19:30:44 UTC - RP277 - Deckard's System Scanner Restore Point
74: 2008-06-04 04:16:34 UTC - RP276 - System Checkpoint
73: 2008-06-02 11:15:06 UTC - RP275 - System Checkpoint
72: 2008-06-01 00:56:00 UTC - RP274 - Installed SUPERAntiSpyware Free Edition
71: 2008-05-30 20:13:07 UTC - RP273 - System Checkpoint


-- First Restore Point --
1: 2008-05-29 19:29:49 UTC - RP203 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Patrick Lawrence.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:00 PM, on 6/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\TVHarmony\AutoPilot.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\java.exe
C:\Documents and Settings\Patrick Lawrence\Desktop\Malware Repair Utilities\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Patrick Lawrence.exe
C:\WINDOWS\system32\msfeedssync.exe

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [b89620d6] rundll32.exe "C:\WINDOWS\system32\ijsabbyw.dll",b
O4 - HKLM\..\Run: [BMbba5134a] Rundll32.exe "C:\WINDOWS\system32\tebclfpc.dll",s
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BMbba5134a] "Rundll32.exe" "C:\WINDOWS\system32\tebclfpc.dll",s
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TVHarmony AutoPilot.lnk = C:\Program Files\TVHarmony\AutoPilot.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193764981687
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: RunOnceWin - {81c5a621-be44-4aab-9e5d-970712f89e78} - C:\WINDOWS\Installer\{81c5a621-be44-4aab-9e5d-970712f89e78}\RunOnceWin.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACT! Scheduler - Sage Software SB, Inc - C:\Program Files\ACT\ACT for Web\Act.Scheduler.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Webcamera Plus Service - Ateksoft Company Ltd. - C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14573 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080406-221119-967 O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
backup-20080530-143008-141 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080530-143008-224 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080530-143008-695 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080530-143008-920 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080603-234705-119 O2 - BHO: {c312a53c-4fc6-1c59-98e4-7f191e1e9740} - {0479e1e1-91f7-4e89-95c1-6cf4c35a213c} - C:\WINDOWS\system32\uivvxppc.dll (file missing)
backup-20080603-234705-224 O2 - BHO: (no name) - {DDB23648-CEF1-43B1-9476-7E60992DC5B7} - C:\WINDOWS\system32\geBQjGAs.dll (file missing)
backup-20080603-234705-472 O2 - BHO: (no name) - {F879CB04-B629-4787-92AD-498484B131D2} - (no file)
backup-20080604-080204-465 O20 - Winlogon Notify: hgGwVLcy - hgGwVLcy.dll (file missing)
backup-20080604-080204-797 O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 AteksoftAudio (WebCamera Plus Audio) - c:\windows\system32\drivers\ateksoftaudio.sys <Not Verified; Ateksoft; WebCamera Plus Audio>
R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
R3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
R3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
R3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
R3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Microsoft® Windows NT® Operating System>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S2 IPSECEXT (Nortel Extranet Access Protocol) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks; Contivity VPN Client>
S3 BCOREUSB (BCOREUSB.Sys CSR test driver) - c:\windows\system32\drivers\bcoreusb.sys <Not Verified; CSR; Bluetooth USB Dongle Device Driver>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 toshidpt (TOSHIBA Bluetooth HID port driver) - c:\windows\system32\drivers\toshidpt.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Bluetooth HID Mini Port Driver>
S3 TosRfSnd (Bluetooth Audio Device (WDM) from TOSHIBA) - c:\windows\system32\drivers\tosrfsnd.sys <Not Verified; TOSHIBA Corporation; Bluetooth Audio Driver>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>
R2 Webcamera Plus Service - c:\program files\ateksoft\webcamera plus\webcamplussrv.exe <Not Verified; Ateksoft Company Ltd.; WebCamera Plus>
R2 WLANKEEPER (Intel® PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSO Service>

S3 ACT! Scheduler - "c:\program files\act\act for web\act.scheduler.exe" <Not Verified; Sage Software SB, Inc; ACT!>
S4 Bluetooth Hid Switch Service - "c:\program files\bluetooth\hidswitchservice\hidsw.exe" <Not Verified; Cambridge Silicon Radio; HID Switch Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-04 15:32:00 444 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{88DA1DC7-CD28-4BB5-9480-4255B69FA2D4}.job
2008-06-04 09:54:39 1484 --a------ C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job
2008-06-04 01:00:01 460 --a------ C:\WINDOWS\Tasks\SyncBack Nightly Backup.job
2008-06-03 17:01:41 470 --a------ C:\WINDOWS\Tasks\SyncBack Update My ISO.job
2008-06-02 07:01:43 494 --a------ C:\WINDOWS\Tasks\SyncBack Update ISO Quality Service Tech.job


-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-04 14:14:43 0 dr-h----- C:\Documents and Settings\Patrick Lawrence\Recent
2008-06-04 09:58:10 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-06-04 09:54:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-04 09:54:32 0 d-------- C:\Program Files\Webroot
2008-06-04 09:54:32 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\Webroot
2008-06-04 09:54:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-04 09:52:27 164 --a------ C:\install.dat
2008-06-04 09:17:53 0 d-------- C:\VundoFix Backups
2008-06-04 08:06:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 08:06:57 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:13:25 0 d-------- C:\Program Files\Defraggler
2008-05-31 20:59:25 0 d-------- C:\Program Files\CCleaner
2008-05-31 20:56:23 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-31 20:56:07 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 20:56:07 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\SUPERAntiSpyware.com
2008-05-31 19:06:53 90112 --a------ C:\WINDOWS\system32\mybhkjrr.dll
2008-05-31 18:59:19 109568 --a------ C:\WINDOWS\system32\wgayanlc.dll
2008-05-30 17:13:05 104448 --a------ C:\WINDOWS\system32\ximrnxjk.dll
2008-05-30 17:10:16 90112 -----n--- C:\WINDOWS\system32\lobpbync.dll
2008-05-30 17:04:24 109568 --a------ C:\WINDOWS\system32\ysxsuavk.dll
2008-05-30 16:30:57 803112 --ahs---- C:\WINDOWS\system32\sAGjQBeg.ini2
2008-05-30 15:05:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 03:48:31 101376 -----n--- C:\WINDOWS\system32\ijsabbyw.dll
2008-05-30 03:45:30 111616 --a------ C:\WINDOWS\system32\uaqmisry.dll
2008-05-30 03:33:29 106496 --a------ C:\WINDOWS\system32\tebclfpc.dll
2008-05-29 15:29:38 813720 --ahs---- C:\WINDOWS\system32\SrCeNXyb.ini2
2008-05-29 15:24:41 0 dr-h----- C:\$VAULT$.AVG
2008-05-29 15:24:35 0 d-------- C:\WINDOWS\system32\vntiho05
2008-05-07 11:12:57 0 d-------- C:\WINDOWS\Prefetch
2008-05-07 11:02:47 0 d-------- C:\WINDOWS\system32\scripting
2008-05-07 11:02:45 0 d-------- C:\WINDOWS\l2schemas
2008-05-07 11:02:43 0 d-------- C:\WINDOWS\system32\en
2008-05-07 11:02:43 0 d-------- C:\WINDOWS\system32\bits
2008-05-07 10:58:48 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-07 10:20:02 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-07 10:19:46 0 d-------- C:\temp


-- Find3M Report ---------------------------------------------------------------

2008-06-04 15:23:45 2358 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-04 12:12:05 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\AVG7
2008-06-04 08:31:20 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\FileZilla
2008-06-04 07:02:00 0 d-------- C:\Program Files\LogMeIn
2008-06-02 22:48:46 130 --a------ C:\Documents and Settings\Patrick Lawrence\Application Data\AVSDVDPlayer.m3u
2008-06-02 22:40:25 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\LimeWire
2008-06-02 11:18:02 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\WeatherBug
2008-05-31 20:55:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 11:58:31 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-12 11:57:17 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\AdobeUM
2008-05-12 11:45:37 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\Adobe
2008-05-07 11:12:10 0 d-------- C:\Program Files\Messenger
2008-05-07 11:02:42 0 d-------- C:\Program Files\Movie Maker
2008-05-07 10:58:12 0 d-------- C:\Program Files\Windows NT
2008-05-03 10:14:56 0 d-------- C:\Program Files\FileZilla Client
2008-04-22 15:04:54 0 d-------- C:\Program Files\LimeWire
2008-04-21 12:25:06 13007 --a------ C:\Documents and Settings\Patrick Lawrence\Application Data\Comma Separated Values (Windows).CAL
2008-04-16 21:08:03 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\ieSpell
2008-04-16 21:05:03 0 d-------- C:\Program Files\ieSpell
2008-04-08 14:19:56 0 d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\U3
2008-04-07 16:05:04 0 d-------- C:\Program Files\Avery Dennison
2008-03-14 14:25:22 40 --ahs---- C:\Documents and Settings\Patrick Lawrence\Application Data\KR56ZG2YE73GVCXB3T2UDEXAMC
2008-03-12 13:10:18 633344 --a------ C:\WINDOWS\system32\gpprefcl.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-11 10:37:43 37027 --a------ C:\WINDOWS\atmoUn.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="rundll32.exe" [04/13/2008 08:12 PM C:\WINDOWS\system32\rundll32.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [07/14/2006 06:07 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/14/2006 06:04 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/14/2006 06:08 PM]
"SigmatelSysTrayApp"="stsystra.exe" [07/27/2006 03:19 PM C:\WINDOWS\stsystra.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 03:13 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [10/18/2006 07:04 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/18/2006 06:58 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/12/2007 10:34 PM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [11/07/2005 06:20 AM]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [12/09/2005 09:29 PM]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [08/03/2007 04:09 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/14/2008 08:57 AM]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [09/28/2007 02:30 PM]
"b89620d6"="C:\WINDOWS\system32\ijsabbyw.dll" [05/30/2008 03:48 AM]
"BMbba5134a"="C:\WINDOWS\system32\tebclfpc.dll" [05/30/2008 03:33 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [08/23/2007 07:31 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/13/2008 08:12 PM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [12/22/2007 08:51 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 02:39 PM]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [09/25/2007 11:33 AM]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [09/25/2007 11:34 AM]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [09/25/2007 11:35 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"BMbba5134a"="Rundll32.exe" [04/13/2008 08:12 PM C:\WINDOWS\system32\rundll32.exe]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/03/2008 11:26 PM]

C:\Documents and Settings\Patrick Lawrence\Start Menu\Programs\Startup\
TVHarmony AutoPilot.lnk - C:\Program Files\TVHarmony\AutoPilot.exe [9/16/2007 12:17:03 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [10/24/2003 12:37:56 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [11/18/2005 6:46:00 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 5:21:22 AM]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2/10/2006 8:56:20 AM]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [6/29/2007 5:32:52 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RunOnceWin"= {81c5a621-be44-4aab-9e5d-970712f89e78} - C:\WINDOWS\Installer\{81c5a621-be44-4aab-9e5d-970712f89e78}\RunOnceWin.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBQjGAs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d94a344-a8e4-11dc-a6fe-0016418b4627}]
AutoRun\command- D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acce3a70-eeda-11dc-a743-0015c541e3a3}]
AutoRun\command- D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acce3a71-eeda-11dc-a743-0015c541e3a3}]
AutoRun\command- E:\setupSNK.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8554 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-04 15:34:21 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2400 @ 1.83GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 1014.05 MiB / 388.66 MiB
Pagefile Memory (total/avail): 2440.76 MiB / 1798.56 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.97 MiB

C: is Fixed (NTFS) - 55.89 GiB total, 17.22 GiB free.

\\.\PHYSICALDRIVE0 - FUJITSU MHW2060BH - 55.89 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.89 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Patrick Lawrence\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=IVCLAPTOP1071
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Patrick Lawrence
LOGONSERVER=\\IVCLAPTOP1071
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\VISA\WinNTBin;C:\RBMsuite\sys;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp
USERDOMAIN=IVCLAPTOP1071
USERNAME=Patrick Lawrence
USERPROFILE=C:\Documents and Settings\Patrick Lawrence
VXIPNPPATH=C:\VISA
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Patrick Lawrence (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> MsiExec.exe /X{09959E11-AD5D-408E-96AF-E3346954D6B8}
--> MsiExec.exe /X{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
ACT! Premium for Web --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{48585FAE-76BF-4193-A2A6-0D400D695C04}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Standard --> MsiExec.exe /I{AC76BA86-1033-0000-BA7E-000000000001}
Adobe Acrobat and Reader 6.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AI RoboForm --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AnalogX SayIt --> C:\Program Files\AnalogX\SayIt\sayitu.exe
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVS DVD Player version 2.4 --> "C:\Program Files\AVSMedia\DVDPlayer\unins000.exe"
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Broadcom Gigabit Integrated Controller --> MsiExec.exe /X{B7F54262-AB66-44B3-88BF-9FC69941B643}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Citrix ICA Web Client --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
CSI RBM ODBC Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Computational Systems, Inc.\CSI RBM ODBC Driver\rbmODBC.isu" -c"C:\Program Files\Computational Systems, Inc.\CSI RBM ODBC Driver\_UNODBC.DLL"
Defraggler (remove only) --> "C:\Program Files\Defraggler\uninst.exe"
Dell Mobile Broadband Card Utility --> MsiExec.exe /X{DF62D775-BB7C-4AFA-9CA4-DDA1C4855F28}
Dell Resource CD --> MsiExec.exe /X{2764CA82-DFB9-4498-AF85-719340BF5305}
DesignPro 5.4 Limited Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{71F6DF7D-B639-4FAD-BA93-E6DF267AA44D}
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FileZilla Client 3.0.9.2 --> C:\Program Files\FileZilla Client\uninstall.exe
Garmin City Navigator North America NT 2008 --> MsiExec.exe /X{819F1E9F-38C9-4313-AF28-C7BC9A03933A}
Garmin MapSource --> MsiExec.exe /X{83FC2D98-CB55-4E05-82C1-EDC8A4E8EDD2}
Garmin Mobile XT - MapInstall - City Navigator North America NT v8 --> MsiExec.exe /X{01DA5A88-DCC2-453C-91CB-CD2B305BFEC2}
Garmin Mobile XT - nRoute - City Navigator North America NT v8 --> MsiExec.exe /X{FB6CD3AB-8B80-4756-A562-56C375D023C4}
GoToMeeting/GoToWebinar 3.0.0.198 --> C:\Program Files\Citrix\GoToMeeting\198\G2MUninstall.exe /uninstall
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart and Deskjet 7.0 Software --> C:\Program Files\HP\Digital Imaging\{76BEC1D7-8A9F-472D-84C7-014BB155E4B2}\setup\hpzscr01.exe -datfile hphscr11.dat -showdisconnect -forcereboot
HP Photosmart Premier Software 6.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
ieSpell --> "C:\Program Files\ieSpell\uninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
IRwin Report 5.3 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\IRwin53\DeIsL1.isu"
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
LogMeIn --> MsiExec.exe /I{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}
Machinery Health Manager --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Computational Systems, Inc.\Machinery Health Manager\v4.90\Typical.isu" -c"C:\Program Files\Computational Systems, Inc.\Machinery Health Manager\v4.90\_UNODBC.DLL"
MainConcept MJPEG Codec Demo --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{805A7890-3138-44E4-8DAA-480C55516989} /l1033
MainConcept MJPG software codec (Remove Only) --> rundll.exe setupx.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\MCMJPG.INF
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 Express Edition (ACT7) --> MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition --> MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server Native Client --> MsiExec.exe /I{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NDAS Software 3.20.1523 --> MsiExec.exe /I{07C16B8B-AE11-4515-888F-0BD2E0A9F2AD}
Nortel Networks Contivity VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF964A78-078C-11D1-B7A7-0000C0134CE6}\setup.exe" Uninstall
OZ776 SCR CardBus Windows Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{2D91C34E-12CC-4B1B-90D5-31DAD47B6F48} /l1033
Pdf995 (installed by TaxCut) --> C:\Program Files\pdf995\setup.exe uninstall
PdfEdit995 (installed by TaxCut) --> C:\Program Files\pdf995\res\utilities\thinsetup.exe - uninstall
Pocket Informant Evo with PlanPlus for Outlook 5 Sync Evo for Vista and XP --> C:\Program Files\WebIS\PPO 5 ActiveSync\uninst.exe
Pocket Informant Pro 2007 --> C:\Program Files\Pocket Informant\uninst.exe
PowerDVD 5.7 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Roxio DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Service Account Manager 1.35 --> "C:\Program Files\Allied Services\SAM\uninstall.exe"
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SyncBack --> "C:\Program Files\2BrightSparks\SyncBack\unins000.exe"
TaxCut New Jersey 2007 --> MsiExec.exe /X{0FE55E01-5D5A-4823-A71E-F4F5E8BB473D}
TaxCut Premium + State + Efile 2007 --> MsiExec.exe /X{CF9A795B-2E4A-42D3-A4C4-333D5BF39350}
ThermaCAM Explorer 99 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ThermaCAM Explorer 99\DeIsL1.isu" -c"C:\Program Files\ThermaCAM Explorer 99\_ISREG32.DLL"
TiVo Desktop 2.5.1 --> MsiExec.exe /X{4E839090-3B68-436A-B3CF-A2A08C38DD26}
TVHarmony AutoPilot Beta 2, v38 --> C:\Program Files\TVHarmony\uninst.exe
Ultratrend DMS V2.04 --> MsiExec.exe /X{899D4624-B72E-44AA-AD42-EF7D54177931}
Verizon Online Help and Support --> C:\PROGRA~1\Verizon\UNWISE.EXE C:\PROGRA~1\Verizon\INSTALL.LOG
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
WebCamera Plus 2.0 --> "C:\Program Files\Ateksoft\WebCamera Plus\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type1601 / Warning
Event Submitted/Written: 06/04/2008 03:23:36 PM
Event ID/Source: 25 / Outlook
Event Description:
Unable to update public free/busy data.

Event Record #/Type1566 / Warning
Event Submitted/Written: 06/04/2008 02:27:52 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance ACT7 is not valid.

Event Record #/Type1551 / Error
Event Submitted/Written: 06/04/2008 02:24:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application tosbtproc.exe, version 1.2.14.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [tosbtproc.exe!ws!]

Event Record #/Type1524 / Warning
Event Submitted/Written: 06/04/2008 02:00:11 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance ACT7 is not valid.

Event Record #/Type1475 / Warning
Event Submitted/Written: 06/04/2008 00:11:37 PM
Event ID/Source: 3 / SQLBrowser
Event Description:
The configuration of the AdminConnection\TCP protocol in the SQL instance ACT7 is not valid.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21626 / Warning
Event Submitted/Written: 06/04/2008 02:27:01 PM / 06/04/2008 02:27:28 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type21592 / Warning
Event Submitted/Written: 06/04/2008 01:59:29 PM / 06/04/2008 01:59:57 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type21588 / Error
Event Submitted/Written: 06/04/2008 01:54:27 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type21587 / Error
Event Submitted/Written: 06/04/2008 01:21:21 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type21586 / Error
Event Submitted/Written: 06/04/2008 00:38:43 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Avg7Core
Avg7RsW
Avg7RsXP
Fips
intelppm
IPSec
MRxSmb
ndasfat
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip
Tosrfcom
WS2IFSL



-- End of Deckard's System Scanner: finished at 2008-06-04 15:34:21 ------------

BC AdBot (Login to Remove)

 


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:13 AM

Posted 10 June 2008 - 01:02 PM

Hello lawrencep. :thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
See you soon,
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 lawrencep

lawrencep
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 10 June 2008 - 01:11 PM

Thank you, Billy. I look forward to your prognosis.

Patrick

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:13 AM

Posted 11 June 2008 - 11:20 AM

Hello, lawrencep.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

We need to run ComboFix.Please include the ComboFix report in your next reply.

Please download SDFix by AndyManchesta and save it to your desktop.
Note: When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    • (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
  • Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply, along with a new HijackThis log.
Note: If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

Note: If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

Note: If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

In your next reply, be sure to include the ComboFix and SDFix reports.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 lawrencep

lawrencep
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 11 June 2008 - 01:15 PM

Billy, here they are:

ComboFix
ComboFix 08-06-10.5 - Patrick Lawrence 2008-06-11 13:22:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.415 [GMT -4:00]
Running from: C:\Documents and Settings\Patrick Lawrence\Desktop\Malware Repair Utilities\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\vtmp2
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Installer\{81c5a621-be44-4aab-9e5d-970712f89e78}\RunOnceWin.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cnybpbol.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\otjmkrev.ini
C:\WINDOWS\system32\rrjkhbym.ini
C:\WINDOWS\system32\sAGjQBeg.ini
C:\WINDOWS\system32\sAGjQBeg.ini2
C:\WINDOWS\system32\SrCeNXyb.ini
C:\WINDOWS\system32\SrCeNXyb.ini2
C:\WINDOWS\system32\wybbasji.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-10 13:26 . 2008-06-10 13:26 <DIR> d-------- C:\Program Files\Auslogics
2008-06-10 13:26 . 2008-06-10 13:26 <DIR> d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\Auslogics
2008-06-10 13:06 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 13:02 . 2008-04-14 08:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 11:02 . 2008-06-10 11:02 <DIR> d-------- C:\Program Files\NDAS
2008-06-10 11:02 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-06-10 11:02 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-06-10 10:59 . 2008-06-10 11:01 <DIR> d-------- C:\cool
2008-06-10 10:59 . 1997-04-29 08:06 140,288 --a------ C:\WINDOWS\system32\ra3214_4.dll
2008-06-10 10:59 . 1997-05-01 15:01 127,023 --a------ C:\WINDOWS\c96unins.exe
2008-06-10 10:59 . 1997-04-29 08:06 90,624 --a------ C:\WINDOWS\system32\pnc32301.dll
2008-06-10 10:59 . 1997-04-29 08:06 85,504 --a------ C:\WINDOWS\system32\encdnet.dll
2008-06-10 10:59 . 1997-04-29 08:06 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll
2008-06-10 10:59 . 1997-04-29 08:06 13,824 --a------ C:\WINDOWS\system32\ra32dnet.dll
2008-06-09 11:24 . 2008-06-10 11:01 3,817 --a------ C:\WINDOWS\COOL.INI
2008-06-06 13:28 . 2008-06-06 13:28 8,354 --a------ C:\ExpStmtNew.snp
2008-06-06 05:58 . 2008-06-06 05:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-05 22:23 . 2008-06-05 22:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 22:23 . 2008-06-05 22:23 <DIR> d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\Malwarebytes
2008-06-05 22:23 . 2008-06-05 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 22:23 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 22:23 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-04 15:29 . 2008-06-04 15:29 <DIR> d-------- C:\Deckard
2008-06-04 14:09 . 2008-06-04 14:09 0 --a------ C:\WINDOWS\BMbba5134a.xml
2008-06-04 09:58 . 2008-06-04 09:58 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-06-04 09:54 . 2008-06-04 09:54 <DIR> d-------- C:\Program Files\Webroot
2008-06-04 09:54 . 2008-06-04 09:54 <DIR> d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\Webroot
2008-06-04 09:54 . 2008-06-04 09:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-04 09:54 . 2008-06-04 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-04 09:54 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-06-04 09:54 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-06-04 09:54 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-06-04 09:54 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-06-04 09:54 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-06-04 09:52 . 2008-06-04 09:52 164 --a------ C:\install.dat
2008-06-04 09:17 . 2008-06-04 09:17 <DIR> d-------- C:\VundoFix Backups
2008-06-04 08:06 . 2008-06-04 08:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-04 08:06 . 2008-06-04 08:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 23:13 . 2008-05-31 23:13 <DIR> d-------- C:\Program Files\Defraggler
2008-05-31 20:59 . 2008-05-31 20:59 <DIR> d-------- C:\Program Files\CCleaner
2008-05-31 20:56 . 2008-06-03 23:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 20:56 . 2008-05-31 20:56 <DIR> d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\SUPERAntiSpyware.com
2008-05-31 20:56 . 2008-05-31 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-30 15:05 . 2008-05-31 20:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 15:05 . 2008-05-31 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 15:24 . 2008-05-29 15:24 <DIR> d-------- C:\WINDOWS\system32\vntiho05
2008-05-29 15:24 . 2008-06-02 10:05 <DIR> dr-h----- C:\$VAULT$.AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 12:00 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\AVG7
2008-06-11 11:20 --------- d-----w C:\Program Files\LogMeIn
2008-06-10 18:03 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\WeatherBug
2008-06-10 14:10 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\LimeWire
2008-06-05 19:59 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\FileZilla
2008-06-05 17:56 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\ieSpell
2008-06-04 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-01 00:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 13:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-12 15:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-12 15:57 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\AdobeUM
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 14:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-03 14:14 --------- d-----w C:\Program Files\FileZilla Client
2008-04-22 19:04 --------- d-----w C:\Program Files\LimeWire
2008-04-17 01:05 --------- d-----w C:\Program Files\ieSpell
2008-04-14 12:30 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ----a-w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:39 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,504 ----a-w C:\WINDOWS\system32\drivers\mstee.sys
2008-04-13 18:39 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-13 18:39 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 18:39 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 18:39 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 18:39 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-13 18:38 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
2008-04-13 18:34 163,584 ----a-w C:\WINDOWS\system32\drivers\nwrdr.sys
2008-04-13 18:33 44,544 ----a-w C:\WINDOWS\system32\drivers\fips.sys
2008-04-13 18:32 66,048 ----a-w C:\WINDOWS\system32\drivers\udfs.sys
2008-04-13 18:32 30,848 ----a-w C:\WINDOWS\system32\drivers\npfs.sys
2008-04-13 18:32 196,224 ----a-w C:\WINDOWS\system32\drivers\rdpdr.sys
2008-04-13 18:32 19,072 ----a-w C:\WINDOWS\system32\drivers\msfs.sys
2007-10-31 13:32 88 --sh--r C:\WINDOWS\system32\6EF445DB58.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2007-08-23 19:31 1343488]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-22 08:51 160592]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-09-25 11:33 1195008]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2007-09-25 11:34 384000]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2007-09-25 11:35 1495040]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-03 23:26 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="rundll32.exe" [2008-04-13 20:12 33280 C:\WINDOWS\system32\rundll32.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-14 18:07 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-14 18:04 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-14 18:08 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 15:19 282624 C:\WINDOWS\stsystra.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 15:13 176128]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 19:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 18:58 696320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-12 22:34 286720]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29 49152]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 08:57 579584]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-21 00:09 219136]

C:\Documents and Settings\Patrick Lawrence\Start Menu\Programs\Startup\
TVHarmony AutoPilot.lnk - C:\Program Files\TVHarmony\AutoPilot.exe [2007-09-16 12:17:03 1146880]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00 1724416]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.mjpg"= mcmjpg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Nortel\\Extranet.exe"=
"C:\\Program Files\\ACT\\Act for Web\\ActSage.exe"=
"C:\\RBMSuite\\sys\\Mtdbmgr.exe"=
"C:\\RBMSuite\\sys\\netadmin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\TVHarmony\\AutoPilot.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\PcHelpWare\\repeater\\phw_repeater.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Ateksoft\\WebCamera Plus\\WebCamPlusSrv.exe"=
"C:\\Program Files\\Ateksoft\\WebCamera Plus\\camviewer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2047:TCP"= 2047:TCP:WebCameraPlus

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 MSSQL$ACT7;SQL Server (ACT7);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sACT7 []
R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service []
R2 Webcamera Plus Service;Webcamera Plus Service;C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe [2007-12-25 11:06]
R3 AteksoftAudio;WebCamera Plus Audio;C:\WINDOWS\system32\drivers\ateksoftaudio.sys [2007-12-25 11:06]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-01-09 12:53]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-02-05 11:49]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-01-09 12:53]
S3 ACT! Scheduler;ACT! Scheduler;"C:\Program Files\ACT\ACT for Web\Act.Scheduler.exe" [2007-10-31 09:01]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-02-14 17:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d94a344-a8e4-11dc-a6fe-0016418b4627}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acce3a70-eeda-11dc-a743-0015c541e3a3}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acce3a71-eeda-11dc-a743-0015c541e3a3}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 14:51:26 C:\WINDOWS\Tasks\SyncBack Nightly Backup.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
"2008-06-09 11:00:06 C:\WINDOWS\Tasks\SyncBack Update ISO Quality Service Tech.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe%-m
"2008-06-10 21:00:11 C:\WINDOWS\Tasks\SyncBack Update My ISO.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
"2008-06-11 17:33:08 C:\WINDOWS\Tasks\User_Feed_Synchronization-{88DA1DC7-CD28-4BB5-9480-4255B69FA2D4}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2008-06-09 06:00:29 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 13:29:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\java.exe
.
**************************************************************************
.
Completion time: 2008-06-11 13:34:20 - machine was rebooted [Patrick Lawrence]
ComboFix-quarantined-files.txt 2008-06-11 17:34:16

Pre-Run: 17,941,413,888 bytes free
Post-Run: 17,966,755,840 bytes free

336 --- E O F --- 2008-06-10 17:17:07

SDFix

SDFix: Version 1.191
Run by Patrick Lawrence on Wed 06/11/2008 at 01:52 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Folder C:\WINDOWS\system32\vntiho05 - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 14:00:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016418b4627]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016418b4627]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Nortel\\Extranet.exe"="C:\\Program Files\\Nortel\\Extranet.exe:*:Enabled:Contivity VPN Client"
"C:\\Program Files\\ACT\\Act for Web\\ActSage.exe"="C:\\Program Files\\ACT\\Act for Web\\ActSage.exe:*:Enabled:ACT! 9.x/2007 Workgroup"
"C:\\RBMSuite\\sys\\Mtdbmgr.exe"="C:\\RBMSuite\\sys\\Mtdbmgr.exe:*:Enabled:MtDbMgr"
"C:\\RBMSuite\\sys\\netadmin.exe"="C:\\RBMSuite\\sys\\netadmin.exe:*:Enabled:NetAdmin"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Common Files\\TiVo Shared\\Beacon\\TiVoBeacon.exe"="C:\\Program Files\\Common Files\\TiVo Shared\\Beacon\\TiVoBeacon.exe:LocalSubNet:Enabled:TiVo Beacon Service"
"C:\\Program Files\\Common Files\\TiVo Shared\\Transfer\\TiVoTransfer.exe"="C:\\Program Files\\Common Files\\TiVo Shared\\Transfer\\TiVoTransfer.exe:LocalSubNet:Enabled:TiVo Transfer Service"
"C:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"="C:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe:LocalSubNet:Enabled:TiVo Server Service"
"C:\\Program Files\\TiVo\\Desktop\\TiVoDesktop.exe"="C:\\Program Files\\TiVo\\Desktop\\TiVoDesktop.exe:LocalSubNet:Enabled:TiVo Desktop User Interface"
"C:\\Program Files\\TVHarmony\\AutoPilot.exe"="C:\\Program Files\\TVHarmony\\AutoPilot.exe:*:Enabled:TVHarmony AutoPilot"
"C:\\WINDOWS\\system32\\java.exe"="C:\\WINDOWS\\system32\\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\PcHelpWare\\repeater\\phw_repeater.exe"="C:\\PcHelpWare\\repeater\\phw_repeater.exe:*:Disabled:distributer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Ateksoft\\WebCamera Plus\\WebCamPlusSrv.exe"="C:\\Program Files\\Ateksoft\\WebCamera Plus\\WebCamPlusSrv.exe:*:Enabled:WebCamera Plus Service"
"C:\\Program Files\\Ateksoft\\WebCamera Plus\\camviewer.exe"="C:\\Program Files\\Ateksoft\\WebCamera Plus\\camviewer.exe:*:Enabled:WebCamera Plus"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :

Files with Hidden Attributes :

Tue 30 Oct 2007 211 A.SH. --- "C:\BOOT.BAK"
Wed 31 Oct 2007 88 ..SHR --- "C:\WINDOWS\system32\6EF445DB58.sys"
Wed 11 Jun 2008 2,410 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 11 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 2 Oct 2006 50,280 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:36 PM, on 6/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\TVHarmony\AutoPilot.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TVHarmony AutoPilot.lnk = C:\Program Files\TVHarmony\AutoPilot.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193764981687
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACT! Scheduler - Sage Software SB, Inc - C:\Program Files\ACT\ACT for Web\Act.Scheduler.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Webcamera Plus Service - Ateksoft Company Ltd. - C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14430 bytes


Thanks a lot for the help, Billy.

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:13 AM

Posted 11 June 2008 - 03:06 PM

Hello, Lawrencep.

Thanks a lot for the help, Billy.

No problem :thumbsup:

We need to re-run ComboFix with some additonal directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    file::
    C:\WINDOWS\system32\mybhkjrr.dll
    C:\WINDOWS\system32\wgayanlc.dll
    C:\WINDOWS\system32\ximrnxjk.dll
    C:\WINDOWS\system32\lobpbync.dll
    C:\WINDOWS\system32\ysxsuavk.dll
    C:\WINDOWS\system32\ijsabbyw.dll
    C:\WINDOWS\system32\uaqmisry.dll
    C:\WINDOWS\system32\tebclfpc.dll
    C:\WINDOWS\system32\ijsabbyw.dll
    C:\WINDOWS\system32\tebclfpc.dll
    
    registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5233FCD-D258-4903-89B8-FB1568E7413D}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6F431AC3-364A-478b-BBDB-89C7CE1B18F6}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{AE7CD045-E861-484f-8273-0445EE161910}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{D5233FCD-D258-4903-89B8-FB1568E7413D}]
    
    [-HKEY_CLASSES_ROOT\CLSID\{6F431AC3-364A-478b-BBDB-89C7CE1B18F6}]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please reply with the ComboFix log, as well as a new HiJack This log.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 lawrencep

lawrencep
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 11 June 2008 - 07:21 PM

As requested--

ComboFix
ComboFix 08-06-10.5 - Patrick Lawrence 2008-06-11 19:35:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.455 [GMT -4:00]
Running from: C:\Documents and Settings\Patrick Lawrence\Desktop\Malware Repair Utilities\ComboFix.exe
Command switches used :: C:\Documents and Settings\Patrick Lawrence\Desktop\Malware Repair Utilities\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ijsabbyw.dll
C:\WINDOWS\system32\lobpbync.dll
C:\WINDOWS\system32\mybhkjrr.dll
C:\WINDOWS\system32\tebclfpc.dll
C:\WINDOWS\system32\uaqmisry.dll
C:\WINDOWS\system32\wgayanlc.dll
C:\WINDOWS\system32\ximrnxjk.dll
C:\WINDOWS\system32\ysxsuavk.dll
.

((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
.

2008-06-11 13:47 . 2008-06-11 13:48 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-11 13:40 . 2008-06-11 14:04 <DIR> d-------- C:\SDFix
2008-06-10 13:26 . 2008-06-10 13:26 <DIR> d-------- C:\Program Files\Auslogics
2008-06-10 13:26 . 2008-06-10 13:26 <DIR> d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\Auslogics
2008-06-10 13:06 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 13:02 . 2008-04-14 08:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 11:02 . 2008-06-10 11:02 <DIR> d-------- C:\Program Files\NDAS
2008-06-10 11:02 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-06-10 11:02 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-06-10 10:59 . 2008-06-10 11:01 <DIR> d-------- C:\cool
2008-06-10 10:59 . 1997-04-29 08:06 140,288 --a------ C:\WINDOWS\system32\ra3214_4.dll
2008-06-10 10:59 . 1997-05-01 15:01 127,023 --a------ C:\WINDOWS\c96unins.exe
2008-06-10 10:59 . 1997-04-29 08:06 90,624 --a------ C:\WINDOWS\system32\pnc32301.dll
2008-06-10 10:59 . 1997-04-29 08:06 85,504 --a------ C:\WINDOWS\system32\encdnet.dll
2008-06-10 10:59 . 1997-04-29 08:06 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll
2008-06-10 10:59 . 1997-04-29 08:06 13,824 --a------ C:\WINDOWS\system32\ra32dnet.dll
2008-06-09 11:24 . 2008-06-10 11:01 3,817 --a------ C:\WINDOWS\COOL.INI
2008-06-06 13:28 . 2008-06-06 13:28 8,354 --a------ C:\ExpStmtNew.snp
2008-06-06 05:58 . 2008-06-06 05:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-05 22:23 . 2008-06-05 22:23 <DIR> d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\Malwarebytes
2008-06-05 22:23 . 2008-06-05 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-04 15:29 . 2008-06-04 15:29 <DIR> d-------- C:\Deckard
2008-06-04 14:09 . 2008-06-04 14:09 0 --a------ C:\WINDOWS\BMbba5134a.xml
2008-06-04 09:52 . 2008-06-04 09:52 164 --a------ C:\install.dat
2008-06-04 09:17 . 2008-06-04 09:17 <DIR> d-------- C:\VundoFix Backups
2008-06-04 08:06 . 2008-06-04 08:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-04 08:06 . 2008-06-04 08:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 23:13 . 2008-05-31 23:13 <DIR> d-------- C:\Program Files\Defraggler
2008-05-31 20:59 . 2008-05-31 20:59 <DIR> d-------- C:\Program Files\CCleaner
2008-05-31 20:56 . 2008-06-11 14:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-31 20:56 . 2008-06-11 14:20 <DIR> d-------- C:\Documents and Settings\Patrick Lawrence\Application Data\SUPERAntiSpyware.com
2008-05-31 20:56 . 2008-05-31 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-30 15:05 . 2008-05-31 20:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 15:05 . 2008-05-31 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 15:24 . 2008-06-02 10:05 <DIR> dr-h----- C:\$VAULT$.AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 18:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 12:15 2,410 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-11 12:00 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\AVG7
2008-06-11 11:20 --------- d-----w C:\Program Files\LogMeIn
2008-06-10 18:03 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\WeatherBug
2008-06-10 14:10 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\LimeWire
2008-06-05 19:59 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\FileZilla
2008-06-05 17:56 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\ieSpell
2008-06-04 11:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-30 13:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-19 19:24 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-05-19 19:23 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2008-05-19 19:23 24,608 ----a-w C:\WINDOWS\system32\LMIport.dll
2008-05-19 19:23 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2008-05-19 19:23 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2008-05-12 15:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-12 15:57 --------- d-----w C:\Documents and Settings\Patrick Lawrence\Application Data\AdobeUM
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 14:20 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 14:14 --------- d-----w C:\Program Files\FileZilla Client
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-22 19:04 --------- d-----w C:\Program Files\LimeWire
2008-04-17 01:05 --------- d-----w C:\Program Files\ieSpell
2008-04-14 12:30 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ----a-w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2007-10-31 13:32 88 --sh--r C:\WINDOWS\system32\6EF445DB58.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-11_13.34.03.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-11 17:28:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 18:22:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-11 06:07:53 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-11 17:48:36 8,830,976 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-11 17:48:36 360,448 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-11 06:07:53 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-11 17:48:07 8,830,976 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-11 17:48:08 360,448 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-06-11 17:28:50 225,927 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-06-11 18:23:47 225,932 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-06-10 19:59:32 123,944 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-11 18:27:06 123,944 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-10 19:59:32 587,228 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-11 18:27:06 587,228 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-11 18:22:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_518.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2007-08-23 19:31 1343488]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-22 08:51 160592]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-09-25 11:33 1195008]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2007-09-25 11:34 384000]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2007-09-25 11:35 1495040]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="rundll32.exe" [2008-04-13 20:12 33280 C:\WINDOWS\system32\rundll32.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-14 18:07 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-14 18:04 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-14 18:08 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 15:19 282624 C:\WINDOWS\stsystra.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 15:13 176128]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 19:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 18:58 696320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-12 22:34 286720]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-11-07 06:20 122940]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29 49152]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 16:09 63048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 08:57 579584]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-21 00:09 219136]

C:\Documents and Settings\Patrick Lawrence\Start Menu\Programs\Startup\
TVHarmony AutoPilot.lnk - C:\Program Files\TVHarmony\AutoPilot.exe [2007-09-16 12:17:03 1146880]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00 1724416]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20 73728]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.mjpg"= mcmjpg32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Nortel\\Extranet.exe"=
"C:\\Program Files\\ACT\\Act for Web\\ActSage.exe"=
"C:\\RBMSuite\\sys\\Mtdbmgr.exe"=
"C:\\RBMSuite\\sys\\netadmin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\TVHarmony\\AutoPilot.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\PcHelpWare\\repeater\\phw_repeater.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Ateksoft\\WebCamera Plus\\WebCamPlusSrv.exe"=
"C:\\Program Files\\Ateksoft\\WebCamera Plus\\camviewer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2047:TCP"= 2047:TCP:WebCameraPlus

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R2 MSSQL$ACT7;SQL Server (ACT7);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sACT7 []
R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service []
R2 Webcamera Plus Service;Webcamera Plus Service;C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe [2007-12-25 11:06]
R3 AteksoftAudio;WebCamera Plus Audio;C:\WINDOWS\system32\drivers\ateksoftaudio.sys [2007-12-25 11:06]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-01-09 12:53]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-02-05 11:49]
S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2002-01-09 12:53]
S3 ACT! Scheduler;ACT! Scheduler;"C:\Program Files\ACT\ACT for Web\Act.Scheduler.exe" [2007-10-31 09:01]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-02-14 17:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d94a344-a8e4-11dc-a6fe-0016418b4627}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acce3a70-eeda-11dc-a743-0015c541e3a3}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acce3a71-eeda-11dc-a743-0015c541e3a3}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 14:51:26 C:\WINDOWS\Tasks\SyncBack Nightly Backup.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
"2008-06-09 11:00:06 C:\WINDOWS\Tasks\SyncBack Update ISO Quality Service Tech.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe%-m
"2008-06-11 21:01:41 C:\WINDOWS\Tasks\SyncBack Update My ISO.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
"2008-06-11 23:32:04 C:\WINDOWS\Tasks\User_Feed_Synchronization-{88DA1DC7-CD28-4BB5-9480-4255B69FA2D4}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-11 19:37:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-11 19:38:40
ComboFix-quarantined-files.txt 2008-06-11 23:38:36
ComboFix2.txt 2008-06-11 17:34:21

Pre-Run: 17,836,408,832 bytes free
Post-Run: 17,826,877,440 bytes free

291 --- E O F --- 2008-06-10 17:17:07


HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:50 PM, on 6/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\TVHarmony\AutoPilot.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TVHarmony AutoPilot.lnk = C:\Program Files\TVHarmony\AutoPilot.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193764981687
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACT! Scheduler - Sage Software SB, Inc - C:\Program Files\ACT\ACT for Web\Act.Scheduler.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Webcamera Plus Service - Ateksoft Company Ltd. - C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13497 bytes

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:13 AM

Posted 12 June 2008 - 12:17 PM

Hello again, Lawrencep

You appear to have Weather Bug installed
The free version of Weather Bug is generally considered to be adware. As such, it is up to you whether you wish to remove it or leave it installed. The information here and here may help you decide. If you wish to uninstall this: First, right click the WeatherBug icon in the systray and disable it, then go to Add/Remove Programs and uninstall from there.

You have a Peer-To-Peer program installed.
Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case Limewire). These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

You appear to have Remote Control application(s) installed
In your case, this is refering to:
  • LogMeIn
  • PcHelpWare
Remote control programs allow complete control of your machine as if you are sitting in front of it, even if you are in some distant location. While this can be a good thing, we need to make sure that this software was installed for a benign purpose, and not for a malicious one. If an attacker installed one of these programs, it would allow them to remotely control your computer, steal critical system information and download and execute files.

If you have this application installed on purpose, than you can safely ignore this warning. But if you didn't install these applications, please remove them from Add/Remove Programs now.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe
  • Follow the on screen instructions to install the latest Java version.
I would like to check our work.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use +A)
  • Right-click again and chose "Copy" (or +C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

Please reply with the ESET scan, as well as a new HJT log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 lawrencep

lawrencep
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 12 June 2008 - 02:39 PM

I'm ok with WeatherBug. I removed LimeWire. PCHelpWare and LogMeIn were both installed on purpose. LogMeIn works great from my phone. JRE6 is now installed.

ESET Log
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3181 (20080612)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=8abc2cc7dc498246b07a2436fe872781
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-06-12 08:30:13
# local_time=2008-06-12 04:30:13 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=341708
# found=0
# scan_time=2578

HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:36 PM, on 6/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TVHarmony AutoPilot.lnk = C:\Program Files\TVHarmony\AutoPilot.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193764981687
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACT! Scheduler - Sage Software SB, Inc - C:\Program Files\ACT\ACT for Web\Act.Scheduler.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Webcamera Plus Service - Ateksoft Company Ltd. - C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13317 bytes

Edited by lawrencep, 12 June 2008 - 03:32 PM.


#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:13 AM

Posted 12 June 2008 - 07:05 PM

Hello again, Lawrencep, you now appear to be clean. Congratulations!

We need to remove ComboFix
  • Click START then RUN
  • Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.
    Posted Image
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
The infections you had were "Vundo, Trojan-Downloader.Win32.Agent.keu "

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
    You can view a video of the following instructions.
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    Note: You should only do this once!

  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.

  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here
    You can download SpywareBlaster from here.

  • Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly.

  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Microsoft Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable it,
    • Run Spybot Search & Destroy
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot Search & Destroy, click on "Tools", and then on Hosts File.
    • Click on "Add Spybot-S&D hosts list"
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start -> Run.
    • Type "services.msc" (without quotes) & click OK.
    • In the list, find the service called "DNS Client" & double click on it.
    • On the dropdown box, change the setting from "Automatic" to "Manual".
    • Click OK.
    • Exit/close the Services window
    For a more detailed explanation of the HOSTS file, click here.

  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers

  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date!

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#11 lawrencep

lawrencep
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 14 June 2008 - 07:46 AM

Billy,

ComboFix is removed--how about the recovery console? Does that need to be removed? I guess I can change the time to select an OS (when it boots) from 30 sec to 2 sec or something.

Not too impressed with Secunia--it keeps nagging me with false alarms on a few pieces of software.

Spybot S&D is installed. I'm vaccinated, innoculated and percolated.

On point 9, I guess you saw that I'm running AVG--it updates daily and is supposedly ever-watching. I'm not sure why it didn't pick up on a trojan that's been around a while. I'm pretty sure I got this from codecs.exe.

Thanks again for all the help. I'll try to be more careful out there.

Patrick

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:13 AM

Posted 14 June 2008 - 07:48 AM

Hello.

ComboFix is removed--how about the recovery console? Does that need to be removed? I guess I can change the time to select an OS (when it boots) from 30 sec to 2 sec or something.

The console is always useful to have lying around :thumbsup:

Thanks again for all the help. I'll try to be more careful out there.

Your welcome, and Good ;)

Have a nice day,
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#13 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:01:13 PM

Posted 16 June 2008 - 06:43 PM

As this issue seems to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
For all others, if you have a similar issue please start a new topic.

Thanks for asking in BleepingComputer.com

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users