
Virus Help


  • This topic is locked
17 replies to this topic

#1 DD_2

DD_2

  • Members
  • 10 posts

Posted 25 July 2008 - 04:28 AM

I have a machine where the user stupidly opened an email attachment.
Now the computer gives alerts when you try to open files, saying that the PC is infected, Windows is corrupt, and to download AntiVirusXP2008.

Here are the dss.log and the Kaspersky log.

Deckard's System Scanner v20071014.68
Run by david on 2008-07-25 09:32:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-07-25 08:32:42 UTC - RP475 - Deckard's System Scanner Restore Point
4: 2008-07-24 19:55:08 UTC - RP474 - System Checkpoint
3: 2008-07-23 14:54:07 UTC - RP473 - System Checkpoint
2: 2008-07-22 13:21:29 UTC - RP472 - System Checkpoint
1: 2008-07-20 18:48:16 UTC - RP471 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as david.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:34, on 25/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Citrix\GoToMyPC\G2ProcessFactory.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Documents and Settings\david.DATACRAFT\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\david.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-computers.co.uk/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: search toolbar - {7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6} - C:\WINDOWS\system32\tbrsch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [BackgroundScheduler] C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: Start WebEx MeetMeNow.LNK = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmuk.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = datacraft.local
O17 - HKLM\Software\..\Telephony: DomainName = datacraft.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = datacraft.local
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DHSMail - Datacraft Design Ltd. - C:\Program Files\dhs\programs\DHSMailSrvc.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 11174 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Aptana\aptana_file.ico,0
.js - JSFile - shell\open\command - "C:\Program Files\Aptana\aptana.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S0 Ili20 - c:\windows\system32\drivers\ili20.sys (file missing)
S0 Sfs46 - c:\windows\system32\drivers\sfs46.sys (file missing)
S0 xxD60 - c:\windows\system32\drivers\xxd60.sys (file missing)
S3 COAX - c:\windows\system32\drivers\coax.sys
S3 RMBS - c:\windows\system32\drivers\rmbs.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\apps\powercinema\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
R2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\apps\powercinema\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
R2 CyberLink Media Library Service - "c:\program files\cyberlink\shared files\clml_ntservice\clmlserver.exe" <Not Verified; Cyberlink; Cyberlink Media Library Server>
R2 GenericHidService (Generic Service for HID Keyboard Input Collections) - c:\apps\hidservice\hidservice.exe
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S3 DHSMail - c:\program files\dhs\programs\dhsmailsrvc.exe <Not Verified; Datacraft Design Ltd.; Mailer Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-25 and 2008-07-25 -----------------------------

2008-07-22 13:11:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-21 06:52:37 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-21 06:52:37 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-07-21 06:51:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-07-21 06:51:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-07-21 06:51:50 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-20 13:14:37 17920 --a------ C:\WINDOWS\system32\tbrsch.dll
2008-07-11 17:50:48 0 d-------- C:\Program Files\Trend Micro
2008-07-11 09:07:49 0 d-------- C:\quarantine
2008-07-11 09:06:10 68096 --a------ C:\WINDOWS\zip.exe
2008-07-11 09:06:10 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-11 09:06:10 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-11 09:06:10 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-11 09:06:10 98816 --a------ C:\WINDOWS\sed.exe
2008-07-11 09:06:10 80412 --a------ C:\WINDOWS\grep.exe
2008-07-11 09:06:10 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-11 09:06:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-09 16:15:32 0 d-------- C:\Documents and Settings\david.DATACRAFT\Application Data\HouseCall 6.6


-- Find3M Report ---------------------------------------------------------------

2008-07-25 09:32:16 0 d-------- C:\Documents and Settings\david.DATACRAFT\Application Data\DNA
2008-07-17 15:26:01 0 d-------- C:\Documents and Settings\david.DATACRAFT\Application Data\AdobeUM
2008-07-08 09:59:19 0 d-------- C:\Documents and Settings\david.DATACRAFT\Application Data\BitTorrent
2008-06-25 13:24:16 0 d-------- C:\Program Files\Aptana
2008-06-25 11:30:03 0 d-------- C:\Program Files\dhs
2008-05-27 09:01:34 0 d-------- C:\Program Files\Sun
2008-05-27 09:01:15 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}]
20/07/2008 13:14 17920 --a------ C:\WINDOWS\system32\tbrsch.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 15:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 15:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 15:00]
"SoundMan"="SOUNDMAN.EXE" [11/11/2005 15:07 C:\WINDOWS\soundman.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 11:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 11:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 11:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [11/05/2005 14:48]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 21:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [06/08/2004 04:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07/10/2003 10:48]
"BackgroundScheduler"="C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe" [11/07/1997 18:38]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [12/01/2007 17:45]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [20/09/2007 09:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 15:00]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [08/05/2008 17:22]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [20/09/2007 15:35]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/08/2007 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [24/10/2003 05:37:56]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [08/02/2007 11:56:48]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [20/06/2006 08:10:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"=3 (0x3)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 12/01/2007 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ili20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sfs46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xxD60.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35508cff-942b-11dc-bba6-0016ec8f210f}]
AutoRun\command- D:\AutoTransfer.exe

*Newly Created Service* - ENTDRV51



-- End of Deckard's System Scanner: finished at 2008-07-25 09:35:06 ------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, July 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 23, 2008 08:59:20
Records in database: 996154
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
N:\
Q:\
Y:\
Z:\

Scan statistics:
Files scanned: 272727
Threat name: 10
Infected objects: 15
Suspicious objects: 1
Duration of the scan: 06:11:12


File name / Threat name / Threats count
C:\WINDOWS\system32\tbrsch.dll//PE_Patch.UPX//UPX/C:\WINDOWS\system32\tbrsch.dll//PE_Patch.UPX//UPX Infected: Trojan.Win32.BHO.fby 2
C:\Documents and Settings\david.DATACRAFT\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\QooBox\Quarantine\C\Documents and Settings\LocalService\Application Data\517045061.exe.vir Infected: Trojan-Downloader.Win32.Mutant.apk 1
C:\QooBox\Quarantine\C\Program Files\IEAntiVirus\antivir.exe.vir Infected: not-a-virus:FraudTool.Win32.IeDefender.dy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lphcnfej0ea7l.exe.vir Infected: Trojan-Downloader.Win32.Small.yom 1
C:\WINDOWS\system32\tbrsch.dll Infected: Trojan.Win32.BHO.fby 1
Y:\Qoobox\Quarantine\Y\SHARED\inst_antispy.exe.vir Infected: not-a-virus:Monitor.Win32.Perflogger.a 2
Y:\Qoobox\Quarantine\Y\SHARED\inst_antispy.exe.vir Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.162 1
Y:\Qoobox\Quarantine\Y\SHARED\inst_antispy.exe.vir Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.170 1
Y:\Qoobox\Quarantine\Y\Software\Adobe Acrobat 8.1.0 Professional and Crack\Acrobat Pro 8.1.exe.vir Infected: Trojan.Win32.Monder.gen 1
Z:\Software\RADMIN20.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 4

The selected area was scanned.


#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 07 August 2008 - 03:10 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

  • Click on Start, then click on Run.
  • Copy and paste the following (in bold) into the Open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open the DSS configuration.
  • Click on Check All.
  • Click Scan.
  • DSS will now run again. When it has finished, please post back both logs that open in Notepad: main.txt and extra.txt.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with dss reports main.txt, extra.txt and Kaspersky report.

Regards
SNOWHITE

#3 DD_2

DD_2
  • Topic Starter

  • Members
  • 10 posts

Posted 11 August 2008 - 06:17 AM

Attached is the DSS log and the Kaspersky log.
DSS didn't produce an extra.txt log (I ran it twice just to check).


Deckard's System Scanner v20071014.68
Run by david on 2008-08-11 09:47:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as david.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:47, on 11/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\WinAVI Video Converter\WinAVI.exe
C:\Documents and Settings\david.DATACRAFT.000\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\david.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-computers.co.uk/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [BackgroundScheduler] C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: Start WebEx MeetMeNow.LNK = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmuk.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = datacraft.local
O17 - HKLM\Software\..\Telephony: DomainName = datacraft.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = datacraft.local
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DHSMail - Datacraft Design Ltd. - C:\Program Files\dhs\programs\DHSMailSrvc.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 11153 bytes

-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-08 08:57:32 0 d-------- C:\Program Files\FreeUndelete
2008-08-05 12:55:17 0 d-------- C:\Documents and Settings\david.DATACRAFT.0001\Application Data\Nero
2008-08-05 12:55:02 0 dr------- C:\Documents and Settings\david.DATACRAFT.0001\Favorites
2008-08-05 12:55:02 0 dr------- C:\Documents and Settings\david.DATACRAFT.0001\Desktop
2008-08-05 12:55:02 0 d--hs---- C:\Documents and Settings\david.DATACRAFT.0001\Cookies
2008-08-05 12:55:02 0 dr-h----- C:\Documents and Settings\david.DATACRAFT.0001\Application Data
2008-08-05 12:55:02 0 d---s---- C:\Documents and Settings\david.DATACRAFT.0001\Application Data\Microsoft
2008-08-05 12:55:02 0 d-------- C:\Documents and Settings\david.DATACRAFT.0001\Application Data\Macromedia
2008-08-05 12:55:02 0 d-------- C:\Documents and Settings\david.DATACRAFT.0001\Application Data\Identities
2008-08-05 12:55:01 0 d--h----- C:\Documents and Settings\david.DATACRAFT.0001\Templates
2008-08-05 12:55:01 0 dr------- C:\Documents and Settings\david.DATACRAFT.0001\Start Menu
2008-08-05 12:55:01 0 dr-h----- C:\Documents and Settings\david.DATACRAFT.0001\SendTo
2008-08-05 12:55:01 0 dr-h----- C:\Documents and Settings\david.DATACRAFT.0001\Recent
2008-08-05 12:55:01 0 d--h----- C:\Documents and Settings\david.DATACRAFT.0001\PrintHood
2008-08-05 12:55:01 1572864 --ah----- C:\Documents and Settings\david.DATACRAFT.0001\NTUSER.DAT
2008-08-05 12:55:01 0 d--h----- C:\Documents and Settings\david.DATACRAFT.0001\NetHood
2008-08-05 12:55:01 0 dr------- C:\Documents and Settings\david.DATACRAFT.0001\My Documents
2008-08-05 12:55:01 0 d--h----- C:\Documents and Settings\david.DATACRAFT.0001\Local Settings
2008-08-05 12:53:30 0 d-------- C:\Documents and Settings\Administrator.DATACRAFT\Application Data\Nero
2008-08-05 12:25:22 0 d-------- C:\Documents and Settings\david\Application Data\Nero
2008-07-22 13:11:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-21 06:52:37 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-21 06:52:37 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-07-21 06:51:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-07-21 06:51:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-07-21 06:51:50 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-07-11 17:50:48 0 d-------- C:\Program Files\Trend Micro
2008-07-11 09:07:49 0 d-------- C:\quarantine
2008-07-11 09:06:10 68096 --a------ C:\WINDOWS\zip.exe
2008-07-11 09:06:10 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-11 09:06:10 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-11 09:06:10 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-11 09:06:10 98816 --a------ C:\WINDOWS\sed.exe
2008-07-11 09:06:10 80412 --a------ C:\WINDOWS\grep.exe
2008-07-11 09:06:10 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-11 09:06:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>


-- Find3M Report ---------------------------------------------------------------

2008-08-11 09:47:12 0 d-------- C:\Documents and Settings\david.DATACRAFT.000\Application Data\DNA
2008-08-11 09:44:03 0 d-------- C:\Documents and Settings\david.DATACRAFT.000\Application Data\BitTorrent
2008-08-06 10:56:50 0 d-------- C:\Documents and Settings\david.DATACRAFT.000\Application Data\AdobeUM
2008-08-05 14:50:07 0 d-------- C:\Program Files\Java
2008-07-10 09:37:00 0 d-------- C:\Documents and Settings\david.DATACRAFT.000\Application Data\HouseCall 6.6
2008-06-25 13:24:16 0 d-------- C:\Program Files\Aptana
2008-06-25 11:30:03 0 d-------- C:\Program Files\dhs


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 15:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 15:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 15:00]
"SoundMan"="SOUNDMAN.EXE" [11/11/2005 15:07 C:\WINDOWS\soundman.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 11:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 11:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 11:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [11/05/2005 14:48]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 21:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [06/08/2004 04:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07/10/2003 10:48]
"BackgroundScheduler"="C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe" [11/07/1997 18:38]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [12/01/2007 17:45]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [20/09/2007 09:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 15:00]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [08/05/2008 17:22]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [20/09/2007 15:35]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/08/2007 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [24/10/2003 05:37:56]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [08/02/2007 11:56:48]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [20/06/2006 08:10:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"SoftwareSASGeneration"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 12/01/2007 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ili20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sfs46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xxD60.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35508cff-942b-11dc-bba6-0016ec8f210f}]
AutoRun\command- D:\AutoTransfer.exe

*Newly Created Service* - ENTDRV51



-- End of Deckard's System Scanner: finished at 2008-08-11 09:48:52 ------------




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 11, 2008 10:09:50
Records in database: 1081860
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 68214
Threat name: 3
Infected objects: 2
Suspicious objects: 1
Duration of the scan: 02:07:03


File name / Threat name / Threats count
C:\Documents and Settings\david.DATACRAFT.000\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\david.DATACRAFT.000\Local Settings\Temporary Internet Files\Content.IE5\96SIX20M\index[1].htm Infected: Trojan-Downloader.JS.Agent.ciw 1
C:\QooBox\Quarantine\C\Program Files\IEAntiVirus\antivir.exe.vir Infected: not-a-virus:FraudTool.Win32.IeDefender.dy 1

The selected area was scanned.

#4 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 13 August 2008 - 09:54 PM

Hello, DD_2.
You appear to have Remote Control application(s) installed.
In your case, this is referring to:
GoToMyPC
Remote control programs allow complete control of your machine as if you are sitting in front of it, even if you are in some distant location. While this can be a good thing, we need to make sure that this software was installed for a benign purpose, and not for a malicious one. If an attacker installed one of these programs, it would allow them to remotely control your computer, steal critical system information and download and execute files.

If you have this application installed on purpose, then you can safely ignore this warning. But if you didn't install these applications, please remove them from Add/Remove Programs now.

This is VERY IMPORTANT!!!

You should not be running ComboFix on your own!!!

ComboFix may have removed the pointers to infection that we helpers use to determine what's going on.

Please post the contents of the following:

C:\ComboFix.txt
C:\qoobox\combofix1.txt
C:\qoobox\combofix2.txt
C:\qoobox\combofix3.txt
C:\qoobox\combofix4.txt
C:\qoobox\combofix5.txt
C:\qoobox\ComboFix-quarantined-files.txt

Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
In your next reply, please include the following:
  • DSS's Main.txt
  • DSS's Extra.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 DD_2

  • Topic Starter
  • Members
  • 10 posts

Posted 14 August 2008 - 05:05 AM

GoToMyPC is there on purpose; it is a safe VNC solution.

ComboFix has not been run.

Do you now want me to run ComboFix or not?

Edited by DD_2, 14 August 2008 - 05:06 AM.


#6 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 August 2008 - 06:40 AM

Maybe you didn't run it, maybe someone else did, but those logs indicate that it has been run.

Go ahead and post those files if they exist anyway.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 DD_2

  • Topic Starter
  • Members
  • 10 posts

Posted 14 August 2008 - 07:01 AM

Okay, not all the ComboFix logs were there; attached are the remaining logs and the new logs for DSS.

ComboFix 08-07-10.1 - david 2008-07-21 6:57:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.436 [GMT 1:00]
Running from: C:\Documents and Settings\david.DATACRAFT\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\david.DATACRAFT\Application Data\rhcjfej0ea7l
C:\Documents and Settings\LocalService\Application Data\517045061.exe
C:\Documents and Settings\LocalService\Application Data\585862063.exe
C:\Documents and Settings\LocalService\Application Data\rhcjfej0ea7l
C:\Program Files\IEAntiVirus
C:\Program Files\IEAntiVirus\antivir.exe
C:\Program Files\IEAntiVirus\ieav.db2
C:\Program Files\IEAntiVirus\ieav.db3
C:\Program Files\IEAntiVirus\uninst.exe
C:\Program Files\rhcjfej0ea7l
C:\WINDOWS\system32\blphcnfej0ea7l.scr
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\lphcnfej0ea7l.exe
C:\WINDOWS\system32\phcnfej0ea7l.bmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CBEVTSVC
-------\Service_CbEvtSvc


((((((((((((((((((((((((( Files Created from 2008-06-21 to 2008-07-21 )))))))))))))))))))))))))))))))
.

2008-07-20 15:22 . 2008-07-20 15:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-20 15:22 . 2008-07-20 15:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-20 13:14 . 2008-07-20 13:14 17,920 --a------ C:\WINDOWS\system32\tbrsch.dll
2008-07-11 17:50 . 2008-07-11 17:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 09:07 . 2008-07-21 06:57 <DIR> d-------- C:\quarantine
2008-07-09 16:21 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-09 16:15 . 2008-07-10 09:37 <DIR> d-------- C:\Documents and Settings\david.DATACRAFT\Application Data\HouseCall 6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 06:00 --------- d-----w C:\Documents and Settings\david.DATACRAFT\Application Data\DNA
2008-07-17 14:26 --------- d-----w C:\Documents and Settings\david.DATACRAFT\Application Data\AdobeUM
2008-07-08 08:59 --------- d-----w C:\Documents and Settings\david.DATACRAFT\Application Data\BitTorrent
2008-06-25 12:24 --------- d-----w C:\Program Files\Aptana
2008-06-25 10:30 --------- d-----w C:\Program Files\dhs
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-27 08:01 --------- d-----w C:\Program Files\Sun
2008-05-27 08:01 --------- d-----w C:\Program Files\Java
2008-04-22 12:54 8,938 ----a-w C:\unins000.dat
2007-06-14 10:36 3,820,104 ------w C:\Documents and Settings\david.DATACRAFT\gosetup.exe
2007-03-26 15:37 563,712 ------w C:\Documents and Settings\david.DATACRAFT\gotomypc_370.exe
2007-03-16 17:58 3,897 ----a-w C:\Program Files\MIMAS.txt
2007-03-16 17:58 3,780 ------w C:\Program Files\YMIR.txt
2007-01-26 15:26 722,176 ------w C:\Documents and Settings\david.DATACRAFT\gotomypc_428.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-11_ 9.15.49.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-11 08:12:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-21 06:01:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-09 02:08:33 273,376 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-07-15 13:18:39 273,376 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-07-11 08:13:11 224,987 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-07-21 06:02:50 224,985 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-07-21 06:01:13 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}]
2008-07-20 13:14 17920 --a------ C:\WINDOWS\system32\tbrsch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:22 289088]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 15:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 14:48 127118]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 21:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48 147514]
"BackgroundScheduler"="C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe" [1997-07-11 18:38 16896]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 15:07 90112 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-02-08 11:56:48 69632]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-06-20 08:10:00 5976064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ili20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sfs46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xxD60.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\APPS\\Powercinema\\PowerCinema.exe"=
"C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 Ili20;Ili20;C:\WINDOWS\system32\Drivers\Ili20.sys []
S0 Sfs46;Sfs46;C:\WINDOWS\system32\Drivers\Sfs46.sys []
S0 xxD60;xxD60;C:\WINDOWS\system32\Drivers\xxD60.sys []
S3 COAX;COAX;C:\WINDOWS\system32\drivers\COAX.sys [1997-06-18 19:28]
S3 DHSMail;DHSMail;C:\Program Files\dhs\programs\DHSMailSrvc.exe [2005-11-08 11:41]
S3 RMBS;RMBS;C:\WINDOWS\system32\drivers\RMBS.sys [1996-03-12 18:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35508cff-942b-11dc-bba6-0016ec8f210f}]
\Shell\AutoRun\command - D:\AutoTransfer.exe

*Newly Created Service* - ENTDRV51
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-lphcnfej0ea7l - C:\WINDOWS\system32\lphcnfej0ea7l.exe
HKLM-Run-SMrhcjfej0ea7l - C:\Program Files\rhcjfej0ea7l\rhcjfej0ea7l.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 07:01:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\APPS\HIDSERVICE\HidService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\PROGRA~1\MI6841~1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
.
**************************************************************************
.
Completion time: 2008-07-21 7:04:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-21 06:04:54
ComboFix2.txt 2008-07-11 16:48:17
ComboFix3.txt 2008-07-11 08:16:14

Pre-Run: 30,276,227,072 bytes free
Post-Run: 30,323,277,824 bytes free

181 --- E O F --- 2008-07-14 15:11:25


ComboFix 08-07-10.1 - david 2008-07-11 17:44:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.240 [GMT 1:00]
Running from: C:\Documents and Settings\david.DATACRAFT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\david.DATACRAFT\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-11 09:07 . 2008-07-11 17:44 <DIR> d-------- C:\quarantine
2008-07-09 16:21 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-09 16:15 . 2008-07-10 09:37 <DIR> d-------- C:\Documents and Settings\david.DATACRAFT\Application Data\HouseCall 6.6
2008-06-20 18:41 . 2008-06-20 18:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 11:44 . 2008-06-20 11:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-18 14:45 . 2008-06-18 14:46 <DIR> d-------- C:\Reports
2008-06-11 08:45 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:45 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 16:43 --------- d-----w C:\Documents and Settings\david.DATACRAFT\Application Data\DNA
2008-07-08 14:41 --------- d-----w C:\Documents and Settings\david.DATACRAFT\Application Data\AdobeUM
2008-07-08 08:59 --------- d-----w C:\Documents and Settings\david.DATACRAFT\Application Data\BitTorrent
2008-06-25 12:24 --------- d-----w C:\Program Files\Aptana
2008-06-25 10:30 --------- d-----w C:\Program Files\dhs
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-05-27 08:01 --------- d-----w C:\Program Files\Sun
2008-05-27 08:01 --------- d-----w C:\Program Files\Java
2008-05-20 10:56 --------- d-----w C:\Program Files\EPSON
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-23 21:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 12:57 3,082 ----a-w C:\WINDOWS\system32\affv208325p1now.sys
2008-04-22 12:54 8,938 ----a-w C:\unins000.dat
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-14 10:36 3,820,104 ------w C:\Documents and Settings\david.DATACRAFT\gosetup.exe
2007-03-26 15:37 563,712 ------w C:\Documents and Settings\david.DATACRAFT\gotomypc_370.exe
2007-03-16 17:58 3,897 ----a-w C:\Program Files\MIMAS.txt
2007-03-16 17:58 3,780 ------w C:\Program Files\YMIR.txt
2007-01-26 15:26 722,176 ------w C:\Documents and Settings\david.DATACRAFT\gotomypc_428.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-11_ 9.15.49.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-11 08:17:52 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:22 289088]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 15:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 14:48 127118]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 21:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48 147514]
"BackgroundScheduler"="C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe" [1997-07-11 18:38 16896]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 15:07 90112 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-02-08 11:56:48 69632]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-06-20 08:10:00 5976064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ili20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sfs46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xxD60.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\APPS\\Powercinema\\PowerCinema.exe"=
"C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

R0 Ili20;Ili20;C:\WINDOWS\system32\Drivers\Ili20.sys [2008-02-21 12:42]
S0 Sfs46;Sfs46;C:\WINDOWS\system32\Drivers\Sfs46.sys []
S0 xxD60;xxD60;C:\WINDOWS\system32\Drivers\xxD60.sys []
S3 COAX;COAX;C:\WINDOWS\system32\drivers\COAX.sys [1997-06-18 19:28]
S3 DHSMail;DHSMail;C:\Program Files\dhs\programs\DHSMailSrvc.exe [2005-11-08 11:41]
S3 RMBS;RMBS;C:\WINDOWS\system32\drivers\RMBS.sys [1996-03-12 18:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35508cff-942b-11dc-bba6-0016ec8f210f}]
\Shell\AutoRun\command - D:\AutoTransfer.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 17:47:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-11 17:48:15
ComboFix-quarantined-files.txt 2008-07-11 16:48:11
ComboFix2.txt 2008-07-11 08:16:14

Pre-Run: 27,817,144,320 bytes free
Post-Run: 27,804,340,224 bytes free

132 --- E O F --- 2008-07-09 09:33:37


ComboFix 08-07-10.1 - david 2008-07-11 9:07:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.463 [GMT 1:00]
Running from: C:\Documents and Settings\david.DATACRAFT\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\MyWebEx
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atarm.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atas32.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasanot.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasctrl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atasnt40.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atdl2006.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atkbctl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atlchat.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atnetext.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atpack.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\attp.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atwbxui5.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\atwbxui6.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\h264dec.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\h264enc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\ieatgpc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mmssl32.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\msess.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mticket.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mutiltpd.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mvc.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwm.ini
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmie.bak
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmie.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmim.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmoi.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmoibak.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmpad.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres1.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmtrace.txt
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmupd.exe
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\ratrace.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\Ratrace\ratrace.txt
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\raurl.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\uilibres.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
C:\WINDOWS\Downloaded Program Files\MyWebEx\419\webexmgr.dll
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\oeminfo.ini
C:\WINDOWS\system32\WinCtrl32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RUNTIME
-------\Legacy_TCPSR
-------\Service_runtime
-------\Service_tcpsr


((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-11 09:07 . 2008-07-11 09:07 <DIR> d-------- C:\quarantine
2008-07-09 16:21 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-09 16:15 . 2008-07-10 09:37 <DIR> d-------- C:\Documents and Settings\david.DATACRAFT\Application Data\HouseCall 6.6
2008-06-20 18:41 . 2008-06-20 18:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 11:44 . 2008-06-20 11:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-18 14:45 . 2008-06-18 14:46 <DIR> d-------- C:\Reports
2008-06-11 08:45 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:45 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 08:11 --------- d-----w C:\Documents and Settings\david.DATACRAFT\Application Data\DNA
2008-07-08 14:41 --------- d-----w C:\Documents and Settings\david.DATACRAFT\Application Data\AdobeUM
2008-07-08 08:59 --------- d-----w C:\Documents and Settings\david.DATACRAFT\Application Data\BitTorrent
2008-06-25 12:24 --------- d-----w C:\Program Files\Aptana
2008-06-25 10:30 --------- d-----w C:\Program Files\dhs
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-27 08:01 --------- d-----w C:\Program Files\Sun
2008-05-27 08:01 --------- d-----w C:\Program Files\Java
2008-05-20 10:56 --------- d-----w C:\Program Files\EPSON
2008-04-22 12:54 8,938 ----a-w C:\unins000.dat
2007-06-14 10:36 3,820,104 ------w C:\Documents and Settings\david.DATACRAFT\gosetup.exe
2007-03-26 15:37 563,712 ------w C:\Documents and Settings\david.DATACRAFT\gotomypc_370.exe
2007-03-16 17:58 3,897 ----a-w C:\Program Files\MIMAS.txt
2007-03-16 17:58 3,780 ------w C:\Program Files\YMIR.txt
2007-01-26 15:26 722,176 ------w C:\Documents and Settings\david.DATACRAFT\gotomypc_428.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:22 289088]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 15:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 14:48 127118]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 21:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48 147514]
"BackgroundScheduler"="C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe" [1997-07-11 18:38 16896]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 15:07 90112 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-02-08 11:56:48 69632]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-06-20 08:10:00 5976064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ili20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sfs46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xxD60.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\APPS\\Powercinema\\PowerCinema.exe"=
"C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

R0 Ili20;Ili20;C:\WINDOWS\system32\Drivers\Ili20.sys [2008-02-21 12:42]
S0 Sfs46;Sfs46;C:\WINDOWS\system32\Drivers\Sfs46.sys []
S0 xxD60;xxD60;C:\WINDOWS\system32\Drivers\xxD60.sys []
S3 COAX;COAX;C:\WINDOWS\system32\drivers\COAX.sys [1997-06-18 19:28]
S3 DHSMail;DHSMail;C:\Program Files\dhs\programs\DHSMailSrvc.exe [2005-11-08 11:41]
S3 RMBS;RMBS;C:\WINDOWS\system32\drivers\RMBS.sys [1996-03-12 18:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35508cff-942b-11dc-bba6-0016ec8f210f}]
\Shell\AutoRun\command - D:\AutoTransfer.exe

.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 09:13:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\APPS\HIDSERVICE\HidService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\PROGRA~1\MI6841~1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-11 9:16:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-11 08:16:08

Pre-Run: 22,810,157,056 bytes free
Post-Run: 23,944,892,416 bytes free

201 --- E O F --- 2008-07-09 09:33:37


1998-02-27 04:40 520760 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\Cfx32.ocx.vir
2005-10-18 12:00 886 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\OEMINFO.INI.vir
2007-04-09 02:19 93848 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\ieatgpc.dll.vir
2007-05-15 15:26 110592 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\uilibres.dll.vir
2007-05-15 15:26 23106 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atpack.dll.vir
2007-05-15 15:26 36864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\raurl.dll.vir
2007-05-15 15:26 5702 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atkbctl.dll.vir
2007-05-15 15:26 65536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atnetext.dll.vir
2007-05-15 15:26 65536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll.vir
2007-05-15 15:26 81408 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atjpeg60.dll.vir
2007-05-15 15:26 90112 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmproxy.dll.vir
2007-05-15 15:31 126976 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmoibak.dll.vir
2007-05-15 15:31 77824 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmie.bak.vir
2007-05-25 08:31 315392 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atwbxui5.dll.vir
2007-05-25 08:31 73446 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\Ratrace\ratrace.txt.vir
2007-05-25 08:31 98304 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmcliun.exe.vir
2007-11-15 10:03 119879 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atdl2006.dll.vir
2007-11-15 10:03 17296 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atasanot.exe.vir
2007-11-15 10:03 184320 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\msess.dll.vir
2007-11-15 10:03 2195456 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atres.dll.vir
2007-11-15 10:03 221254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\h264enc.dll.vir
2007-11-15 10:03 238920 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmupd.exe.vir
2007-11-15 10:03 24576 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atmemmgr.dll.vir
2007-11-15 10:03 270336 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atarm.dll.vir
2007-11-15 10:03 28672 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\ratrace.dll.vir
2007-11-15 10:03 294989 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\h264dec.dll.vir
2007-11-15 10:03 315392 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atwbxui6.dll.vir
2007-11-15 10:03 49152 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atcarmcl.dll.vir
2007-11-15 10:03 507904 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mmssl32.dll.vir
2007-11-15 10:03 53248 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmim.dll.vir
2007-11-15 10:03 77824 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mticket.dll.vir
2007-12-12 10:15 77824 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmie.dll.vir
2008-01-23 21:16 180224 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmoi.dll.vir
2008-01-23 21:16 434176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres1.dll.vir
2008-01-23 21:16 496968 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmpad.exe.vir
2008-01-23 21:17 105541 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atas32.dll.vir
2008-01-23 21:17 135168 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\attp.dll.vir
2008-01-23 21:17 339968 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atlchat.dll.vir
2008-01-23 21:17 364544 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mvc.dll.vir
2008-01-23 21:17 391751 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atasctrl.dll.vir
2008-01-23 21:17 581632 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mutiltpd.dll.vir
2008-01-23 21:17 77383 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\atasnt40.dll.vir
2008-02-18 12:22 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\9_exception.nls.vir
2008-04-29 23:38 126725 --a------ C:\Qoobox\Quarantine\C\Program Files\IEAntiVirus\ieav.db2.vir
2008-04-29 23:38 55338 --a------ C:\Qoobox\Quarantine\C\Program Files\IEAntiVirus\ieav.db3.vir
2008-06-18 11:19 2248704 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmres.dll.vir
2008-06-18 11:19 503808 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\webexmgr.dll.vir
2008-06-25 14:26 174 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwm.ini.vir
2008-07-10 11:23 251512 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\MyWebEx\419\mwmtrace.txt.vir
2008-07-11 09:10 1298 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_TCPSR.reg.dat
2008-07-11 09:10 1322 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_RUNTIME.reg.dat
2008-07-11 09:10 2490 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_tcpsr.reg.dat
2008-07-11 09:10 750 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_runtime.reg.dat
2008-07-14 16:18 2028544 --a------ C:\Qoobox\Quarantine\C\Program Files\IEAntiVirus\antivir.exe.vir
2008-07-20 13:03 63488 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\CbEvtSvc.exe.vir
2008-07-20 13:05 110080 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\585862063.exe.vir
2008-07-20 13:05 14848 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\517045061.exe.vir
2008-07-20 19:46 110080 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\lphcnfej0ea7l.exe.vir
2008-07-21 06:52 100720 --a------ C:\Qoobox\Quarantine\C\Program Files\IEAntiVirus\uninst.exe.vir
2008-07-21 06:56 60928 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\blphcnfej0ea7l.scr.vir
2008-07-21 06:56 90838 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\phcnfej0ea7l.bmp.vir
2008-07-21 06:59 1038 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_CBEVTSVC.reg.dat
2008-07-21 06:59 162 --a------ C:\Qoobox\Quarantine\catchme.log
2008-07-21 06:59 2764 --a------ C:\Qoobox\Quarantine\Registry_backups\Service_CbEvtSvc.reg.dat
2008-07-21 07:04 140 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-lphcnfej0ea7l.reg.dat
2008-07-21 07:04 150 --a------ C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SMrhcjfej0ea7l.reg.dat
2008-07-21 07:04 171 --a------ C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}.reg.dat


Deckard's System Scanner v20071014.68
Run by david on 2008-08-14 12:53:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
22: 2008-08-14 11:53:56 UTC - RP492 - Deckard's System Scanner Restore Point
21: 2008-08-13 13:40:54 UTC - RP491 - Software Distribution Service 3.0
20: 2008-08-12 20:46:34 UTC - RP490 - System Checkpoint
19: 2008-08-11 19:46:34 UTC - RP489 - System Checkpoint
18: 2008-08-10 18:47:33 UTC - RP488 - System Checkpoint


-- First Restore Point --
1: 2008-07-20 18:48:16 UTC - RP471 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as david.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\david.DATACRAFT.000\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\david.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nec-computers.co.uk/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [BackgroundScheduler] C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: Start WebEx MeetMeNow.LNK = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmuk.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = datacraft.local
O17 - HKLM\Software\..\Telephony: DomainName = datacraft.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = datacraft.local
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DHSMail - Datacraft Design Ltd. - C:\Program Files\dhs\programs\DHSMailSrvc.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 10882 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Aptana\aptana_file.ico,0
.js - JSFile - shell\open\command - "C:\Program Files\Aptana\aptana.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S0 Ili20 - c:\windows\system32\drivers\ili20.sys (file missing)
S0 Sfs46 - c:\windows\system32\drivers\sfs46.sys (file missing)
S0 xxD60 - c:\windows\system32\drivers\xxd60.sys (file missing)
S3 COAX - c:\windows\system32\drivers\coax.sys
S3 RMBS - c:\windows\system32\drivers\rmbs.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\apps\powercinema\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
R2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\apps\powercinema\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
R2 CyberLink Media Library Service - "c:\program files\cyberlink\shared files\clml_ntservice\clmlserver.exe" <Not Verified; Cyberlink; Cyberlink Media Library Server>
R2 GenericHidService (Generic Service for HID Keyboard Input Collections) - c:\apps\hidservice\hidservice.exe
R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S3 DHSMail - c:\program files\dhs\programs\dhsmailsrvc.exe <Not Verified; Datacraft Design Ltd.; Mailer Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\svchost.exe (pid 896)
2004-09-22 21:00:00 36922 -----n--- C:\WINDOWS\system32\EntAPI.dll <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>

C:\WINDOWS\system32\svchost.exe (pid 1060)
2004-09-22 21:00:00 36922 -----n--- C:\WINDOWS\system32\EntAPI.dll <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>

C:\WINDOWS\explorer.exe (pid 3212)
2004-09-22 21:00:00 36922 -----n--- C:\WINDOWS\system32\EntAPI.dll <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
2001-06-07 10:35:06 131072 -----n--- C:\Program Files\WS_FTP Pro\wsbho2k0.dll <Not Verified; Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA; wsbho2k0 Module>
2001-06-07 10:36:02 233472 -----n--- C:\Program Files\WS_FTP Pro\wsftpsi.dll <Not Verified; Ipswitch, Inc. 81 Hartwell Ave. Lexington MA; wsftpsi Module>
2001-06-07 10:33:12 417792 -----n--- C:\Program Files\WS_FTP Pro\wsftpext.dll <Not Verified; Ipswitch, Inc. 81 Hartwell Ave. Lexington MA; WS_FTP Pro>
2001-06-07 10:31:50 339968 -----n--- C:\Program Files\WS_FTP Pro\ftppro2k.dll <Not Verified; Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA; ftppro32>
2001-05-31 12:30:42 778752 -----n--- C:\Program Files\WS_FTP Pro\sslsvc.dll
2001-06-07 10:31:08 49152 -----n--- C:\Program Files\WS_FTP Pro\wshosts.dll
2001-06-07 10:32:02 81920 -----n--- C:\Program Files\WS_FTP Pro\wsfirscr.dll <Not Verified; Ipswitch, Inc. 81 Hartwell Ave. Lexington MA; WS_FTP Pro>
2001-11-27 09:10:00 20552 -----n--- C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing, Inc.; WinZip>
2004-08-20 22:27:00 121344 -----n--- C:\Program Files\WinRAR\RarExt.dll
2004-09-22 21:00:00 13824 -----n--- C:\Program Files\Network Associates\VirusScan\shext.dll <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
2004-09-22 21:00:00 4608 -----n--- C:\Program Files\Network Associates\VirusScan\Res09\shextres.dll <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
2006-06-20 08:10:00 118784 -----n--- C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll <Not Verified; TechSmith Corporation; SnagIt>
2003-11-04 00:03:23 643160 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll <Not Verified; Adobe Systems Inc.; Adobe Acrobat Elements>
2004-11-19 09:01:00 73728 -----n--- C:\APPS\RecordNow\shlext.dll <Not Verified; ; RecordNow!>
1997-06-18 06:10:10 24064 -----n--- C:\Program Files\WallData\DBA\DbaShlEx.dll <Not Verified; Wall Data Incorporated.; RUMBA>


-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-08 08:57:32 0 d-------- C:\Program Files\FreeUndelete
2008-08-05 12:55:17 0 d-------- C:\Documents and Settings\david.DATACRAFT.0001\Application Data\Nero
2008-08-05 12:55:02 0 dr------- C:\Documents and Settings\david.DATACRAFT.0001\Favorites
2008-08-05 12:55:02 0 dr------- C:\Documents and Settings\david.DATACRAFT.0001\Desktop
2008-08-05 12:55:02 0 d--hs---- C:\Documents and Settings\david.DATACRAFT.0001\Cookies
2008-08-05 12:55:02 0 dr-h----- C:\Documents and Settings\david.DATACRAFT.0001\Application Data
2008-08-05 12:55:02 0 d---s---- C:\Documents and Settings\david.DATACRAFT.0001\Application Data\Microsoft
2008-08-05 12:55:02 0 d-------- C:\Documents and Settings\david.DATACRAFT.0001\Application Data\Macromedia
2008-08-05 12:55:02 0 d-------- C:\Documents and Settings\david.DATACRAFT.0001\Application Data\Identities
2008-08-05 12:55:01 0 d--h----- C:\Documents and Settings\david.DATACRAFT.0001\Templates
2008-08-05 12:55:01 0 dr------- C:\Documents and Settings\david.DATACRAFT.0001\Start Menu
2008-08-05 12:55:01 0 dr-h----- C:\Documents and Settings\david.DATACRAFT.0001\SendTo
2008-08-05 12:55:01 0 dr-h----- C:\Documents and Settings\david.DATACRAFT.0001\Recent
2008-08-05 12:55:01 0 d--h----- C:\Documents and Settings\david.DATACRAFT.0001\PrintHood
2008-08-05 12:55:01 1572864 --ah----- C:\Documents and Settings\david.DATACRAFT.0001\NTUSER.DAT
2008-08-05 12:55:01 0 d--h----- C:\Documents and Settings\david.DATACRAFT.0001\NetHood
2008-08-05 12:55:01 0 dr------- C:\Documents and Settings\david.DATACRAFT.0001\My Documents
2008-08-05 12:55:01 0 d--h----- C:\Documents and Settings\david.DATACRAFT.0001\Local Settings
2008-08-05 12:53:30 0 d-------- C:\Documents and Settings\Administrator.DATACRAFT\Application Data\Nero
2008-08-05 12:25:22 0 d-------- C:\Documents and Settings\david\Application Data\Nero
2008-07-22 13:11:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-21 06:52:37 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-07-21 06:52:37 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-07-21 06:51:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-07-21 06:51:51 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-07-21 06:51:50 0 dr------- C:\Documents and Settings\LocalService\Favorites


-- Find3M Report ---------------------------------------------------------------

2008-08-14 12:52:02 0 d-------- C:\Documents and Settings\david.DATACRAFT.000\Application Data\DNA
2008-08-13 17:17:44 0 d-------- C:\Documents and Settings\david.DATACRAFT.000\Application Data\BitTorrent
2008-08-13 14:45:12 0 d-------- C:\Program Files\Messenger
2008-08-12 17:19:07 0 d-------- C:\Documents and Settings\david.DATACRAFT.000\Application Data\AdobeUM
2008-08-05 14:50:07 0 d-------- C:\Program Files\Java
2008-07-11 17:50:48 0 d-------- C:\Program Files\Trend Micro
2008-07-10 09:37:00 0 d-------- C:\Documents and Settings\david.DATACRAFT.000\Application Data\HouseCall 6.6
2008-06-25 13:24:16 0 d-------- C:\Program Files\Aptana
2008-06-25 11:30:03 0 d-------- C:\Program Files\dhs


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 15:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 15:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 15:00]
"SoundMan"="SOUNDMAN.EXE" [11/11/2005 15:07 C:\WINDOWS\soundman.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 11:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 11:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 11:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [11/05/2005 14:48]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 21:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [06/08/2004 04:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07/10/2003 10:48]
"BackgroundScheduler"="C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe" [11/07/1997 18:38]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [12/01/2007 17:45]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [01/03/2007 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [20/09/2007 09:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 15:00]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [08/05/2008 17:22]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [20/09/2007 15:35]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/08/2007 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [24/10/2003 05:37:56]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [08/02/2007 11:56:48]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [20/06/2006 08:10:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"SoftwareSASGeneration"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll 12/01/2007 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ili20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sfs46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xxD60.sys]
@="Driver"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35508cff-942b-11dc-bba6-0016ec8f210f}]
AutoRun\command- D:\AutoTransfer.exe

*Newly Created Service* - ENTDRV51



-- End of Deckard's System Scanner: finished at 2008-08-14 12:55:12 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 1015.29 MiB / 270.55 MiB
Pagefile Memory (total/avail): 2440.17 MiB / 1772.91 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1901.59 MiB

C: is Fixed (NTFS) - 68.51 GiB total, 24.91 GiB free.
N: is Network (Unformatted)
Q: is CDROM (No Media)
Y: is Network (NTFS)
Z: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST3808110AS - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 6.01 GiB
\PARTITION1 (bootable) - Installable File System - 68.51 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe"="C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\WS_FTP Pro\\wsftppro.exe"="C:\\Program Files\\WS_FTP Pro\\wsftppro.exe:*:Enabled:WS_FTP Pro Application"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"="C:\\Program Files\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImPackr.exe"="C:\\Program Files\\IncrediMail\\bin\\ImPackr.exe:*:Enabled:IncrediMail"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\APPS\\Powercinema\\PowerCinema.exe"="C:\\APPS\\Powercinema\\PowerCinema.exe:*:Enabled:PowerCinema"
"C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe"="C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\david.DATACRAFT.000\Application Data
CLASSPATH="C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip"
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CRESSIDA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\david.DATACRAFT.000
LOGONSERVER=\\URANUS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\BINN;C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA="C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip"
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DAVIDD~2.000\LOCALS~1\Temp
TMP=C:\DOCUME~1\DAVIDD~2.000\LOCALS~1\Temp
USERDNSDOMAIN=DATACRAFT.LOCAL
USERDOMAIN=DATACRAFT
USERNAME=david
USERPROFILE=C:\Documents and Settings\david.DATACRAFT.000
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ASPNET
david (admin)
Administrator (admin)
david.DATACRAFT (admin)
andrew (new local, net ready)
daniel (new local, net ready)
david.DATACRAFT.000 (admin)
Administrator.DATACRAFT (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.EXE" -uninstall
--> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Acrobat and Reader 6.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Aegis Client --> C:\PROGRA~1\aegis\UNWISE.EXE C:\PROGRA~1\aegis\INSTALL.LOG
AntivirXP08 --> "C:\Program Files\rhcjfej0ea7l\uninstall.exe"
Aptana --> "C:\Program Files\Aptana\Uninstall_Aptana\Uninstall Aptana.exe"
ARPEGGIO --> C:\Program Files\WallData\SETUP\SETUP.EXE -WDU
Arpeggio --> C:\WINDOWS\uninst.exe -f"C:\Program Files\dhs\DeIsL1.isu" -c"C:\Program Files\dhs\_ISREG32.DLL"
BitTorrent 6.0 --> C:\Program Files\BitTorrent\uninst.exe
Borland Database Engine --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Borland Shared\DeIsL1.isu" -c"C:\Program Files\Borland Shared\_ISREG32.DLL"
DivX Codec --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Codec\uninstal.log
DivX Player --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Player\uninstal.log
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Fellowes/NEATO MediaFACE --> C:\PROGRA~1\MEDIAF~1\UNWISE.EXE C:\PROGRA~1\MEDIAF~1\INSTALL.LOG
GetDataBack for NTFS --> "D:\Program Files\Get Data Back\GetDataBack for NTFS\Uninstall.exe" "D:\Program Files\Get Data Back\GetDataBack for NTFS\install.log" -u
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
GoToMyPC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F4D4FD-1814-4068-B316-C28FC776C6DD}\Setup.exe" -l0x9 AddRemovePrograms
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HouseCall 6.6 --> "C:\Documents and Settings\david.DATACRAFT\Application Data\HouseCall 6.6\uninstaller.exe"
Ipswitch WS_FTP Pro --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\WS_FTP Pro\uninst.isu" -c"C:\Program Files\WS_FTP Pro\FTPInstUtils.dll"
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
Jasc Paint Shop Pro 8 --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Macromedia Shockwave Player --> MsiExec.exe /X{7D1D6A24-65D4-454C-8815-4F08A5FFF12C}
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\MSSQL\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\MSSQL\sqlsun.dll" -msql.mif i=MSSQLSERVER
Microsoft Visual Web Developer 2005 Express Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Web Developer 2005 Express Edition - ENU\setup.exe
Microsoft Visual Web Developer 2005 Express Edition - ENU --> MsiExec.exe /X{221125DC-6A40-4900-B844-591F5E1195B0}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 8 --> MsiExec.exe /X{B944FA21-81AF-4A77-8328-CE4F4CC51033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
PVCS Tracker 6 --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\islv\Tracker\nt\DeIsL1.isu
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\Setup.exe" -l0x9 -removeonly
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SnagIt 8 --> MsiExec.exe /I{524228C9-826F-4B58-9E47-4F2E5C7E9F45}
SnagIt 8 --> MsiExec.exe /I{A900E37C-AAE3-44FB-8EE7-7E61F7087CE7}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SpamBayes 1.0.4 --> "C:\Program Files\SpamBayes\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
WebEx MeetMeNow --> C:\WINDOWS\DOWNLO~1\MyWebEx\419\\mwmcliun.exe
Win AVI HelixSDK --> c:\unins000.exe
WinAVI Video Converter --> "C:\Program Files\WinAVI Video Converter\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type15490 / Warning
Event Submitted/Written: 08/14/2008 00:54:58 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from CRESSIDA IP 192.168.222.20 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type15489 / Warning
Event Submitted/Written: 08/14/2008 00:54:58 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from CRESSIDA IP 192.168.222.20 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type15481 / Warning
Event Submitted/Written: 08/13/2008 05:43:06 PM
Event ID/Source: 19011 / MSSQLServer
Event Description:
SuperSocket info: (SpnRegister) : Error 8344.

Event Record #/Type15461 / Warning
Event Submitted/Written: 08/13/2008 05:18:43 PM
Event ID/Source: 19011 / MSSQLServer
Event Description:
SuperSocket info: (SpnRegister) : Error 8344.

Event Record #/Type15443 / Error
Event Submitted/Written: 08/11/2008 00:05:58 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\WINDOWS\system32\tbrsch.dll.vir is infected with Downloader.gen.a Trojan. The file was successfully deleted.(from CRESSIDA IP 192.168.222.20 user CRESSIDA running VirusScan Enter 8.0 OAS)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type32302 / Error
Event Submitted/Written: 08/14/2008 10:56:51 AM
Event ID/Source: 6004 / EventLog
Event Description:
A driver packet received from the I/O subsystem was invalid. The data is the
packet.

Event Record #/Type32301 / Error
Event Submitted/Written: 08/14/2008 10:56:51 AM
Event ID/Source: 6004 / EventLog
Event Description:
A driver packet received from the I/O subsystem was invalid. The data is the
packet.

Event Record #/Type32300 / Error
Event Submitted/Written: 08/14/2008 10:56:52 AM
Event ID/Source: 6004 / EventLog
Event Description:
A driver packet received from the I/O subsystem was invalid. The data is the
packet.

Event Record #/Type32299 / Error
Event Submitted/Written: 08/14/2008 10:56:55 AM
Event ID/Source: 6004 / EventLog
Event Description:
A driver packet received from the I/O subsystem was invalid. The data is the
packet.

Event Record #/Type32298 / Error
Event Submitted/Written: 08/14/2008 10:56:56 AM
Event ID/Source: 6004 / EventLog
Event Description:
A driver packet received from the I/O subsystem was invalid. The data is the
packet.



-- End of Deckard's System Scanner: finished at 2008-08-14 12:55:12 ------------

#8 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 August 2008 - 09:23 AM

Hello, DD_2.
We need to run ComboFix.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Please visit the following page for instructions on running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Please ensure you read this guide carefully and install the Recovery Console first.
  • MAKE SURE YOU DELETE ANY COPIES OF COMBOFIX YOU HAVE AND REDOWNLOAD!!!
    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • After you install the recovery console, you will see this window.
    Posted Image
    Please select Yes.
  • When the tool is finished, it will produce a report for you. Copy and paste that report in a reply here.
In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 DD_2
  • Topic Starter
  • Members
  • 10 posts

Posted 14 August 2008 - 10:22 AM

ComboFix log as requested.
Thanks for the help so far.

ComboFix 08-08-13.05 - david 2008-08-14 16:16:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.386 [GMT 1:00]
Running from: C:\Documents and Settings\david.DATACRAFT.000\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\david.DATACRAFT.000\Application Data\macromedia\Flash Player\#SharedObjects\4XNVM2HH\interclick.com
C:\Documents and Settings\david.DATACRAFT.000\Application Data\macromedia\Flash Player\#SharedObjects\4XNVM2HH\interclick.com\ud.sol
C:\Documents and Settings\david.DATACRAFT.000\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\david.DATACRAFT.000\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-13 04:56 . 2008-05-01 15:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 09:33 . 2008-08-12 19:22 <DIR> d-------- C:\Documents and Settings\david.DATACRAFT
2008-08-08 08:57 . 2008-08-08 09:00 <DIR> d-------- C:\Program Files\FreeUndelete
2008-08-05 12:55 . 2008-08-05 12:55 <DIR> d-------- C:\Documents and Settings\david.DATACRAFT.0001
2008-08-05 12:53 . 2008-08-05 12:53 <DIR> d-------- C:\Documents and Settings\Administrator.DATACRAFT\Application Data\Nero
2008-08-05 12:25 . 2008-08-05 12:25 <DIR> d-------- C:\Documents and Settings\david\Application Data\Nero
2008-07-25 09:32 . 2008-07-25 09:32 <DIR> d-------- C:\Deckard
2008-07-22 13:11 . 2008-07-22 13:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-22 13:11 . 2008-07-22 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 15:22 . 2008-07-20 15:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-20 15:22 . 2008-07-20 15:22 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 15:12 --------- d-----w C:\Documents and Settings\david.DATACRAFT.000\Application Data\DNA
2008-08-13 16:17 --------- d-----w C:\Documents and Settings\david.DATACRAFT.000\Application Data\BitTorrent
2008-08-12 16:19 --------- d-----w C:\Documents and Settings\david.DATACRAFT.000\Application Data\AdobeUM
2008-08-05 13:50 --------- d-----w C:\Program Files\Java
2008-07-11 16:50 --------- d-----w C:\Program Files\Trend Micro
2008-07-10 08:37 --------- d-----w C:\Documents and Settings\david.DATACRAFT.000\Application Data\HouseCall 6.6
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-25 12:24 --------- d-----w C:\Program Files\Aptana
2008-06-25 10:30 --------- d-----w C:\Program Files\dhs
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 09:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2007-06-14 10:36 3,820,104 ------w C:\Documents and Settings\david.DATACRAFT.000\gosetup.exe
2007-03-26 15:37 563,712 ------w C:\Documents and Settings\david.DATACRAFT.000\gotomypc_370.exe
2007-03-16 17:58 3,897 ----a-w C:\Program Files\MIMAS.txt
2007-03-16 17:58 3,780 ------w C:\Program Files\YMIR.txt
2007-01-26 15:26 722,176 ------w C:\Documents and Settings\david.DATACRAFT.000\gotomypc_428.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-11_ 9.15.49.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\advpack.dll
+ 2008-04-23 04:16:28 347,136 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtmsft.dll
+ 2008-04-23 04:16:28 214,528 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtrans.dll
+ 2008-04-23 04:16:28 133,120 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\extmgr.dll
+ 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\icardie.dll
+ 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ie4uinit.exe
+ 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakeng.dll
+ 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieaksie.dll
+ 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakui.dll
+ 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieapfltr.dll
+ 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iedkcs32.dll
+ 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieframe.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iernonce.dll
+ 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iertutil.dll
+ 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieudinit.exe
+ 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iexplore.exe
+ 2008-04-23 04:16:28 27,648 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\jsproxy.dll
+ 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeeds.dll
+ 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeedsbs.dll
+ 2008-04-23 21:16:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtml.dll
+ 2008-04-23 04:16:28 478,208 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtmled.dll
+ 2008-04-23 04:16:28 193,024 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msrating.dll
+ 2008-04-23 04:16:28 671,232 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mstime.dll
+ 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\occache.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\updspapi.dll
+ 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\url.dll
+ 2008-04-23 04:16:29 1,159,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\urlmon.dll
+ 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\webcheck.dll
+ 2008-04-23 04:16:29 826,368 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\wininet.dll
- 2007-03-07 15:24:48 593,920 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-08-05 11:55:57 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-03-07 15:24:48 12,288 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-08-05 11:55:58 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-03-07 15:24:48 86,016 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-08-05 11:55:58 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2007-03-07 15:24:48 135,168 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-08-05 11:55:57 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-03-07 15:24:48 11,264 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-08-05 11:55:58 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-03-07 15:24:48 27,136 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-08-05 11:55:58 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-03-07 15:24:48 4,096 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-08-05 11:55:58 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-03-07 15:24:48 794,624 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-08-05 11:55:58 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-03-07 15:24:48 249,856 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-08-05 11:55:57 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-03-07 15:24:48 61,440 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-08-05 11:55:57 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-03-07 15:24:48 23,040 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-08-05 11:55:58 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-03-07 15:24:48 286,720 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-08-05 11:55:57 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-03-07 15:24:47 409,600 ------r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-08-05 11:55:57 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-06-23 16:57:27 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-04-23 04:16:28 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-06-23 16:57:27 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-04-23 04:16:28 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-06-23 16:57:27 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-04-23 04:16:28 133,120 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-06-23 16:57:27 133,120 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2008-06-23 16:57:28 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
- 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-06-23 16:57:29 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-06-23 16:57:29 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2008-06-23 16:57:29 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-06-23 16:57:29 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2008-06-23 16:57:33 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-06-23 16:57:33 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2008-06-23 16:57:34 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-08-21 06:15:44 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2008-04-23 04:16:28 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-06-23 16:57:35 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2008-06-23 16:57:36 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2008-06-23 16:57:36 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2008-04-23 04:16:28 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-06-23 16:57:39 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-04-23 04:16:28 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-06-23 16:57:39 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-04-23 04:16:28 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-06-23 16:57:40 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-06-23 16:57:40 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-06-23 16:57:40 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-06-23 16:57:40 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
- 2008-04-23 04:16:29 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-06-23 16:57:40 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-04-23 04:16:29 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-06-23 16:57:41 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-04-23 04:16:29 826,368 ------w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-06-23 16:57:41 826,368 ------w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-04-23 04:16:28 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
+ 2008-06-23 16:57:27 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
- 2008-04-23 04:16:28 133,120 ------w C:\WINDOWS\system32\extmgr.dll
+ 2008-06-23 16:57:27 133,120 ------w C:\WINDOWS\system32\extmgr.dll
- 2008-04-09 02:08:33 273,376 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-07-15 13:18:39 273,376 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2008-06-23 16:57:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2008-04-22 07:39:58 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-06-23 09:20:25 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
+ 2008-06-23 16:57:29 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
+ 2008-06-23 16:57:29 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2008-04-20 05:07:51 161,792 ------w C:\WINDOWS\system32\ieakui.dll
+ 2008-06-21 05:23:54 161,792 ------w C:\WINDOWS\system32\ieakui.dll
- 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-06-23 16:57:29 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2008-06-23 16:57:33 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\iernonce.dll
+ 2008-06-23 16:57:33 44,544 ------w C:\WINDOWS\system32\iernonce.dll
- 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2008-06-23 16:57:34 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2008-04-22 07:39:58 13,824 ------w C:\WINDOWS\system32\ieudinit.exe
+ 2008-06-23 09:20:26 13,824 ------w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2008-07-11 08:13:11 224,987 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-13 16:45:10 224,985 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 00:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 00:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-04-23 04:16:28 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
+ 2008-06-23 16:57:35 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-08-05 18:11:01 15,888,504 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2008-06-23 16:57:36 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2008-06-23 16:57:36 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2008-04-23 21:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-06-24 09:57:40 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-04-23 04:16:28 478,208 ------w C:\WINDOWS\system32\mshtmled.dll
+ 2008-06-23 16:57:39 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-04-23 04:16:28 193,024 ------w C:\WINDOWS\system32\msrating.dll
+ 2008-06-23 16:57:39 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2008-04-23 04:16:28 671,232 ------w C:\WINDOWS\system32\mstime.dll
+ 2008-06-23 16:57:40 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\system32\occache.dll
+ 2008-06-23 16:57:40 102,912 ------w C:\WINDOWS\system32\occache.dll
- 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-06-23 16:57:40 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2007-11-13 11:31:11 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2008-07-14 11:09:18 62,976 ------w C:\WINDOWS\system32\tzchange.exe
- 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-06-23 16:57:40 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-06-23 16:57:40 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-06-23 16:57:41 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-06-23 16:57:41 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-08-13 16:48:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_748.dat
+ 2008-08-13 16:43:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:22 289088]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 15:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 14:48 127118]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 21:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48 147514]
"BackgroundScheduler"="C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe" [1997-07-11 18:38 16896]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 15:07 90112 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-02-08 11:56:48 69632]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-06-20 08:10:00 5976064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ili20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sfs46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xxD60.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\APPS\\Powercinema\\PowerCinema.exe"=
"C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 Ili20;Ili20;C:\WINDOWS\system32\Drivers\Ili20.sys []
S0 Sfs46;Sfs46;C:\WINDOWS\system32\Drivers\Sfs46.sys []
S0 xxD60;xxD60;C:\WINDOWS\system32\Drivers\xxD60.sys []
S3 COAX;COAX;C:\WINDOWS\system32\drivers\COAX.sys [1997-06-18 19:28]
S3 DHSMail;DHSMail;C:\Program Files\dhs\programs\DHSMailSrvc.exe [2005-11-08 11:41]
S3 RMBS;RMBS;C:\WINDOWS\system32\drivers\RMBS.sys [1996-03-12 18:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35508cff-942b-11dc-bba6-0016ec8f210f}]
\Shell\AutoRun\command - D:\AutoTransfer.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - ENTDRV51
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\david.DATACRAFT.000\Application Data\Mozilla\Firefox\Profiles\l77at43q.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 16:18:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-14 16:19:21
ComboFix-quarantined-files.txt 2008-08-14 15:19:18
ComboFix2.txt 2008-07-21 06:05:00
ComboFix3.txt 2008-07-11 16:48:17
ComboFix4.txt 2008-07-11 08:16:14

Pre-Run: 26,720,268,288 bytes free
Post-Run: 26,714,464,256 bytes free

346 --- E O F --- 2008-08-13 13:45:40

#10 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,301 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 August 2008 - 10:34 AM

Hello, DD_2.
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/159606/virus-help/
    
    suspect::[54]
    C:\WINDOWS\system32\drivers\COAX.sys
    C:\WINDOWS\system32\drivers\RMBS.sys
    
    registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ili20.sys]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sfs46.sys]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xxD60.sys]
    
    file::
    C:\WINDOWS\system32\tbrsch.dll
    
    rootkit::
    C:\WINDOWS\system32\Drivers\Ili20.sys
    C:\WINDOWS\system32\Drivers\Sfs46.sys
    C:\WINDOWS\system32\Drivers\xxD60.sys
    
    driver::
    Ili20
    Sfs46
    xxD60
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
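The three drivers the CFScript above removes (Ili20, Sfs46, xxD60) share a pattern that is visible in the ComboFix log DD_2 posted: each is an S0 (stopped, boot-start) service whose driver line ends in empty brackets where every other entry shows a file date, and each also has a key under SafeBoot\Minimal so that it is loaded even in Safe Mode. The Python script below is an added example, not part of this thread and not ComboFix's own code; it parses those two kinds of log line and applies that triage rule so the reasoning behind the CFScript can be checked mechanically. The sample input is constructed from the lines posted above, and the function names (parse_services, find_service, suspicious_services, report) are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: service and SafeBoot lines copied from the
# ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ili20.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Sfs46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xxD60.sys]
@="Driver"

S0 Ili20;Ili20;C:\WINDOWS\system32\Drivers\Ili20.sys []
S0 Sfs46;Sfs46;C:\WINDOWS\system32\Drivers\Sfs46.sys []
S0 xxD60;xxD60;C:\WINDOWS\system32\Drivers\xxD60.sys []
S3 COAX;COAX;C:\WINDOWS\system32\drivers\COAX.sys [1997-06-18 19:28]
S3 DHSMail;DHSMail;C:\Program Files\dhs\programs\DHSMailSrvc.exe [2005-11-08 11:41]
S3 RMBS;RMBS;C:\WINDOWS\system32\drivers\RMBS.sys [1996-03-12 18:21]
"""

# Service line: "<S|R><start type> name;display name;image path [date time]".
# S = stopped, R = running; start type 0 is boot-start, 3 is on-demand.
# The trailing brackets hold the file's date; they are empty when ComboFix
# recorded no file information for the entry.
SERVICE_RE = re.compile(r"^([SR][0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")

# SafeBoot\Minimal or \Network key naming a driver, as written in the log
# or in CFScript deletion form ("[-HKEY...]").
SAFEBOOT_RE = re.compile(
    r"^\[-?HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\]\\]+)\]$",
    re.IGNORECASE,
)


@dataclass
class Service:
    start: str                 # e.g. "S0"
    name: str
    path: str
    file_info: str             # bracket contents, "" when no file info was recorded
    safeboot: List[str] = field(default_factory=list)  # SafeBoot profiles listing it

    def reasons(self) -> List[str]:
        """Triage rules this entry trips; an empty list means nothing notable."""
        hits = []
        if self.start.endswith("0") and not self.file_info:
            hits.append("boot-start driver with no file information in the log")
        if self.safeboot:
            hits.append("loads in Safe Mode via SafeBoot\\" + "/".join(self.safeboot))
        return hits


def parse_services(log_text: str) -> List[Service]:
    """Collect service lines and attach any SafeBoot keys naming the same driver."""
    services: Dict[str, Service] = {}
    safeboot: Dict[str, set] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SAFEBOOT_RE.match(line)
        if m:
            profile, key = m.group(1), m.group(2)
            base = key.lower()
            if base.endswith(".sys"):
                base = base[:-4]          # key "Ili20.sys" names service "Ili20"
            safeboot.setdefault(base, set()).add(profile)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path, info = m.groups()
            name = name.strip()
            services[name] = Service(start, name, path, info.strip())
    for svc in services.values():
        svc.safeboot = sorted(safeboot.get(svc.name.lower(), ()))
    return list(services.values())


def find_service(log_text: str, name: str) -> Optional[Service]:
    for svc in parse_services(log_text):
        if svc.name.lower() == name.lower():
            return svc
    return None


def suspicious_services(log_text: str) -> List[str]:
    """Names of entries that trip at least one triage rule, sorted."""
    return sorted(s.name for s in parse_services(log_text) if s.reasons())


def report(log_text: str) -> List[str]:
    """One human-readable line per rule hit, for pasting into a reply."""
    return [f"{svc.name} ({svc.path}): {why}"
            for svc in parse_services(log_text) for why in svc.reasons()]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the posted log the script names exactly the three drivers the CFScript's rootkit:: and driver:: sections remove, and nothing else: COAX and RMBS, which the CFScript only lists under suspect::, carry file dates and have no SafeBoot keys, so they trip neither rule. Either rule on its own is weak (a vendor driver can legitimately register for Safe Mode), which is why the script reports the reasons rather than a verdict and leaves the decision to whoever reads the log.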

#11 DD_2
  • Topic Starter
  • Members
  • 10 posts

Posted 15 August 2008 - 02:57 AM

Okay, here is the ComboFix log.
Also, there was a zip file created that attempted to send to a website, but I am not sure if it completed. I have attached it here too.

ComboFix 08-08-14.02 - david 2008-08-15 8:34:45.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.382 [GMT 1:00]
Running from: C:\Documents and Settings\david.DATACRAFT.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\david.DATACRAFT.000\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\tbrsch.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\npptools.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ILI20
-------\Legacy_XXD60
-------\Service_Ili20
-------\Service_Sfs46
-------\Service_xxD60


((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-13 04:56 . 2008-05-01 15:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 09:33 . 2008-08-12 19:22 <DIR> d-------- C:\Documents and Settings\david.DATACRAFT
2008-08-08 08:57 . 2008-08-08 09:00 <DIR> d-------- C:\Program Files\FreeUndelete
2008-08-05 12:55 . 2008-08-05 12:55 <DIR> d-------- C:\Documents and Settings\david.DATACRAFT.0001
2008-08-05 12:53 . 2008-08-05 12:53 <DIR> d-------- C:\Documents and Settings\Administrator.DATACRAFT\Application Data\Nero
2008-08-05 12:25 . 2008-08-05 12:25 <DIR> d-------- C:\Documents and Settings\david\Application Data\Nero
2008-07-25 09:32 . 2008-07-25 09:32 <DIR> d-------- C:\Deckard
2008-07-22 13:11 . 2008-07-22 13:11 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-22 13:11 . 2008-07-22 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-20 15:22 . 2008-07-20 15:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-20 15:22 . 2008-07-20 15:22 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 07:42 --------- d-----w C:\Documents and Settings\david.DATACRAFT.000\Application Data\DNA
2008-08-13 16:17 --------- d-----w C:\Documents and Settings\david.DATACRAFT.000\Application Data\BitTorrent
2008-08-12 16:19 --------- d-----w C:\Documents and Settings\david.DATACRAFT.000\Application Data\AdobeUM
2008-08-05 13:50 --------- d-----w C:\Program Files\Java
2008-07-11 16:50 --------- d-----w C:\Program Files\Trend Micro
2008-07-10 08:37 --------- d-----w C:\Documents and Settings\david.DATACRAFT.000\Application Data\HouseCall 6.6
2008-06-25 12:24 --------- d-----w C:\Program Files\Aptana
2008-06-25 10:30 --------- d-----w C:\Program Files\dhs
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-06-14 10:36 3,820,104 ------w C:\Documents and Settings\david.DATACRAFT.000\gosetup.exe
2007-03-26 15:37 563,712 ------w C:\Documents and Settings\david.DATACRAFT.000\gotomypc_370.exe
2007-03-16 17:58 3,897 ----a-w C:\Program Files\MIMAS.txt
2007-03-16 17:58 3,780 ------w C:\Program Files\YMIR.txt
2007-01-26 15:26 722,176 ------w C:\Documents and Settings\david.DATACRAFT.000\gotomypc_428.exe
.

((((((((((((((((((((((((((((( snapshot_2008-08-14_16.18.59.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 14:00:00 54,784 ----a-w C:\WINDOWS\system32\dllcache\npptools.dll
- 2008-08-13 16:45:10 224,985 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-15 07:44:24 224,984 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-08-15 07:43:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_9c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:22 289088]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 15:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 15:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 11:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 11:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 14:48 127118]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 21:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48 147514]
"BackgroundScheduler"="C:\PROGRA~1\COMMON~1\WallData\Schedule\RRServer.exe" [1997-07-11 18:38 16896]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 15:07 90112 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-02-08 11:56:48 69632]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-06-20 08:10:00 5976064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\APPS\\Powercinema\\PowerCinema.exe"=
"C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 COAX;COAX;C:\WINDOWS\system32\drivers\COAX.sys [1997-06-18 19:28]
S3 DHSMail;DHSMail;C:\Program Files\dhs\programs\DHSMailSrvc.exe [2005-11-08 11:41]
S3 RMBS;RMBS;C:\WINDOWS\system32\drivers\RMBS.sys [1996-03-12 18:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35508cff-942b-11dc-bba6-0016ec8f210f}]
\Shell\AutoRun\command - D:\AutoTransfer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 08:44:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\npptools.dll 54784 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\APPS\HIDSERVICE\HidService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\PROGRA~1\MI6841~1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
.
**************************************************************************
.
Completion time: 2008-08-15 8:48:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-15 07:48:06
ComboFix2.txt 2008-08-14 15:19:22
ComboFix3.txt 2008-07-21 06:05:00
ComboFix4.txt 2008-07-11 16:48:17
ComboFix5.txt 2008-08-15 07:33:50

Pre-Run: 26,699,239,424 bytes free
Post-Run: 26,683,674,624 bytes free

161 --- E O F --- 2008-08-13 13:45:40
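The "Reg Loading Points" section of the ComboFix log above is the part a responder reads most closely: Run keys, Windows Firewall exceptions and globally open ports, and the AutoRun command attached to a mounted volume. The following script is an added example, not ComboFix's code and not part of the original posts. It parses that REGEDIT4-style dump and applies the checks one otherwise makes by eye; the rules for unqualified file names and user-writable paths go a little beyond what this particular log exhibits. The sample input is constructed in the log's own syntax from entries shown above, plus one made-up "Updater" line (clearly labelled, not from the poster's machine) so the user-writable-path rule has something to fire on. The `USER_WRITABLE` fragment list is an assumption about a default XP layout.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not ComboFix code and not part of the
original posts. It parses the REGEDIT4-style dump ComboFix prints and raises
the checks a responder makes by hand: autostart values that are not a full
path, autostart binaries in user-writable directories, firewall exceptions,
ports opened to every remote host, and AutoRun commands bound to volumes.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt in the log's own syntax. Entries are taken from the log
# above except "Updater", a made-up line added only to exercise the
# user-writable-path rule; it is NOT from the poster's machine.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 17:22 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 17:45 249904]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 15:07 90112 C:\WINDOWS\soundman.exe]
"Updater"="C:\Documents and Settings\david\Local Settings\Temp\upd.exe" [2008-07-20 15:22 54156]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35508cff-942b-11dc-bba6-0016ec8f210f}]
\Shell\AutoRun\command - D:\AutoTransfer.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="value" [YYYY-MM-DD HH:MM size] with an optional resolved path that
# ComboFix appends when the value was only a file name.
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*'
    r'\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)(?: (?P<resolved>[^\]]+))?\]$'
)
AUTHAPP_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")

# Assumed directory fragments an ordinary XP user can write to; an autostart
# binary there is a review item, not a verdict.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\recycler\\")


@dataclass
class RunEntry:
    hive: str
    name: str
    value: str
    size: int
    resolved: str  # filled only when ComboFix had to locate a bare file name


@dataclass
class LoadingPoints:
    run: List[RunEntry] = field(default_factory=list)
    firewall_apps: List[str] = field(default_factory=list)
    open_ports: List[str] = field(default_factory=list)
    autorun_cmds: List[str] = field(default_factory=list)


def parse_loading_points(text: str) -> LoadingPoints:
    lp = LoadingPoints()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec["key"].lower()
            continue
        if section.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                lp.run.append(RunEntry(section.split("\\")[0], m["name"], m["value"],
                                       int(m["size"]), m["resolved"] or ""))
        elif section.endswith("authorizedapplications\\list"):
            m = AUTHAPP_RE.match(line)
            if m:  # REGEDIT4 doubles backslashes inside quoted value names
                lp.firewall_apps.append(m["path"].replace("\\\\", "\\"))
        elif section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                lp.open_ports.append(f"{m['port']}/{m['proto']}")
        elif "\\mountpoints2\\" in section:
            m = AUTORUN_RE.match(line)
            if m:
                lp.autorun_cmds.append(m["cmd"])
    return lp


def triage(lp: LoadingPoints) -> List[str]:
    findings = []
    for e in lp.run:
        if "\\" not in e.value:
            # Windows resolves a bare file name through the search path at logon,
            # so a same-named binary earlier on that path would run instead.
            findings.append(f"unqualified autostart {e.name!r}: {e.value} (found at {e.resolved})")
        elif any(frag in e.value.lower() for frag in USER_WRITABLE):
            findings.append(f"autostart {e.name!r} runs from a user-writable path: {e.value}")
    findings += [f"firewall port open to every remote host: {p}" for p in lp.open_ports]
    findings += [f"AutoRun command bound to a mounted volume: {c}" for c in lp.autorun_cmds]
    return findings


if __name__ == "__main__":
    points = parse_loading_points(SAMPLE_LOG)
    print(f"{len(points.run)} autostart entries, {len(points.firewall_apps)} firewall exceptions")
    for finding in triage(points):
        print(" -", finding)
```

Run against the real log, the same rules would surface the bare "SOUNDMAN.EXE" value, the 3389/TCP exception open to all hosts, and the D:\AutoTransfer.exe AutoRun entry; whether any of them is malicious is a separate question the parser does not answer.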




#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:27 AM

Posted 15 August 2008 - 06:23 AM

Hello, DD_2.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: the Online Scanner will now prepare itself to run on your PC
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The online scan will now start and scan your PC (this could take a while)
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software; just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will now open in Notepad
  • Click into the text area, right-click and choose "Select All" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log, along with anything else we have requested, by right-clicking and choosing "Paste" (or Ctrl+V) in the text area of the reply post you just created.
Note for Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click the IE icon in the Start Menu or Quick Launch bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:27 AM

Posted 21 August 2008 - 06:34 PM

Hello, DD_2.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3

Edited by Billy O'Neal, 21 August 2008 - 06:34 PM.


#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:11:27 AM

Posted 22 August 2008 - 11:35 AM

Topic reopened; please post your log(s) below. :thumbsup:

Billy3

#15 DD_2

DD_2
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:27 PM

Posted 24 August 2008 - 03:09 PM

The NOD32 virus scan came back with no threats; however, the regular McAfee antivirus installed on the computer complains from time to time about files in the c:\Quarantine and c:\Qoobox directories (I guess this is something to do with ComboFix).

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3380 (20080822)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5acf3341fe4d9b47bad245a189cb5cda
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-22 02:15:56
# local_time=2008-08-22 03:15:56 (+0000, GMT Daylight Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=466476
# found=0
# scan_time=4827
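The ESET log above is a block of `# key=value` lines, and a `found=0` in it is only as good as the scan that produced it. The script below is an added example, not ESET's code and not part of the original posts: it parses that header and lists the reasons a clean result should not be trusted at face value (scan did not finish, the options the helper asked for were off, very few objects were scanned, or the signature database was older than the scan by more than a set margin). The sample header is constructed from the field names and values in the posted log, with unrelated module-version lines left out; the two-day signature-age limit and the 10,000-object minimum are assumptions, not ESET figures.

```python
"""Check that an ESET Online Scanner log header supports a "clean" verdict.

Added example for this thread, not ESET's code. The scanner writes a block of
'# key=value' lines at the top of log.txt; found=0 there is only meaningful if
the scan finished, ran with the requested options, covered a non-trivial number
of objects and used signatures that were current at scan time.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed header using field names and values from the posted log
# (unrelated module-version lines omitted).
SAMPLE_HEADER = """\
# version=4
# vers_standard_module=3380 (20080822)
# vers_arch_module=1.064 (20080214)
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-22 02:15:56
# osver=5.1.2600 NT Service Pack 2
# scanned=466476
# found=0
# scan_time=4827
"""


def parse_header(text: str) -> Dict[str, str]:
    """Collect the '# key=value' lines into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def assess(fields: Dict[str, str], max_sig_age_days: int = 2,
           min_scanned: int = 10_000) -> List[str]:
    """Return the reasons this header does not back a clean verdict (empty = OK).

    The age and count thresholds are assumptions for illustration, not ESET's.
    """
    problems = []
    if fields.get("end") != "finished":
        problems.append("scan did not run to completion")
    for opt in ("remove_checked", "unwanted_checked"):
        if fields.get(opt) != "true":
            problems.append(f"{opt} was not enabled")
    if int(fields.get("scanned", "0")) < min_scanned:
        problems.append("too few objects scanned")
    # The signature release date is the YYYYMMDD in parentheses after the build number.
    m = re.search(r"\((\d{8})\)", fields.get("vers_standard_module", ""))
    if not m or "utc_time" not in fields:
        problems.append("cannot establish signature age")
    else:
        sig = datetime.strptime(m.group(1), "%Y%m%d")
        scan = datetime.strptime(fields["utc_time"], "%Y-%m-%d %H:%M:%S")
        if scan - sig > timedelta(days=max_sig_age_days):
            problems.append(f"signatures dated {sig:%Y-%m-%d} were stale at scan time")
    return problems


def threats_found(fields: Dict[str, str]) -> int:
    return int(fields.get("found", "0"))


if __name__ == "__main__":
    header = parse_header(SAMPLE_HEADER)
    issues = assess(header)
    print(f"threats found: {threats_found(header)}; scanned: {header['scanned']}")
    print("verdict usable" if not issues else "caveats: " + "; ".join(issues))
```

For the posted header all four checks pass: the signature module date (20080822) matches the scan's UTC date, so the "no threats" result at least came from a finished, current scan.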



