Infected Trojan-downloader.win32.vb.euf & Others


1 reply to this topic

#1 theal

Posted 09 June 2008 - 09:39 AM

Hi,
I ran a wrong executable & got infected with several viruses.
My ESET AV picked up a few (below) but not all.

I tried several things including ComboFix, but it looks like the virus is still there.


I'm listing below the ESET, Kaspersky and HijackThis (attached) logs.

Any help would be greatly appreciated.

ESET detected viruses:

On-demand:
C:\System Volume Information\_restore{75D3E97B-67EB-4914-8DDA-C497C2910F3F}\RP9\A0004571.exe - Win32/TrojanDownloader.Agent.PLZ trojan - cleaned by deleting - quarantined [1]
C:\...\dtsc\31194.exe - Win32/TrojanDownloader.Agent.PLZ trojan - cleaned by deleting - quarantined [1]


Active live malware links removed.


HJT log inserted.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:24 AM, on 6/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Security\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\Security\HIJACK~1\USER.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\Internet\COPERN~1\COPERN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\Utils\MACROE~1\iCapture.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Utils\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Utils\AI RoboForm\roboform.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\Security\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Security\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: FolderMirror.lnk = C:\Program Files\Chapura\FolderMirror\FolderMirror.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Trillian.lnk = C:\Program Files\Internet\Trillian\trillian.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\Hardware\APC PowerChute Personal Edition\Display.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Logo Calibration Loader.lnk.disabled
O4 - Global Startup: ProfileReminder.lnk.disabled
O4 - Global Startup: SpectraView II Gamma Loader.lnk = C:\Program Files\NEC DISPLAY SOLUTIONS\SpectraView II\SpectraView.exe
O4 - Global Startup: Spyder3Utility.lnk.disabled
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Utils\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Utils\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Utils\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Internet\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\Internet\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\Internet\COPERN~1\COPERN~1.DLL
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Security\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Utils\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Utils\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Utils\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Utils\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Utils\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Utils\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Internet\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Internet\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Security\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.tdameritrade.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://meeting.usa.canon.com/qp2.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://quicken.ehosts.net/netagent/objects/custappx3.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://appserver.dca.broadvoice.com/commpi...s/BwOutlook.CAB
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1199039520484
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1120079971328
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://upload.vkontakte.ru/uploader/ImageUploader4.cab
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (Surgient URA Remote Desktop Client) - https://mscrm.demoservers.com/proxy/srdp.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/A...eX/FileXfer.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/T23L/webex/ieatgpc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDCEA88A-DE76-4F37-ACF7-CCC151EAFCDC}: NameServer = 151.202.0.84,151.202.0.85
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\Hardware\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Security\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\Security\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\Security\ESET Smart Security\ekrn.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\Utilities\TightVNC\WinVNC.exe

--
End of file - 16235 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\Security\HIJACK~1\backups\) -----------

backup-20040706-173142-797 O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
backup-20080605-233146-450 O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\efcBtqOi.dll
backup-20080605-233603-342 O2 - BHO: (no name) - {8A3825BD-0616-40AC-8435-7F000F9DA916} - C:\WINDOWS\system32\mlJcBqnK.dll (file missing)
backup-20080605-233603-562 O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\efcBtqOi.dll
backup-20080605-233603-737 O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - C:\WINDOWS\TinyBHO.dll
backup-20080605-233603-866 O20 - Winlogon Notify: efcBtqOi - C:\WINDOWS\SYSTEM32\efcBtqOi.dll
backup-20080605-234014-357 O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
backup-20080605-234014-855 O20 - Winlogon Notify: efcBtqOi - C:\WINDOWS\SYSTEM32\efcBtqOi.dll
backup-20080605-234014-876 O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
backup-20080605-234032-694 O20 - Winlogon Notify: efcBtqOi - C:\WINDOWS\SYSTEM32\efcBtqOi.dll
backup-20080605-235812-668 O20 - Winlogon Notify: efcBtqOi - efcBtqOi.dll (file missing)
backup-20080605-235851-937 O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\efcBtqOi.dll (file missing)
backup-20080606-225650-293 O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
backup-20080606-225650-334 O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
backup-20080606-225650-645 O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
backup-20080606-225650-665 O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
backup-20080606-225650-677 O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk.disabled
backup-20080606-225650-855 O4 - HKLM\..\Run: [HPSJ5 Polling Driver] C:\HARDWARE\SCNJET5S\hpsjpl32.exe
backup-20080606-225653-456 O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://216.173.38.12/tsweb/msrdp.cab
backup-20080606-225653-570 O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
backup-20080606-230238-269 O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\Hardware\ATI Control Panel\atiptaxx.exe
backup-20080606-230238-492 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 dvd43llh - c:\windows\system32\drivers\dvd43llh.sys <Not Verified; RIF; DVD For Free>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S1 CorexCardScan (CardScan USB Scanner) - c:\windows\system32\drivers\slcorex.sys (file missing)
S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S1 mbmiodrvr - c:\windows\system32\mbmiodrvr.sys <Not Verified; cansoft@livewiredev.com; Windows ® 2000 DDK driver>
S1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
S1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
S1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
S2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
S2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
S2 PDIHWCTL - c:\windows\system32\drivers\pdihwctl.sys <Not Verified; Portrait Displays, Inc.; PdiHwCtl>
S2 SkParCls - c:\windows\system32\drivers\skparcls.sys <Not Verified; Silitek Corporation.; >
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
S3 EL90XBC (3Com 3C90X-BC Family PCI EtherLink Adapter) - c:\windows\system32\drivers\el90xbc5.sys (file missing)
S3 EraserUtilDrvI4 - c:\program files\common files\symantec shared\eengine\eraserutildrvi4.sys (file missing)
S3 hplto - c:\windows\system32\drivers\hplto.sys <Not Verified; Hewlett-Packard; HPLTO™>
S3 NDSPCIIO - c:\windows\system32\drivers\ndspciio.sys <Not Verified; Licensed for NEC-DS, Ltd.; NDSPCIIO Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>
S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 pnetcom (PdaNet Port Service) - c:\windows\system32\drivers\pnetcom.sys <Not Verified; June Fabrics PDA Technology Group; pnetcom>
S3 pnetmdm (PdaNet Modem) - c:\windows\system32\drivers\pnetmdm.sys <Not Verified; JuneFabrics; PdaNet Driver>
S3 PSI - c:\windows\system32\drivers\psi_mf.sys <Not Verified; Secunia; Secunia Personal Software Inspector>
S3 SDDMI2 - c:\windows\system32\ddmi2.sys <Not Verified; Gteko Ltd.; DDMI>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
S2 BRA_Scheduler (Brother BRAdminPro Scheduler) - c:\program files\brother\bradmin professional 3\bratimer.exe
S2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
S2 EpsonBidirectionalService - c:\program files\common files\epson\ebapi\eebsvc.exe <Not Verified; SEIKO EPSON CORPORATION; Enhanced EPSON Bi-directional API>
S2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>
S3 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
S3 winvnc (VNC Server) - "c:\program files\utilities\tightvnc\winvnc.exe" -service <Not Verified; TightVNC Group; TightVNC Win32 Server>
S4 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 CA_LIC_CLNT (CA License Client) - c:\ca_lic\lic98rmt.exe <Not Verified; Computer Associates International Inc.; Lic98>
S4 CA_LIC_SRVR (CA License Server) - c:\ca_lic\lic98rmtd.exe <Not Verified; Computer Associates International Inc.; Lic98>
S4 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S4 DNSerSvc (Dynamic DNS Updater) - c:\windows\dnsersvc.exe <Not Verified; Access, Slovenia; DNSer>
S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 Kiwi Syslog Daemon - c:\program files\utils\kiwisyslog\syslogd_service.exe <Not Verified; Kiwi Enterprises; Kiwi Syslog Daemon>
S4 LiveUpdate Notice Ex (LiveUpdate Notice Service Ex) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S4 LogWatch (Event Log Watch) - c:\ca_lic\logwatnt.exe <Not Verified; Computer Associates; Computer Associates LogWatNT>
S4 wfxsvc (WinFax PRO) - c:\windows\system32\wfxsvc.exe <Not Verified; Symantec Corporation; Symantec WinFax PRO>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Datacolor Spyder3
Device ID: USB\VID_085C&PID_0300\5&2BB26B6B&0&2
Manufacturer: Datacolor
Name: Datacolor Spyder3
PNP Device ID: USB\VID_085C&PID_0300\5&2BB26B6B&0&2
Service: Spyder3


-- Scheduled Tasks -------------------------------------------------------------

2008-06-09 09:10:26 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-07 15:47:22 426 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{EE743B65-903C-4247-BDEC-F66CD3B6D0CB}.job
2008-06-07 08:00:38 409 --a------ C:\WINDOWS\Tasks\2 Copernic Daily ~COMPUTER USER.job
2008-06-03 02:03:00 258 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-06-02 09:00:31 414 --a------ C:\WINDOWS\Tasks\3 Copernic Weekly ~COMPUTER USER.job
2008-06-01 17:15:51 312 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-06-01 10:00:06 419 --a------ C:\WINDOWS\Tasks\4 Copernic Monthly ~COMPUTER USER.job
2008-05-31 03:28:58 236 --a------ C:\WINDOWS\Tasks\Defragmenter.job
2008-05-29 02:37:23 433 --a------ C:\WINDOWS\Tasks\1 Copernic Intra-Daily ~COMPUTER USER.job
2007-06-03 20:22:16 284 -----n--- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-07 15:52:04 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-07 15:52:04 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-07 15:50:31 3616 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-07 15:50:31 1943584 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-07 15:50:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-07 15:48:53 0 d-------- C:\tempkav7
2008-06-07 10:37:05 0 d-------- C:\Documents and Settings\USER\dwhelper
2008-06-07 00:12:22 0 d-------- C:\NVIDIA
2008-06-06 23:54:43 0 d-------- C:\Program Files\SystemRequirementsLab
2008-06-06 23:26:00 0 d-------- C:\Program Files\NEC DISPLAY SOLUTIONS
2008-06-06 22:01:30 0 d-------- C:\Documents and Settings\USER\.housecall6.6
2008-06-06 10:56:18 0 d-------- C:\WINDOWS\Prefetch
2008-06-06 10:35:54 0 d-------- C:\WINDOWS\system32\scripting
2008-06-06 10:35:52 0 d-------- C:\WINDOWS\l2schemas
2008-06-06 10:35:51 0 d-------- C:\WINDOWS\system32\en
2008-06-06 09:41:37 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-06 00:38:31 0 d-------- C:\TEMP
2008-06-06 00:26:18 0 d-------- C:\cmdcons
2008-06-06 00:24:57 68096 --a------ C:\WINDOWS\zip.exe
2008-06-06 00:24:57 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-06 00:24:57 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-06 00:24:57 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-06 00:24:57 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-06 00:24:57 98816 --a------ C:\WINDOWS\sed.exe
2008-06-06 00:24:57 80412 --a------ C:\WINDOWS\grep.exe
2008-06-06 00:24:57 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-04 22:20:43 0 d-------- C:\Documents and Settings\USER\Application Data\HouseCall 6.6
2008-06-04 18:44:05 0 d-------- C:\Virus
2008-05-26 16:53:07 0 d-------- C:\Program Files\Datacolor
2008-05-26 12:13:57 0 d-------- C:\Documents and Settings\USER\Application Data\Talkback
2008-05-12 09:40:43 352256 --a------ C:\WINDOWS\esellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-05-09 08:40:22 0 d-------- C:\Documents and Settings\USER\Application Data\Windows Search


-- Find3M Report ---------------------------------------------------------------

2008-06-09 09:01:44 0 d-------- C:\Program Files\Security
2008-06-07 15:47:24 256 --a------ C:\WINDOWS\system32\pool.bin
2008-06-07 10:02:57 0 d-------- C:\Documents and Settings\USER\Application Data\uTorrent
2008-06-06 23:42:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-06 10:36:31 0 d-------- C:\Program Files\Messenger
2008-06-06 10:35:50 0 d-------- C:\Program Files\Movie Maker
2008-06-06 10:28:02 0 d-------- C:\Program Files\Windows NT
2008-06-06 09:53:10 0 d-------- C:\Documents and Settings\USER\Application Data\Move Networks
2008-06-06 09:42:14 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-06 07:41:51 0 d-------- C:\Program Files\Common Files\efax
2008-06-04 21:53:30 0 d-------- C:\Program Files\Plaxo
2008-06-04 16:50:53 0 d-------- C:\Documents and Settings\USER\Application Data\RiskData
2008-06-02 20:18:30 34 --a------ C:\WINDOWS\system32\BD5250DN.DAT
2008-06-01 18:49:06 0 d-------- C:\Program Files\Utilities
2008-05-29 01:50:07 0 d-------- C:\Documents and Settings\USER\Application Data\ZoomBrowser EX
2008-05-28 13:12:00 0 d-------- C:\Program Files\Hardware
2008-05-26 16:06:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-26 16:06:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-26 16:06:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-26 16:06:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-26 16:06:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-26 16:06:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-26 16:06:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-26 16:06:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-05-26 12:11:50 0 d-------- C:\Documents and Settings\USER\Application Data\Mozilla
2008-05-25 11:15:42 2836 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-20 08:17:52 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-13 10:02:30 0 d-------- C:\Documents and Settings\USER\Application Data\webex
2008-05-09 08:51:21 0 d-------- C:\Program Files\myTrack
2008-05-06 08:27:02 0 d-------- C:\Documents and Settings\USER\Application Data\Adobe
2008-05-03 17:45:36 0 d-------- C:\Program Files\Canon
2008-04-30 00:20:06 0 d-------- C:\Documents and Settings\USER\Application Data\Skype
2008-04-30 00:19:02 0 d-------- C:\Documents and Settings\USER\Application Data\skypePM
2008-04-30 00:02:19 0 d-------- C:\Documents and Settings\USER\Application Data\Windows Desktop Search
2008-04-29 11:29:08 0 d-------- C:\Program Files\Windows Desktop Search
2008-04-28 09:43:12 0 d-------- C:\Documents and Settings\USER\Application Data\Blackberry Desktop
2008-04-28 09:42:01 0 d-------- C:\Program Files\BlackBerry
2008-04-27 22:44:24 0 d-------- C:\Program Files\uTorrent
2008-04-27 19:45:21 0 d-------- C:\Documents and Settings\USER\Application Data\Wireshark
2008-04-27 19:43:14 0 d-------- C:\Program Files\WinPcap
2008-04-27 19:31:58 0 d-------- C:\Program Files\Utils
2008-04-27 18:27:27 0 d-------- C:\Program Files\Brother
2008-04-27 18:16:04 0 d-------- C:\Program Files\Multimedia
2008-04-27 18:06:08 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-04-27 18:05:30 0 d-------- C:\Program Files\Roxio
2008-04-27 18:03:49 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-04-26 12:29:31 0 d-------- C:\Program Files\Java
2008-04-14 21:31:19 0 d-------- C:\Documents and Settings\USER\Application Data\Intuit
2008-04-14 21:27:06 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-14 21:23:56 0 d-------- C:\Program Files\TurboTax
2008-04-03 09:55:14 165 --a------ C:\WINDOWS\Defragmenter.bat
2008-03-31 17:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 17:25:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-03-31 17:25:46 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-03-31 17:25:46 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 17:25:46 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-03-22 19:51:28 313 --a------ C:\Program Files\INSTALL.LOG
2008-03-21 16:30:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 16:28:54 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-03-21 16:28:54 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-03-21 16:28:20 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\Security\ESET Smart Security\egui.exe" [04/23/2008 02:57 PM]
"nwiz"="nwiz.exe" [05/26/2008 04:06 PM C:\Windows\system32\nwiz.exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 05:33 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 01:01 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [10/03/2007 04:44 PM]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [03/19/2002 06:30 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/26/2008 04:06 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/26/2008 04:06 PM]
"SigmatelSysTrayApp"="stsystra.exe" [03/22/2005 05:20 PM C:\Windows\stsystra.exe]
"AVP"="C:\Program Files\Security\Kaspersky Anti-Virus 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/14/2008 05:42 AM]

C:\Documents and Settings\USER\Start Menu\Programs\Startup\
FolderMirror.lnk - C:\Program Files\Chapura\FolderMirror\FolderMirror.exe [1/21/2008 10:42:59 PM]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [8/24/2007 5:45:42 AM]
Trillian.lnk - C:\Program Files\Internet\Trillian\trillian.exe [12/11/2007 1:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [4/13/2006 1:26:02 PM]
APC UPS Status.lnk - C:\Program Files\Hardware\APC PowerChute Personal Edition\Display.exe [12/7/2004 10:54:40 AM]
Desktop Manager.lnk - C:\Program Files\BlackBerry\DesktopMgr.exe [11/12/2007 2:22:04 PM]
Logo Calibration Loader.lnk.disabled [5/21/2008 11:54:02 PM]
ProfileReminder.lnk.disabled [5/21/2008 11:54:02 PM]
SpectraView II Gamma Loader.lnk - C:\Program Files\NEC DISPLAY SOLUTIONS\SpectraView II\SpectraView.exe [2/27/2008 9:05:56 AM]
Spyder3Utility.lnk.disabled [5/26/2008 5:04:28 PM]
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2/5/2007 3:40:46 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [03/25/2008 05:56 AM 303616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^USER^Start Menu^Programs^Startup^Kiwi Syslog Daemon.lnk]
path=C:\Documents and Settings\USER\Start Menu\Programs\Startup\Kiwi Syslog Daemon.lnk
backup=C:\WINDOWS\pss\Kiwi Syslog Daemon.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk.disabled
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZAGAT TO GO Manager.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZAGAT TO GO Manager.lnk.disabled
backup=C:\WINDOWS\pss\ZAGAT TO GO Manager.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardScan AutoSync]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G4G]
C:\WINDOWS\h8907435.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Installer]
C:\Documents and Settings\USER\Application Data\Microsoft\dtsc\31194.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
C:\HARDWARE\SCNJET5S\hpsjpl32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\program files\multimedia\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"C:\Program Files\Utilities\TightVNC\WinVNC.exe" -servicehelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fix-It Task Manager"=3 (0x3)
"CA_LIC_SRVR"=3 (0x3)
"CA_LIC_CLNT"=3 (0x3)
"LogWatch"=2 (0x2)
"wfxsvc"=3 (0x3)
"AdobeActiveFileMonitor"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"PhotoshopElementsDeviceConnect"=2 (0x2)
"Kiwi Syslog Daemon"=3 (0x3)
"LVSrvLauncher"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"MsSecurity1.209.4"=2 (0x2)
"LVCOMSer"=3 (0x3)
"LiveUpdate Notice Service"=3 (0x3)
"LiveUpdate Notice Ex"=3 (0x3)
"LiveUpdate"=3 (0x3)
"CLTNetCnService"=3 (0x3)
"Automatic LiveUpdate Scheduler"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"SNMPTRAP"=3 (0x3)
"SNMP"=2 (0x2)
"seclogon"=2 (0x2)
"r_server"=3 (0x3)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"mnmsrvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ALG"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ink Monitor"=C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
"EPSON Stylus Photo R220 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"DellTouch"=C:\WINDOWS\DELLMMKB.EXE
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SpybotSnD"="C:\Program Files\Security\Spybot - Search & Destroy\SpybotSD.exe" /autofix /autoclose /waitstart

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e56db049-b6c9-11dc-8a83-806d6172696f}]
AutoRun\command- F:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-06-09 09:15:51 ------------



KASPERSKY detection:
2008-06-09 02:31:01 C:\Program Files\Security\HijackThis\backups\backup-20080605-233146-450.dll detected not-a-virus:AdWare.Win32.Virtumonde.rcq
2008-06-09 02:31:15 C:\Program Files\Security\HijackThis\backups\backup-20080605-233146-450.dll was deleted
2008-06-09 02:31:15 C:\Program Files\Security\HijackThis\backups\backup-20080605-233603-562.dll detected not-a-virus:AdWare.Win32.Virtumonde.rcq
2008-06-09 02:31:15 C:\Program Files\Security\HijackThis\backups\backup-20080605-233603-562.dll was deleted
2008-06-09 02:31:15 C:\Program Files\Security\HijackThis\backups\backup-20080605-233603-737.dll detected not-a-virus:AdWare.Win32.BHO.bji
2008-06-09 02:31:15 C:\Program Files\Security\HijackThis\backups\backup-20080605-233603-737.dll was deleted
2008-06-09 02:41:40 C:\Virus\Posible Viruses creted by Torrent\h8907435.exe detected Trojan-Downloader.Win32.VB.euf
2008-06-09 02:41:40 C:\Virus\Posible Viruses creted by Torrent\h8907435.exe was deleted
2008-06-09 02:41:40 C:\Virus\Posible Viruses creted by Torrent\MLJCBQNK.DLL detected Win32/Adware.Virtumonde.FP application
2008-06-09 02:41:40 C:\Virus\Posible Viruses creted by Torrent\MLJCBQNK.DLL was deleted

Thanks in advance,
Al

Edited by Cretemonster, 11 June 2008 - 08:37 AM.


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 11 June 2008 - 08:39 AM

Hi and Welcome to the forums.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



