Infected With Nasty Chinese Malware


This topic is locked
23 replies to this topic

#1 Peter E (Members, 12 posts)

Posted 15 August 2008 - 10:56 AM

So, I've heard about this happening before, but never thought it would hit me... I am very careful about adware, etc., and have never had a problem until now. The other day I purchased a new 750 GB Iomega external hard drive. It was Mac-formatted, so I plugged it in and turned it on with the intention of reformatting it. However, once it was connected and installed I started getting these full-screen IE (I use Firefox for browsing) popups full of advertisements in Chinese. I didn't think much of it, so I didn't write down the addresses. Immediately the computer started acting odd... slowing down, hanging up at odd times. Then my Norton AntiVirus notified me of a couple of viruses in the temp folder. I started to get worried, so I stopped everything and did a full virus scan. The scan crashed with a BSOD, and when I rebooted the computer I ran every online virus scan I could find, repeatedly, trying to get rid of all of the crap. I found a bunch of trojans, keyloggers, infostealers, rootkits, etc., could not run Task Manager or HijackThis, and at one point Windows would not even fully boot.

I've done a lot of work so far, and am almost there, but there are still a few things that keep coming back. It is for this reason that I am forced to finally ask for help. Here is my HijackThis log... hopefully you can see some things in there that I did not notice.

EDIT: I read on another thread that I should list the steps I've taken so far...
I have installed and run Ad-Aware, Spybot, AVG (because Norton has been disabled by the malware somehow), and ZoneAlarm.
I finally got to the point where I got the old "my desktop won't show up", so after reading up on it, I decided to run ComboFix. That helped restore a lot of functionality and allowed me to finally delete the csrsss and csrssa files that I was unable to remove for so long.
I have run just about every online scanner that's ever been recommended, including BitDefender, Malwarebytes, and Panda. No scans ever seem to come up clean, even though there don't seem to be any further errors by any of the applications in deleting the files that are found.

So... yeah, that's where I'm at. Here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:39 AM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\hhcmd.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TrayIt\TrayIt!.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\ctfmons.exe
C:\PROGRA~1\AVG\AVG8\avgupd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about.blank.la?g
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=k3...ea30KBJcWJwZG2U
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: TrayIt!.lnk = C:\Program Files\TrayIt\TrayIt!.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://tcgdc/ProjectServer/objects/pjclient.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://tcgdc/ProjectServer/objects/1033/pjcintl.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file:///V:/Service%20Packs/Visual_Studio_60/Platform%20SDK(Feb%202003)/controls/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\Software\..\Telephony: DomainName = Tactical-Communications-Group.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\WINDOWS\CKsrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel Chip Group (IntelChip) - Unknown owner - C:\WINDOWS\system32\hhcmd.exe
O23 - Service: Numega Control Service (NCS) - Compuware Corporation - NuMega Lab - C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: Desktop Drivers (TopdeskDriver) - Unknown owner - C:\WINDOWS\system32\explsore.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11585 bytes

Edited by Peter E, 15 August 2008 - 04:23 PM.



#2 sundavis (Malware Response Team, 2,708 posts)

Posted 24 August 2008 - 02:24 AM

Hi,

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Peter E.
My name is sundavis, I will be helping you to deal with your Malware problems today.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, then please do the following.
The log you posted is a few days old and may no longer show the current state of the machine. Please rescan your computer and post a new HJT log and an Uninstall List.
In the meantime, please refrain from making any changes to your computer. Thanks.

Make an Uninstall List

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button
5. Click on the Save list button
6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
7. Copy and paste the contents into your next reply, along with a fresh HJT log.

#3 Peter E (Topic Starter; Members, 12 posts)

Posted 24 August 2008 - 01:49 PM

Hello!

I totally understand how busy you guys are, some of this stuff is so tenacious. Hopefully we'll have some success...

As for the state of affairs: currently the computer is usable and stable. Virus scans usually come up clean, but ZoneAlarm routinely alerts about several different files trying to access the internet (which I deny) and AVG detects Backdoor.Generic10.BQB and .CFK viruses infecting dnssvr.dll and ctfmons.exe (and deletes them). Something is trying really hard to reinstall itself.

Also, Internet Explorer is almost totally unusable. Every time I open it, it redirects the page to open a bunch of blank and/or hidden windows... all of which have to be killed via TaskManager. Fun stuff. Okay, here are the logs:


Ad-Aware
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
AuthenTec Fingerprint Sensor Minimum Install
AVG 8.0
biolsp patch
BioShock
Broadcom ASF Management Applications
Broadcom Management Programs
Combined Community Codec Pack 2008-01-24
Conexant HDA D330 MDC V.92 Modem
CutePDF Writer 2.7
Dell Drivers MSI
Dell Embassy Trust Suite by Wave Systems
Dell Touchpad
Diablo II
Digital Line Detect
Document Manager Lite
EMBASSY Security Center
EMBASSY Security Setup
EMBASSY Trust Suite by Wave Systems
ESC Home Page Plugin
eSMART 2008 v1.1
Free YouTube to Mp3 Converter version 3.1
FTDI USB Serial Converter Drivers
Gemalto
GemSafe Standard Edition 5.1
GnuWin32: UnRar version 3.4.3
HijackThis 2.0.2
Intel® PROSet/Wireless Software
IntelliSonic Speech Enhancement
IrfanView (remove only)
ISO Recorder
J2SE Runtime Environment 5.0 Update 6
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync
Microsoft Office Visio Viewer 2003 (English)
Microsoft Office Word Viewer 2003
Microsoft Office XP Professional with FrontPage
Microsoft SDK Update February 2003 (5.2.3790.0)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 (MSSQLESMART)
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Desktop Engine
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
mIWA
mLogView
mMHouse
Modem Diagnostic Tool
Mozilla Firefox (2.0.0.16)
mPfMgr
mPfWiz
mProSafe
mSCfg
MSDN Library - January 2003 DVD
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mZConfig
NDDS 3.0m Uninstall
NetWaiting
NTRU TCG Software Stack
NuMega DevPartner for Visual C++ 6.6
NVIDIA Drivers
Panda ActiveScan 2.0
PASS-3200
PC-lint ™ for C/C++ v8.00
PowerDVD
Preboot Manager
Private Information Manager
QuickSet
Secure Update
Security Update for Step By Step Interactive Training (KB923723)
Security Wizards
Server_2003-A-2
SigmaTel Audio
SonicWALL Global VPN Client
Symantec AntiVirus
TeamSpeak 2 RC2
TeamSpeak Overlay BETA 2 (#63)
TightVNC 1.3.9
Trusted Drive Manager
tsp patch
Uninstall 1.0.0.1
upekmsi
URL Assistant
VAG-COM Release 704.1
VCDS Release 805.0
Ventrilo Client
Wave Infrastructure Installer
Wave Support Software
Windows Driver Package - Ross-Tech USB Driver Package (11/16/2007 6.0.2.0)
WinRAR archiver
WinZip
ZoneAlarm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:53 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\hhcmd.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\TrayIt\TrayIt!.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about.blank.la?g
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=k3...ea30KBJcWJwZG2U
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: TrayIt!.lnk = C:\Program Files\TrayIt\TrayIt!.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://tcgdc/ProjectServer/objects/pjclient.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://tcgdc/ProjectServer/objects/1033/pjcintl.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file:///V:/Service%20Packs/Visual_Studio_60/Platform%20SDK(Feb%202003)/controls/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\Software\..\Telephony: DomainName = Tactical-Communications-Group.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\WINDOWS\CKsrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel Chip Group (IntelChip) - Unknown owner - C:\WINDOWS\system32\hhcmd.exe
O23 - Service: Numega Control Service (NCS) - Compuware Corporation - NuMega Lab - C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: Desktop Drivers (TopdeskDriver) - Unknown owner - C:\WINDOWS\system32\explsore.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11663 bytes
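Both logs in this thread are in the HijackThis 2.0.x line format, and the helper's request for a fresh scan is really a request to see what changed between the two. The following Python script is an added example, not code from the thread or from HijackThis itself: it parses the "Running processes" and O23 service sections, flags entries by three heuristics that the posted logs happen to illustrate (a process or service binary whose file name is one edit away from a Windows system binary, a service with no recorded owner, and a service whose binary is missing on disk), and diffs two logs to list what appeared or disappeared. The KNOWN_SYSTEM_BINARIES table, the 0.85 similarity threshold, the O23 regex and the two log excerpts are assumptions constructed for the example.

```python
"""Triage helpers for HijackThis 2.0.x logs (added example, not from the thread)."""
import ntpath
import re
from difflib import SequenceMatcher

# Assumption: a short table of Windows XP binaries that malware likes to imitate.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "iexplore.exe",
    "ctfmon.exe", "rundll32.exe", "dllhost.exe", "wuauclt.exe",
}
LOOKALIKE_THRESHOLD = 0.85  # assumption: catches one-character insertions or swaps

# Assumption: O23 lines read "name - owner - drive:\path"; the owner may itself contain " - ".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$")

def parse_hjt(text):
    """Return (processes, services) from the text of an HJT log."""
    processes, services = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:                      # a blank line closes the process block
                in_processes = False
            continue
        m = O23_RE.match(line)
        if m:
            services.append(m.groupdict())
    return processes, services

def basename(path):
    """Lower-cased file name of a Windows path, minus HJT's '(file missing)' marker."""
    return ntpath.basename(path.replace(" (file missing)", "")).lower()

def lookalike_of(name):
    """Known system binary that `name` closely resembles; None if none, or if `name` is one."""
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    best, best_ratio = None, 0.0
    for known in sorted(KNOWN_SYSTEM_BINARIES):   # sorted so ties resolve deterministically
        ratio = SequenceMatcher(None, name, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= LOOKALIKE_THRESHOLD else None

def triage(text):
    """(entry, reason) pairs for processes and services that deserve a second look."""
    processes, services = parse_hjt(text)
    findings = []
    for proc in processes:
        hit = lookalike_of(basename(proc))
        if hit:
            findings.append((proc, "name resembles system binary " + hit))
    for svc in services:
        reasons = []
        if svc["owner"] == "Unknown owner":
            reasons.append("no vendor recorded for the service")
        if svc["path"].endswith("(file missing)"):
            reasons.append("service binary missing on disk")
        hit = lookalike_of(basename(svc["path"]))
        if hit:
            reasons.append("name resembles system binary " + hit)
        if reasons:
            findings.append((svc["name"], "; ".join(reasons)))
    return findings

def diff_logs(old_text, new_text):
    """What appeared or disappeared between two scans of the same machine."""
    old_p, old_s = parse_hjt(old_text)
    new_p, new_s = parse_hjt(new_text)
    old_proc, new_proc = {basename(p) for p in old_p}, {basename(p) for p in new_p}
    old_svc, new_svc = {s["name"] for s in old_s}, {s["name"] for s in new_s}
    return {"processes_added": sorted(new_proc - old_proc),
            "processes_gone": sorted(old_proc - new_proc),
            "services_added": sorted(new_svc - old_svc),
            "services_gone": sorted(old_svc - new_svc)}

# Hand-constructed excerpts in the thread's log format (not the full posted logs).
LOG_FIRST = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\hhcmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ctfmons.exe

O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\WINDOWS\CKsrv.exe
O23 - Service: Intel Chip Group (IntelChip) - Unknown owner - C:\WINDOWS\system32\hhcmd.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Desktop Drivers (TopdeskDriver) - Unknown owner - C:\WINDOWS\system32\explsore.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
# Second scan: the look-alike process is gone, Windows Update is running, one service was added.
LOG_SECOND = LOG_FIRST.replace("C:\\WINDOWS\\System32\\ctfmons.exe\n", "C:\\WINDOWS\\system32\\wuauclt.exe\n") + \
    "O23 - Service: Imapi Helper - Alex Feinman - C:\\Program Files\\ISO Recorder\\ImapiHelper.exe\n"

if __name__ == "__main__":
    for entry, reason in triage(LOG_FIRST):
        print("%-48s %s" % (entry, reason))
    print(diff_logs(LOG_FIRST, LOG_SECOND))
```

"Unknown owner" is a lead, not a verdict: the NTRU TCG Software Stack service in the posted log trips it just as the entries with Windows-looking names do, which is why the output carries a reason rather than a score, and why the helper asks for the uninstall list alongside the log. The similarity check is what separates ctfmons.exe from ctfmon.exe and explsore.exe from explorer.exe at a glance; the diff is what shows that a deleted file did not come back between scans.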

#4 sundavis (Malware Response Team, 2,708 posts)

Posted 25 August 2008 - 12:59 AM

Hi,

The fixes are specific to your problem and should only be used for this issue on this machine.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic. Thanks


Step1

Your computer has multiple infections, including a Backdoor. A Backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are well advised to do the following:
  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Because a Backdoor opens your computer to unauthorized access, deleting malware may not completely secure an infected computer. Reinstalling the operating system and recovering data from backups may be the only way to make certain a critical system is safe.

The decision is yours: reinstall your system, or proceed with our cleaning process. I'm pleased to help. If you still want to clean your system, please follow the instructions below.


Step 2


I do not recommend having more than one anti-virus product installed and running on your computer at a time. If both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either Norton Antivirus or AVG8.
You can go to Here or Here to download and run this tool to clean some leftovers after you remove it from Add/Remove Programs.


Step 3


Delete the ComboFix you downloaded before and get the updated version from the following.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Post the entire contents of C:\ComboFix.txt into your next reply.


Step 4

1. Do you recognize the Domain in the following?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\Software\..\Telephony: DomainName = Tactical-Communications-Group.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com

2. Did you enable the Distributed Link Tracking (DLT) Server yourself?

O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\WINDOWS\CKsrv.exe

Please specify that info in your next reply. Thanks.


In your next reply, please post back:

1. ComboFix.txt
2. New HJT log

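The two O23 entries queried in Step 4 and in the log above (a service named after Distributed Link Tracking that points at C:\WINDOWS\CKsrv.exe, and "Desktop Drivers" pointing at a missing system32\explsore.exe) are the kind of thing a responder triages by rule rather than by eye. The script below is an added example and is not code from this thread, from HijackThis or from BleepingComputer. It parses raw HijackThis O23 lines (the four sample lines are copied from the log in this thread) and scores each service on checks a practitioner would apply by hand: a binary with no version information dropped straight into C:\WINDOWS or system32, a service whose binary is already gone, a file name that is one or two characters away from a core Windows binary, and a service name that borrows a built-in service's name while pointing somewhere other than svchost.exe. The KNOWN_SVCHOST_SERVICES and CRITICAL_BINARIES tables and the point values are the example's own assumptions, not a published list.

```python
"""Triage of HijackThis O23 (service) lines -- added example, not HijackThis code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Four O23 lines copied verbatim from the HijackThis log in this thread.
SAMPLE_O23 = r"""
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Desktop Drivers (TopdeskDriver) - Unknown owner - C:\WINDOWS\system32\explsore.exe (file missing)
O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\WINDOWS\CKsrv.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
"""

# HJT prints: O23 - Service: <display name> (<service key>) - <company> - <image path>
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
NAME_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<name>[^()]+)\))?$")

# Assumed tables (example's own, not an authoritative list).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
CRITICAL_BINARIES = ("explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                     "winlogon.exe", "services.exe", "smss.exe")
# Built-in XP services that are hosted by svchost.exe, never by a standalone EXE.
KNOWN_SVCHOST_SERVICES = ("distributed link tracking", "remote procedure call",
                          "task scheduler", "windows management instrumentation")


@dataclass
class Finding:
    display: str
    name: str
    owner: str
    path: str
    missing: bool
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch typosquats such as explsore.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o23(line: str) -> Optional[Finding]:
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    missing = path.endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].strip()
    n = NAME_RE.match(m["display"])
    return Finding(n["display"], n["name"] or n["display"], m["owner"], path, missing)


def score(f: Finding) -> Finding:
    lower_path = f.path.lower()
    base = lower_path.rsplit("\\", 1)[-1]
    parent = lower_path[: len(lower_path) - len(base)]
    if f.owner == "Unknown owner" and parent in SYSTEM_DIRS:
        f.hit(2, "unversioned binary dropped directly into a Windows system directory")
    if f.missing:
        f.hit(1, "service still registered but its binary is gone")
    for legit in CRITICAL_BINARIES:
        if 0 < levenshtein(base, legit) <= 2:
            f.hit(3, f"binary name {base} is a near-miss of {legit}")
            break
    label = f"{f.display} {f.name}".lower()
    for svc in KNOWN_SVCHOST_SERVICES:
        if svc in label and base != "svchost.exe":
            f.hit(3, f"name mimics the built-in '{svc}' service (svchost-hosted) but points at {base}")
            break
    return f


def triage(log_text: str) -> List[Finding]:
    """Parse every O23 line in an HJT log and return findings, worst first."""
    parsed = (parse_o23(line) for line in log_text.splitlines())
    return sorted((score(f) for f in parsed if f), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_O23):
        print(f"[{f.score}] {f.display} -> {f.path}")
        for why in f.reasons:
            print(f"      - {why}")
```

Run against the sample, the two entries the helper asked about come out on top: explsore.exe scores on all three of "Unknown owner in system32", "file missing" and "two edits from explorer.exe", and CKsrv.exe scores on "Unknown owner in C:\WINDOWS" plus the Distributed Link Tracking name attached to a non-svchost binary. vsmon.exe (Zone Labs, inside its own ZoneLabs folder) and the NTRU TSS daemon under Program Files score zero, which matches the helper leaving them alone. The scores are a triage aid to decide what to ask the user about, not a verdict; the user's answer that the O17 domain is a work domain is exactly the kind of context the script cannot supply.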
#5 Peter E

Peter E
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:30 AM

Posted 25 August 2008 - 07:21 AM

Hello,

Thank you for the support, I will uninstall AVG antivirus after running combofix and hijackthis.

1. Do you recognize the Domain in the following?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\Software\..\Telephony: DomainName = Tactical-Communications-Group.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com

Yes, those are for when I use my laptop at work.

2. Did you enable the Distributed Link Tracking (DLT) Server yourself?

No, I do not believe I have intentionally enabled DLT.

Here are my new logs.

ComboFix 08-08-24.02 - Administrator 2008-08-25 7:55:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1460 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\strategy.txt
C:\WINDOWS\system32\comarshal.dat
C:\WINDOWS\system32\comspring.dat
C:\WINDOWS\system32\fmcvxy.dll.LoG
C:\WINDOWS\system32\gprmsgse.axz
C:\WINDOWS\system32\gscpx32r.det
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\tdffdl.dll.LoG
C:\WINDOWS\system32\tdfhex.dll.LoG

.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-17 17:28 . 2008-08-17 17:28 <DIR> d-------- C:\Program Files\ISO Recorder
2008-08-16 18:20 . 2008-08-17 17:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InfraRecorder
2008-08-16 18:02 . 2008-08-16 18:02 <DIR> d-------- C:\Program Files\CDRTools
2008-08-16 10:40 . 2008-08-16 10:40 <DIR> d-------- C:\Deckard
2008-08-15 13:39 . 2008-08-15 13:39 66,048 --a------ C:\mbr.exe
2008-08-15 08:32 . 2008-08-25 07:59 6,678,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-15 08:32 . 2008-08-25 07:59 77,096 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-15 08:28 . 2008-08-15 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-15 08:28 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-15 08:28 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-08-15 08:28 . 2008-08-15 08:30 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-15 08:27 . 2008-08-15 08:27 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-15 08:24 . 2008-08-25 07:49 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-08-15 00:41 . 2008-08-15 00:41 35,064 --a------ C:\WINDOWS\system32\Band0.exe
2008-08-15 00:38 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-14 18:03 . 2008-08-24 15:42 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 17:52 . 2008-08-24 14:26 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 17:52 . 2008-08-14 17:52 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 17:52 . 2008-08-14 17:52 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 17:52 . 2008-08-14 17:52 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 17:52 . 2008-08-14 17:52 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-14 17:51 . 2008-08-14 17:51 <DIR> d-------- C:\Program Files\AVG
2008-08-14 17:51 . 2008-08-14 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 17:49 . 2008-08-14 17:52 8,192 --a------ C:\Documents and Settings\DREWPI~4.TCG
2008-08-14 17:48 . 2008-08-14 17:48 <DIR> d-------- C:\Program Files\Panda Security
2008-08-14 17:10 . 2008-08-14 17:10 262,144 --a------ C:\Documents and Settings\DREWPI~3.TCG
2008-08-14 15:08 . 2004-08-04 06:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-08-14 15:07 . 2004-08-04 06:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-14 14:23 . 2004-08-04 06:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-08-14 14:23 . 2004-08-04 06:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-08-14 14:23 . 2004-08-04 06:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-08-14 14:23 . 2004-08-04 06:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-08-14 12:44 . 2008-08-14 12:44 1,110 --a------ C:\tmp.dat
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-14 11:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 11:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-14 09:59 . 2004-08-04 06:00 15,360 --a------ C:\WINDOWS\renamed_tm.exe
2008-08-14 00:45 . 2008-08-14 10:57 224,768 --a------ C:\WINDOWS\system32\HtmlPeek.dll
2008-08-14 00:39 . 2008-08-14 06:49 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-08-13 16:59 . 2004-08-04 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-08-13 16:52 . 2008-08-13 16:52 <DIR> d-------- C:\WINDOWS\NV1660352.TMP
2008-08-13 16:44 . 2004-08-04 06:00 1,086,058 -ra------ C:\WINDOWS\SETD7.tmp
2008-08-13 16:44 . 2004-08-04 06:00 1,042,903 -ra------ C:\WINDOWS\SETD4.tmp
2008-08-13 16:44 . 2006-03-30 06:03 22,339 -ra------ C:\WINDOWS\SET11E.tmp
2008-08-13 16:44 . 2004-08-04 06:00 13,753 -ra------ C:\WINDOWS\SETE3.tmp
2008-08-13 16:44 . 2005-03-30 13:54 10,559 -ra------ C:\WINDOWS\SET11F.tmp
2008-08-13 16:44 . 2004-08-04 06:00 7,334 --a--c--- C:\WINDOWS\system32\dllcache\wmerrenu.cat
2008-08-13 12:33 . 2008-08-13 12:33 <DIR> d-------- C:\WINDOWS\dell
2008-08-13 11:58 . 2008-08-13 11:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-13 11:52 . 2008-08-15 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-13 10:49 . 2008-08-13 11:48 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-13 10:42 . 2008-08-13 10:42 262,144 --a------ C:\Documents and Settings\DREWPI~2.TCG
2008-08-13 10:36 . 2008-08-13 10:36 262,144 --a------ C:\Documents and Settings\DREWPI~1.TCG
2008-08-13 09:29 . 2008-08-13 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-13 06:42 . 2008-08-14 00:36 3,762 --a------ C:\WINDOWS\system32\phkxal.key
2008-08-13 04:38 . 2008-08-13 04:38 1 --a------ C:\WINDOWS\system32\0043e6d.ini
2008-08-13 02:21 . 2008-08-13 02:24 692,224 --ahs---- C:\WINDOWS\system32\hhcmd.exe
2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-12 22:41 . 2008-08-13 09:53 15,539 --a------ C:\WINDOWS\system32\typzqs.key
2008-08-12 22:41 . 2008-08-12 22:41 1 --a------ C:\WINDOWS\system32\003682b.ini
2008-08-12 01:22 . 2008-08-12 03:50 106 --a------ C:\WINDOWS\system32\j.i
2008-08-12 01:22 . 2008-08-12 03:50 31 --a------ C:\WINDOWS\system32\nulstart
2008-08-12 01:22 . 2008-08-12 01:22 1 --a------ C:\WINDOWS\system32\0005a7dd.ini
2008-08-11 21:45 . 2008-08-11 21:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-11 21:45 . 2008-08-11 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 21:05 . 2008-08-12 13:45 188 --a------ C:\WINDOWS\system32\pagefiles.sys
2008-08-11 21:04 . 2008-08-14 13:22 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-11 21:04 . 2008-08-11 21:04 384,512 --ah----- C:\WINDOWS\CKsrv.exe
2008-08-08 18:55 . 2008-08-11 11:49 <DIR> d-------- C:\temp\NYC SOS
2008-08-08 18:54 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-08 18:54 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-08 18:54 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-06 10:23 . 2004-08-03 23:04 30,080 --a------ C:\WINDOWS\system32\drivers\rndismpx.sys
2008-08-06 10:23 . 2004-08-03 23:04 12,672 --a------ C:\WINDOWS\system32\drivers\usb8023x.sys
2008-07-31 21:22 . 2008-07-31 21:22 724,984 --a------ C:\Documents and Settings\Administrator\gotomypc_437.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 19:21 --------- d-----w C:\Program Files\UnRar
2008-08-14 18:58 1,663 ----a-w C:\WINDOWS\inf\COMA8.tmp
2008-08-12 15:40 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-12 01:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 14:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-27 22:08 --------- d-----w C:\Program Files\Diablo II
2008-07-24 21:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Bioshock
2008-07-24 14:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-24 14:25 --------- d-----w C:\Program Files\BioShock
2008-07-24 14:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 14:19 --------- d-----w C:\Program Files\VirtualCD
2008-07-24 13:57 --------- d-----w C:\Program Files\GnuWin32
2008-07-22 00:59 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-07-22 00:59 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-07-21 23:43 --------- d-----w C:\Program Files\Warcraft2
2008-07-21 21:53 --------- d-----w C:\Program Files\uTorrent
2008-07-18 16:36 --------- d-----w C:\Program Files\DVDt
2008-07-18 16:36 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-07-15 17:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Trimble Navigation
2008-07-15 13:52 --------- d-----w C:\Program Files\World of Warcraft
2008-03-14 22:11 17,144 ----a-w C:\Documents and Settings\drew pierce\Application Data\GDIPFONTCACHEV1.DAT
2008-02-13 17:01 17,144 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-08-14_13.31.06.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-17 21:28:39 3,638 ----a-r C:\WINDOWS\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
- 2008-01-22 01:17:42 5,200 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-08-16 20:13:39 5,380 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
- 2008-08-13 21:03:17 671,744 ---ha-w C:\WINDOWS\repair\ntuser.dat
+ 2008-08-14 19:07:07 475,136 ---ha-w C:\WINDOWS\repair\ntuser.dat
- 2006-08-16 11:58:05 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
+ 2004-08-04 10:00:00 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
- 2008-06-23 15:38:28 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2006-03-04 03:33:40 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
- 2008-06-23 15:38:29 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2006-03-04 03:33:40 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2008-08-14 17:24:57 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-14 19:12:10 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-14 17:24:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-14 19:12:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-14 19:12:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081420080815\index.dat
- 2008-08-14 17:24:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-14 19:12:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-23 15:38:30 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2006-03-04 03:33:42 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2006-08-16 11:58:05 100,352 -c--a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
+ 2004-08-04 10:00:00 100,352 -c--a-w C:\WINDOWS\system32\dllcache\6to4svc.dll
- 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
+ 2004-08-04 10:00:00 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-08-14 16:42:48 4,224 -c--a-w C:\WINDOWS\system32\dllcache\beep.sys
+ 2004-08-04 10:00:00 4,224 -c--a-w C:\WINDOWS\system32\dllcache\beep.sys
- 2008-06-23 15:38:28 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2006-03-04 03:33:40 1,022,976 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2008-06-23 15:38:29 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2006-03-04 03:33:40 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2008-06-23 15:38:30 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2006-03-04 03:33:42 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2004-08-04 10:00:00 561,179 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2004-08-04 10:00:00 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2008-06-23 15:38:30 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2004-08-04 10:00:00 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-06-23 15:38:30 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2006-03-04 03:33:42 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-07-07 20:32:22 253,952 -c--a-w C:\WINDOWS\system32\dllcache\es.dll
+ 2004-08-04 10:00:00 243,200 -c--a-w C:\WINDOWS\system32\dllcache\es.dll
- 2008-06-23 15:38:30 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2006-03-04 03:33:42 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-06-23 09:49:29 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2006-03-04 00:39:06 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2008-06-23 15:38:31 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2006-03-04 03:33:42 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2008-04-11 18:50:43 683,520 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
+ 2004-08-04 10:00:00 678,400 -c--a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
- 2008-06-23 15:38:31 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2006-03-04 03:33:42 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-12-18 14:40:58 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2004-08-04 10:00:00 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2008-06-23 15:38:31 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2004-08-04 10:00:00 15,872 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-05-01 14:30:33 331,776 -c--a-w C:\WINDOWS\system32\dllcache\msadce.dll
+ 2004-08-04 10:00:00 331,776 -c--a-w C:\WINDOWS\system32\dllcache\msadce.dll
- 2008-06-24 16:23:05 74,240 -c--a-w C:\WINDOWS\system32\dllcache\mscms.dll
+ 2004-08-04 10:00:00 73,728 -c--a-w C:\WINDOWS\system32\dllcache\mscms.dll
- 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2004-08-04 10:00:00 512,029 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2004-08-04 10:00:00 319,517 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2008-06-23 15:38:33 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2006-03-23 17:32:42 3,053,568 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-06-23 15:38:33 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2006-03-04 03:33:44 448,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2004-08-04 10:00:00 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2004-08-04 10:00:00 358,976 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2004-08-04 10:00:00 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2004-08-04 10:00:00 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2004-08-04 10:00:00 241,693 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2004-08-04 10:00:00 213,023 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2004-08-04 10:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2008-06-23 15:38:33 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2006-03-04 03:33:44 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2004-08-04 10:00:00 421,919 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2004-08-04 10:00:00 315,423 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2004-08-04 10:00:00 552,989 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2004-08-04 10:00:00 258,077 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2008-06-23 15:38:33 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2006-03-04 03:33:44 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2004-08-04 10:00:00 831,519 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2008-06-20 17:41:10 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2004-08-04 10:00:00 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2004-08-04 10:00:00 614,429 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2004-08-04 10:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
- 2008-06-23 15:38:33 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2006-03-04 03:33:44 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-05-07 05:18:48 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2004-08-04 10:00:00 1,287,680 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2004-08-04 10:00:00 200,064 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2008-06-23 15:38:34 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2006-03-30 09:16:04 1,492,480 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2008-06-23 15:38:34 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2006-03-04 03:33:44 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2004-08-04 10:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\taskmgr.exe
+ 2004-08-04 10:00:00 135,680 -c--a-w C:\WINDOWS\system32\dllcache\taskmgr.exe
- 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2004-08-04 10:00:00 359,040 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2004-08-04 10:00:00 223,616 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-06-23 15:38:34 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2006-03-18 11:09:38 613,376 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-12-18 14:40:58 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2004-08-04 10:00:00 417,792 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2008-06-23 15:38:34 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2006-03-04 03:33:46 658,432 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2004-08-04 10:00:00 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2008-06-20 10:44:38 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2004-08-04 10:00:00 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2008-08-14 21:52:05 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2008-08-14 16:42:48 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
+ 2004-08-04 10:00:00 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
- 2008-06-13 13:10:50 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
+ 2004-08-04 10:00:00 274,304 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
+ 2007-07-19 19:10:28 127,768 ----a-w C:\WINDOWS\system32\drivers\klif.sys
- 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
+ 2004-08-04 10:00:00 200,064 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
- 2008-06-20 10:45:13 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2004-08-04 10:00:00 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2008-06-20 09:52:06 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
+ 2004-08-04 10:00:00 223,616 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
- 2008-06-23 15:38:30 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2004-08-04 10:00:00 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2008-06-23 15:38:30 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2006-03-04 03:33:42 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2008-08-13 20:58:47 26,500 ----a-w C:\WINDOWS\system32\emptyregdb.dat
+ 2008-08-14 18:58:32 26,500 ----a-w C:\WINDOWS\system32\emptyregdb.dat
- 2008-07-07 20:32:22 253,952 ----a-w C:\WINDOWS\system32\es.dll
+ 2004-08-04 10:00:00 243,200 ----a-w C:\WINDOWS\system32\es.dll
- 2008-06-23 15:38:30 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2006-03-04 03:33:42 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-06-23 15:38:31 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2006-03-04 03:33:42 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2008-04-11 18:50:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2004-08-04 10:00:00 678,400 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2008-06-23 15:38:31 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2006-03-04 03:33:42 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2004-08-04 10:00:00 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2008-06-23 15:38:31 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2004-08-04 10:00:00 15,872 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-07-09 13:05:08 796,048 ----a-w C:\WINDOWS\system32\libeay32_0.9.6l.dll
- 2004-08-04 11:00:00 112,128 ----a-w C:\WINDOWS\system32\mapi32.dll
+ 2004-08-04 10:00:00 112,128 ----a-w C:\WINDOWS\system32\mapi32.dll
- 2008-06-24 16:23:05 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
+ 2004-08-04 10:00:00 73,728 ----a-w C:\WINDOWS\system32\mscms.dll
- 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2004-08-04 10:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2004-08-04 10:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2008-06-23 15:38:33 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2006-03-23 17:32:42 3,053,568 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-06-23 15:38:33 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2006-03-04 03:33:44 448,512 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2004-08-04 10:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2004-08-04 10:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2008-03-27 08:12:54 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
+ 2004-08-04 10:00:00 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
- 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2004-08-04 10:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2004-08-04 10:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2004-08-04 10:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2004-08-04 10:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2008-06-23 15:38:33 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2006-03-04 03:33:44 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2004-08-04 10:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2004-08-04 10:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2004-08-04 10:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2004-08-04 10:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2008-06-23 15:38:33 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2006-03-04 03:33:44 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2004-08-04 10:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2008-06-20 17:41:10 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
+ 2004-08-04 10:00:00 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
- 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2004-08-04 10:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2004-08-04 10:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
- 2008-08-14 16:50:56 90,488 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-15 12:37:57 90,488 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-14 16:50:56 474,210 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-15 12:37:57 474,210 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-23 15:38:33 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2006-03-04 03:33:44 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2008-05-07 05:18:48 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2004-08-04 10:00:00 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
- 2008-06-23 15:38:34 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2006-03-30 09:16:04 1,492,480 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2008-06-23 15:38:34 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2006-03-04 03:33:44 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2004-08-04 10:00:00 15,360 ----a-w C:\WINDOWS\system32\taskmgr.exe
+ 2004-08-04 10:00:00 135,680 ----a-w C:\WINDOWS\system32\taskmgr.exe
- 2008-06-23 15:38:34 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2006-03-18 11:09:38 613,376 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2004-08-04 10:00:00 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2008-07-09 13:05:10 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2008-07-09 13:05:22 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2008-07-09 13:05:10 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2008-07-09 13:05:10 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2008-07-09 13:05:10 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2008-07-09 13:05:10 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2008-07-09 13:05:12 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2008-07-09 13:05:12 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2008-07-09 13:05:12 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll
- 2008-06-23 15:38:34 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2006-03-04 03:33:46 658,432 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2008-07-09 13:05:12 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2008-07-09 13:05:12 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2008-07-09 13:05:06 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-31 04:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 18:47:36 21,568 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 04:03:30 1,628 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2007-05-31 04:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 04:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 04:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 04:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2006-09-20 03:12:14 208,960 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-12-03 18:53:58 282,624 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-19 22:13:52 1,093,632 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 04:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 04:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 04:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 04:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-12-03 18:53:58 139,264 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-19 22:13:52 200,704 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2008-07-09 13:05:06 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 16:35:08 813,568 ----a-w C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2008-07-09 13:05:08 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2008-07-09 13:05:08 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2008-07-09 13:05:08 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2008-07-09 13:05:24 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2008-08-15 13:03:52 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-07-09 13:05:24 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2008-07-09 13:05:24 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-07-09 13:05:24 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-07-09 13:06:26 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2008-07-09 13:06:26 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2008-02-27 07:10:26 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2008-02-27 07:10:28 792,032 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2008-07-09 13:05:08 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2008-01-21 12:34:36 7,603,688 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-02-27 07:10:32 1,504,736 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2008-02-27 07:10:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2008-07-09 13:05:10 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2008-07-09 13:06:26 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2008-07-09 13:06:30 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 00:59:14 503,875 ----a-w C:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-11 20:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2008-07-09 13:05:18 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-01-11 21:31:06 286,787 ----a-w C:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2008-07-09 13:05:10 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2008-07-09 13:05:10 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2008-07-09 13:05:18 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2008-07-09 13:05:10 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2008-07-09 13:05:12 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2008-07-09 13:05:12 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2008-01-21 12:34:36 7,603,688 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2008-07-09 13:05:12 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2008-07-09 13:05:12 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2008-07-09 13:05:14 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2008-07-09 13:05:14 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2008-07-09 13:05:16 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
+ 2008-08-25 12:00:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1c4.dat
+ 2004-08-04 10:00:00 921,088 ----a-w C:\WINDOWS\WinSxS\InstallTemp\80730\comctl32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-04-15 23:49 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-31 17:50 8429568]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-31 17:50 81920]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 16:23 1191936]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 18:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 18:30 974848]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 11:55 92160]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 12:53 218424]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 16:05 282624]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 13:42 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-11-15 14:28 85744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 17:51 1235736]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"nwiz"="nwiz.exe" [2007-05-31 17:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-31 17:50 67584 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 01:26 303104 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
TrayIt!.lnk - C:\Program Files\TrayIt\TrayIt!.exe [2007-07-18 15:57:00 204800]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-21 21:26:50 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 17:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1111\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1308\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1311\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\rti\\waveworks\\ndds.3.0m\\bin\\i86Win32VC60\\nddsManager.exe"=
"C:\\TCG\\TCM\\Link16EthernetController.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 17:52]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2007-09-07 11:57]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 17:52]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 11:46]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 16:21]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 17:51]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 17:52]
R2 NCS;Numega Control Service;C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE [2001-03-15 03:58]
R2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 19:29]
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
R2 WavxDMgr;WavxDMgr;C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 11:55]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 15:01]
R3 WaveFDE;Wave System Power Monitor Device Driver;C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 11:18]
S0 kdkp1wvg4t;kdkp1wvg4t;C:\WINDOWS\system32\drivers\kdkp1wvg4t.sys []
S2 Distributed Link Tracking Srv;TrkWsrv;C:\WINDOWS\CKsrv.exe [2008-08-11 21:04]
S2 hqxgoz;hqxgoz;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S2 IntelChip;Intel Chip Group;C:\WINDOWS\system32\hhcmd.exe [2008-08-13 02:24]
S2 MSSQL$MSSQLESMART;SQL Server (MSSQLESMART);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 05:29]
S2 TopdeskDriver;Desktop Drivers;C:\WINDOWS\system32\explsore.exe []
S3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 14:32]
S3 EraserUtilDrv10820;EraserUtilDrv10820;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys []
S3 mach5;mach5;C:\WINDOWS\system32\mach5.sys [2001-03-15 04:30]
S3 PspKiller;PspKiller;C:\WINDOWS\TEMP\SxKiller.sys []
S3 SbsWdmPcmcia;SBS 1553 PCM2 ASF;C:\WINDOWS\system32\DRIVERS\SbsWdmPcmcia.sys [2005-07-19 18:58]
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 19:39]
S3 WaveEnrollmentService;WaveEnrollmentService;C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 16:31]
S4 AnNDDSManagerService1;AnNDDSManagerService1;C:\TCG\TCM\srvany.exe [1998-11-22 08:09]
S4 AnNDDSManagerServicePlayback;AnNDDSManagerServicePlayback;C:\TCG\TCM\srvany.exe [1998-11-22 08:09]
S4 AVGCenter;AVGCenter;C:\WINDOWS\system32\tcpip.exe []
S4 AVGupdate;AVGupdate;C:\WINDOWS\system32\bmwx6.exe []
S4 INDXQZOG;INDXQZOG;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\INDXQZOG.exe []
S4 NUQAY;NUQAY;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NUQAY.exe []
S4 Windowsidc;Windowsidc;C:\WINDOWS\system32\Se061.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
oqckqz REG_MULTI_SZ oqckqz
hqxgoz REG_MULTI_SZ hqxgoz
iscikf REG_MULTI_SZ iscikf

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{527bc658-3d28-11dd-8c4b-006073eec710}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hcc1d10g.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 08:02:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-08-25 8:06:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 12:06:47
ComboFix2.txt 2008-08-14 17:31:31

Pre-Run: 57,769,148,416 bytes free
Post-Run: 57,904,959,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

604 --- E O F --- 2008-08-23 23:28:46


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:17 AM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\TrayIt\TrayIt!.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about.blank.la?g
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=k3...ea30KBJcWJwZG2U
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: TrayIt!.lnk = C:\Program Files\TrayIt\TrayIt!.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://tcgdc/ProjectServer/objects/pjclient.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://tcgdc/ProjectServer/objects/1033/pjcintl.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file:///V:/Service%20Packs/Visual_Studio_60/Platform%20SDK(Feb%202003)/controls/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\Software\..\Telephony: DomainName = Tactical-Communications-Group.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\WINDOWS\CKsrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel Chip Group (IntelChip) - Unknown owner - C:\WINDOWS\system32\hhcmd.exe
O23 - Service: Numega Control Service (NCS) - Compuware Corporation - NuMega Lab - C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: Desktop Drivers (TopdeskDriver) - Unknown owner - C:\WINDOWS\system32\explsore.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11864 bytes
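As an added example (not code from this thread, from ComboFix or from HijackThis), the Python script below applies to the service and svchost-group lines of the log above the checks a malware-removal helper makes by hand: an empty [] timestamp (binary missing when ComboFix ran), a binary in a Temp folder, an svchost group name Windows does not register, a binary dropped straight into the Windows directory, and a vendor-named service whose binary is not under that vendor's path. The svchost allowlist and the vendor token list are assumptions of the example, and the sample lines are a subset of the log as posted.

```python
"""Triage the service and svchost-group lines of a ComboFix log.

Each rule encodes a check a malware-removal helper makes by hand; the
output is a list of entries to review with reasons, not a removal list.
"""
import ntpath
import re

# Sample input: a subset of the service lines from the ComboFix log in this
# thread, copied as posted.  An empty [] means ComboFix found no file timestamp.
SERVICE_LINES = r"""
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 17:52]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 17:51]
S0 kdkp1wvg4t;kdkp1wvg4t;C:\WINDOWS\system32\drivers\kdkp1wvg4t.sys []
S2 Distributed Link Tracking Srv;TrkWsrv;C:\WINDOWS\CKsrv.exe [2008-08-11 21:04]
S2 hqxgoz;hqxgoz;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S2 TopdeskDriver;Desktop Drivers;C:\WINDOWS\system32\explsore.exe []
S3 EraserUtilDrv10820;EraserUtilDrv10820;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys []
S3 PspKiller;PspKiller;C:\WINDOWS\TEMP\SxKiller.sys []
S4 AVGCenter;AVGCenter;C:\WINDOWS\system32\tcpip.exe []
S4 AVGupdate;AVGupdate;C:\WINDOWS\system32\bmwx6.exe []
S4 INDXQZOG;INDXQZOG;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\INDXQZOG.exe []
S4 NUQAY;NUQAY;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NUQAY.exe []
S4 Windowsidc;Windowsidc;C:\WINDOWS\system32\Se061.exe []
"""

# The svchost group registrations from the same log.
SVCHOST_LINES = r"""
oqckqz REG_MULTI_SZ oqckqz
hqxgoz REG_MULTI_SZ hqxgoz
iscikf REG_MULTI_SZ iscikf
"""

# Group names Windows XP itself registers under the svchost key.  Assumption:
# a short allowlist that covers this log, not the complete set.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
    "imgsvc", "termsvcs", "httpfilter", "wugroup", "localsystemnetworkrestricted",
}

# Vendor names that malware borrows for service names (e.g. "AVGCenter").
VENDOR_TOKENS = ("avg", "symantec", "norton", "mcafee", "kaspersky", "zonealarm")

# Line shape: "S4 AVGCenter;AVGCenter;C:\WINDOWS\system32\tcpip.exe []"
#             start type, name, display name, path, timestamp (may be empty)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[([^\]]*)\]\s*$")
SVCHOST_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")


def parse_service(line):
    """Return a dict for one ComboFix service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, path, stamp = m.groups()
    return {"start": start, "name": name, "display": display, "path": path, "stamp": stamp}


def assess_service(svc):
    """Return the reasons a service deserves a human look (empty list = none)."""
    reasons = []
    name, path = svc["name"].lower(), svc["path"].lower()
    if svc["stamp"] == "":
        reasons.append("binary not present when ComboFix ran (empty [] timestamp)")
    if "\\temp\\" in path:
        reasons.append("binary lives in a Temp folder")
    if ntpath.basename(path) == "svchost.exe" and name not in KNOWN_SVCHOST_GROUPS:
        reasons.append("hosted by svchost.exe under a group name Windows does not register")
    if ntpath.dirname(path) in ("c:\\windows", "c:\\winnt"):
        reasons.append("binary sits directly in the Windows directory")
    for tok in VENDOR_TOKENS:
        if name.startswith(tok) and tok not in path:
            reasons.append(f"named after {tok!r} but its path does not mention {tok!r}")
    return reasons


def triage(service_text=SERVICE_LINES, svchost_text=SVCHOST_LINES):
    """Map suspicious service names to reasons; also list unknown svchost groups."""
    findings = {}
    for line in service_text.splitlines():
        svc = parse_service(line)
        reasons = assess_service(svc) if svc else []
        if reasons:
            findings[svc["name"]] = reasons
    groups = []
    for line in svchost_text.splitlines():
        m = SVCHOST_RE.match(line.strip())
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            groups.append(m.group(1))
    return findings, groups


if __name__ == "__main__":
    findings, groups = triage()
    for name, reasons in findings.items():
        print(f"{name}: " + "; ".join(reasons))
    print("svchost groups to review:", ", ".join(groups))
```

The leftover Symantec EraserUtilDrv10820 entry shows why the output is a review list rather than a removal list: its path is a legitimate product directory and a reviewer would dismiss it.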

#6 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 26 August 2008 - 05:21 AM

Hi,

Thanks for the info about your Domain. Let's proceed with our cleaning process.
I notice there is a sign of a P2P (Person to Person) File Sharing Program on your computer ---> uTorrent
This program allows you to share files from uncertified sources, and always leaves your system infected even if you have a good Anti-Virus and a proper Firewall.
You are well advised to remove it via Add/Remove Programs if this program is still on your system.



Step1

Please go to Jotti's Scan or Virus Total for scanning one suspicious file.
Copy/paste the file path below into the text box next to the Browse button at the top of the page:

C:\WINDOWS\CKsrv.exe

Click the Submit or Send File button, copy the "Scanner results", and paste the contents into your next reply.


Step2
  • Close any open browsers
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Go here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
C:\WINDOWS\system32\Band0.exe
C:\tmp.dat
C:\WINDOWS\renamed_tm.exe
C:\WINDOWS\SETD7.tmp
C:\WINDOWS\SETD4.tmp
C:\WINDOWS\SET11E.tmp
C:\WINDOWS\SETE3.tmp
C:\WINDOWS\SET11F.tmp
C:\WINDOWS\system32\HtmlPeek.dll
C:\WINDOWS\system32\phkxal.key
C:\WINDOWS\system32\0043e6d.ini
C:\WINDOWS\system32\typzqs.key
C:\WINDOWS\system32\003682b.ini
C:\WINDOWS\system32\0005a7dd.ini
C:\WINDOWS\system32\j.i
C:\WINDOWS\system32\nulstart
C:\WINDOWS\inf\COMA8.tmp

DirLook:: 
C:\temp\NYC SOS
C:\WINDOWS\NV1660352.TMP

Driver::
kdkp1wvg4t
TopdeskDriver
PspKiller
AVGCenter
AVGupdate
INDXQZOG
NUQAY
Windowsidc
hqxgoz

NetSvc::
oqckqz
hqxgoz
iscikf

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.




Step3

1. Please run HijackThis! and click "Do a system scan only." Place checks next to the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about.blank.la?g
O23 - Service: Desktop Drivers (TopdeskDriver) - Unknown owner - C:\WINDOWS\system32\explsore.exe (file missing)

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Click Start > Run, copy/paste the following into the Open box, and click OK:

sc delete TopdeskDriver

Reboot your pc.



Step4

Download AVZ4 from here:
Unzip the file and place it on your desktop.
Open the avz4 folder and double-click avz.exe to start the tool.
In the menu at the top, click File, then System Restore, and select the following:

Reset Internet Explorer settings of Protocol Prefixes to default (Choice #2)
Restore Internet Explorer start page (Choice #3)
Reset Internet Explorer search settings to default (Choice #4)


Click the "Execute selected Operations" button below.
Close avz.exe.
Reboot your PC.


Step 5

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.



Step 6

I notice you may have installed Malwarebytes' Anti-Malware on your system. Please rescan your computer with MBAM.
You can consult the MBAM settings in the following if you need them.

Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Copy & paste the entire report in your next reply.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




In your next reply, please post back:

1. Jotti's Scan Report
2. ComboFix.txt
3. MBAM log
4. New HJT log


Tell me how things are going now.
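The helper above asks for ComboFix.txt and then reads its "Files Created" section by eye. The script below is an added example, not code from this thread or from ComboFix: it parses lines in that section's layout and flags executables carrying hidden/system attributes or names one edit away from a real Windows binary, the two patterns the log later in this thread shows (ctfmons.exe beside the genuine ctfmon.exe, CKsrv.exe with --ah-----). The sample lines are copied from that log; the line regex and the heuristics are my assumptions about the format, and a hit only means the file deserves a closer look, not that it is malware.

```python
"""Triage helper for the "Files Created" section of a ComboFix log.

Added example, not part of this thread or of ComboFix. The line layout and
the heuristics are assumptions drawn from the log shown in the thread; a hit
means "look at this by hand", not "this is malware".
"""
import re

# One "Files Created" line:  <created> . <modified> <size|<DIR>> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-zA-Z]{9}) (?P<path>.+)$"
)

# Windows binaries that malware imitates by a one-letter change
# (the thread's log has ctfmons.exe next to the real ctfmon.exe).
KNOWN_SYSTEM_NAMES = ("ctfmon.exe", "explorer.exe", "svchost.exe", "lsass.exe",
                      "csrss.exe", "winlogon.exe", "services.exe", "spoolsv.exe")
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")

# Constructed sample: six lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-26 09:17 . 2008-08-26 09:17 151,040 --a------ C:\WINDOWS\system32\ctfmons.exe
2008-08-17 17:28 . 2008-08-17 17:28 <DIR> d-------- C:\Program Files\ISO Recorder
2008-08-15 08:32 . 2008-08-26 09:35 6,678,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-14 17:52 . 2008-08-14 17:52 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-13 02:21 . 2008-08-13 02:24 692,224 --ahs---- C:\WINDOWS\system32\hhcmd.exe
2008-08-11 21:04 . 2008-08-11 21:04 384,512 --ah----- C:\WINDOWS\CKsrv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
"""


def parse_line(line):
    """Parse one "Files Created" line; return None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["is_dir"] = e["size"] == "<DIR>"
    e["size"] = None if e["is_dir"] else int(e["size"].replace(",", ""))
    e["hidden"] = "h" in e["attrs"]          # ComboFix attribute column: h = hidden
    e["system"] = "s" in e["attrs"]          #                            s = system
    e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
    return e


def edit_distance(a, b):
    """Levenshtein distance by the classic row-by-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flags_for(entry):
    """Heuristic reasons to inspect an entry; an empty list means nothing stood out."""
    reasons = []
    if entry["is_dir"]:
        return reasons
    if entry["name"].endswith(EXEC_EXT) and (entry["hidden"] or entry["system"]):
        reasons.append(f"executable with hidden/system attribute ({entry['attrs']})")
    for known in KNOWN_SYSTEM_NAMES:
        if 0 < edit_distance(entry["name"], known) <= 1:
            reasons.append(f"name is one edit away from {known}")
    return reasons


def triage(log_text):
    """Return [(path, reasons)] for flagged entries in the "Files Created" section."""
    hits, in_section = [], False
    for line in log_text.splitlines():
        if "Files Created" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # next ComboFix section; its lines use a different layout
        if not in_section:
            continue
        entry = parse_line(line)
        if entry:
            reasons = flags_for(entry)
            if reasons:
                hits.append((entry["path"], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, fidbox.dat and avgldx86.sys (ZoneAlarm and AVG components) pass untouched while the three files the helper later targets are listed with the reason each was flagged.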

#7 Peter E

Peter E
  • Topic Starter
  • Members
  • 12 posts

Posted 26 August 2008 - 09:19 AM

Hello and thank you again for the advice.

All of the steps seemed to be successful but it looks like the CKsrv file is infected... here are my logs


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

Scan taken on 26 Aug 2008 14:01:02 (GMT)
A-Squared
Found nothing
AntiVir
Found BDS/Backdoor.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found BackDoor.Pigeon.14016
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found Trojan.Buzus.iij
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably a variant of Win32/Genetik (probable variant)
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Sus/Behav-239 (probable variant)
VirusBuster
Found nothing
VBA32
Found Backdoor.Win32.Hupigon.dfgq



ComboFix.txt

ComboFix 08-08-24.02 - Administrator 2008-08-26 9:29:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1473 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\tmp.dat
C:\WINDOWS\inf\COMA8.tmp
C:\WINDOWS\renamed_tm.exe
C:\WINDOWS\SET11E.tmp
C:\WINDOWS\SET11F.tmp
C:\WINDOWS\SETD4.tmp
C:\WINDOWS\SETD7.tmp
C:\WINDOWS\SETE3.tmp
C:\WINDOWS\system32\0005a7dd.ini
C:\WINDOWS\system32\003682b.ini
C:\WINDOWS\system32\0043e6d.ini
C:\WINDOWS\system32\Band0.exe
C:\WINDOWS\system32\HtmlPeek.dll
C:\WINDOWS\system32\j.i
C:\WINDOWS\system32\nulstart
C:\WINDOWS\system32\phkxal.key
C:\WINDOWS\system32\typzqs.key
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\tmp.dat
C:\WINDOWS\inf\COMA8.tmp
C:\WINDOWS\renamed_tm.exe
C:\WINDOWS\SET11E.tmp
C:\WINDOWS\SET11F.tmp
C:\WINDOWS\SETD4.tmp
C:\WINDOWS\SETD7.tmp
C:\WINDOWS\SETE3.tmp
C:\WINDOWS\system32\0005a7dd.ini
C:\WINDOWS\system32\003682b.ini
C:\WINDOWS\system32\0043e6d.ini
C:\WINDOWS\system32\Band0.exe
C:\WINDOWS\system32\comarshal.dat
C:\WINDOWS\system32\comspring.dat
C:\WINDOWS\system32\HtmlPeek.dll
C:\WINDOWS\system32\j.i
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\nulstart
C:\WINDOWS\system32\phkxal.key
C:\WINDOWS\system32\typzqs.key

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVGCENTER
-------\Legacy_AVGUPDATE
-------\Legacy_HQXGOZ
-------\Legacy_INDXQZOG
-------\Legacy_NUQAY
-------\Legacy_PSPKILLER
-------\Legacy_TOPDESKDRIVER
-------\Legacy_WINDOWSIDC
-------\Service_AVGCenter
-------\Service_AVGupdate
-------\Service_hqxgoz
-------\Service_INDXQZOG
-------\Service_kdkp1wvg4t
-------\Service_NUQAY
-------\Service_PspKiller
-------\Service_TopdeskDriver
-------\Service_Windowsidc


((((((((((((((((((((((((( Files Created from 2008-07-26 to 2008-08-26 )))))))))))))))))))))))))))))))
.

2008-08-26 09:17 . 2008-08-26 09:17 151,040 --a------ C:\WINDOWS\system32\ctfmons.exe
2008-08-17 17:28 . 2008-08-17 17:28 <DIR> d-------- C:\Program Files\ISO Recorder
2008-08-16 18:20 . 2008-08-17 17:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InfraRecorder
2008-08-16 18:02 . 2008-08-16 18:02 <DIR> d-------- C:\Program Files\CDRTools
2008-08-16 10:40 . 2008-08-16 10:40 <DIR> d-------- C:\Deckard
2008-08-15 13:39 . 2008-08-15 13:39 66,048 --a------ C:\mbr.exe
2008-08-15 08:32 . 2008-08-26 09:35 6,678,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-15 08:32 . 2008-08-26 09:35 78,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-15 08:28 . 2008-08-15 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-15 08:28 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-15 08:28 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-08-15 08:28 . 2008-08-15 08:30 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-15 08:27 . 2008-08-15 08:27 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-15 08:24 . 2008-08-26 09:24 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-08-15 00:38 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-14 18:03 . 2008-08-26 09:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 17:52 . 2008-08-26 09:39 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 17:52 . 2008-08-14 17:52 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 17:52 . 2008-08-14 17:52 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 17:52 . 2008-08-14 17:52 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 17:52 . 2008-08-14 17:52 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-14 17:51 . 2008-08-14 17:51 <DIR> d-------- C:\Program Files\AVG
2008-08-14 17:51 . 2008-08-14 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 17:49 . 2008-08-14 17:52 8,192 --a------ C:\Documents and Settings\DREWPI~4.TCG
2008-08-14 17:48 . 2008-08-14 17:48 <DIR> d-------- C:\Program Files\Panda Security
2008-08-14 17:10 . 2008-08-14 17:10 262,144 --a------ C:\Documents and Settings\DREWPI~3.TCG
2008-08-14 15:08 . 2004-08-04 06:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-08-14 15:07 . 2004-08-04 06:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-14 14:23 . 2004-08-04 06:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-08-14 14:23 . 2004-08-04 06:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-08-14 14:23 . 2004-08-04 06:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-08-14 14:23 . 2004-08-04 06:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-14 11:01 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 11:01 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-14 00:39 . 2008-08-14 06:49 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-08-13 16:59 . 2004-08-04 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-08-13 16:52 . 2008-08-13 16:52 <DIR> d-------- C:\WINDOWS\NV1660352.TMP
2008-08-13 16:44 . 2004-08-04 06:00 7,334 --a--c--- C:\WINDOWS\system32\dllcache\wmerrenu.cat
2008-08-13 12:33 . 2008-08-13 12:33 <DIR> d-------- C:\WINDOWS\dell
2008-08-13 11:58 . 2008-08-13 11:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-13 11:52 . 2008-08-15 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-13 10:49 . 2008-08-13 11:48 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-13 10:42 . 2008-08-13 10:42 262,144 --a------ C:\Documents and Settings\DREWPI~2.TCG
2008-08-13 10:36 . 2008-08-13 10:36 262,144 --a------ C:\Documents and Settings\DREWPI~1.TCG
2008-08-13 09:29 . 2008-08-13 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-13 02:21 . 2008-08-13 02:24 692,224 --ahs---- C:\WINDOWS\system32\hhcmd.exe
2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 21:45 . 2008-08-11 21:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-11 21:45 . 2008-08-11 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 21:05 . 2008-08-12 13:45 188 --a------ C:\WINDOWS\system32\pagefiles.sys
2008-08-11 21:04 . 2008-08-14 13:22 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-11 21:04 . 2008-08-11 21:04 384,512 --ah----- C:\WINDOWS\CKsrv.exe
2008-08-08 18:55 . 2008-08-11 11:49 <DIR> d-------- C:\temp\NYC SOS
2008-08-08 18:54 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-08 18:54 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-08 18:54 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-06 10:23 . 2004-08-03 23:04 30,080 --a------ C:\WINDOWS\system32\drivers\rndismpx.sys
2008-08-06 10:23 . 2004-08-03 23:04 12,672 --a------ C:\WINDOWS\system32\drivers\usb8023x.sys
2008-07-31 21:22 . 2008-07-31 21:22 724,984 --a------ C:\Documents and Settings\Administrator\gotomypc_437.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 19:21 --------- d-----w C:\Program Files\UnRar
2008-08-12 15:40 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-12 01:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 14:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-27 22:08 --------- d-----w C:\Program Files\Diablo II
2008-07-24 21:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Bioshock
2008-07-24 14:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-24 14:25 --------- d-----w C:\Program Files\BioShock
2008-07-24 14:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 14:19 --------- d-----w C:\Program Files\VirtualCD
2008-07-24 13:57 --------- d-----w C:\Program Files\GnuWin32
2008-07-22 01:08 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-07-22 01:08 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-07-22 01:08 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-07-22 00:59 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-07-22 00:59 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-07-21 23:43 --------- d-----w C:\Program Files\Warcraft2
2008-07-21 21:53 --------- d-----w C:\Program Files\uTorrent
2008-07-18 16:36 --------- d-----w C:\Program Files\DVDt
2008-07-18 16:36 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-07-15 17:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Trimble Navigation
2008-07-15 13:52 --------- d-----w C:\Program Files\World of Warcraft
2008-07-09 13:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-14 22:11 17,144 ----a-w C:\Documents and Settings\drew pierce\Application Data\GDIPFONTCACHEV1.DAT
2008-02-13 17:01 17,144 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\temp\NYC SOS ----

2008-08-13 18:18 566784 --ahs---- C:\temp\NYC SOS\Thumbs.db
2007-08-04 01:17 4639766 --a------ C:\temp\NYC SOS\IMG_1888.jpg
2007-08-04 01:17 4382777 --a------ C:\temp\NYC SOS\IMG_1889.jpg
2007-08-04 01:17 4042492 --a------ C:\temp\NYC SOS\IMG_1887.jpg
2007-08-04 01:17 3785602 --a------ C:\temp\NYC SOS\IMG_1890.jpg
2007-08-04 01:15 4245519 --a------ C:\temp\NYC SOS\IMG_1886.jpg
2007-08-04 01:14 4712717 --a------ C:\temp\NYC SOS\IMG_1882.jpg
2007-08-04 01:14 4472970 --a------ C:\temp\NYC SOS\IMG_1885.jpg
2007-08-04 01:14 4383830 --a------ C:\temp\NYC SOS\IMG_1884.jpg
2007-08-04 01:14 4071631 --a------ C:\temp\NYC SOS\IMG_1883.jpg
2007-08-04 01:13 4489646 --a------ C:\temp\NYC SOS\IMG_1879.jpg
2007-08-04 01:13 3951518 --a------ C:\temp\NYC SOS\IMG_1881.jpg
2007-08-04 01:13 3632460 --a------ C:\temp\NYC SOS\IMG_1880.jpg
2007-08-04 01:13 3574627 --a------ C:\temp\NYC SOS\IMG_1878.jpg
2007-08-04 01:12 4244489 --a------ C:\temp\NYC SOS\IMG_1875.jpg
2007-08-04 01:12 3744560 --a------ C:\temp\NYC SOS\IMG_1876.jpg
2007-08-04 01:11 3344278 --a------ C:\temp\NYC SOS\IMG_1873.jpg
2007-08-04 01:11 3180836 --a------ C:\temp\NYC SOS\IMG_1874.jpg
2007-08-04 01:10 2989675 --a------ C:\temp\NYC SOS\IMG_1872.jpg
2007-08-04 01:10 2622104 --a------ C:\temp\NYC SOS\IMG_1871.jpg
2007-08-04 01:06 3529697 --a------ C:\temp\NYC SOS\IMG_1868.jpg
2007-08-04 01:06 3319779 --a------ C:\temp\NYC SOS\IMG_1869.jpg
2007-08-04 01:06 2935058 --a------ C:\temp\NYC SOS\IMG_1870.jpg
2007-08-04 01:05 3296147 --a------ C:\temp\NYC SOS\IMG_1866.jpg
2007-08-04 01:05 2717740 --a------ C:\temp\NYC SOS\IMG_1867.jpg
2007-08-04 00:44 3735030 --a------ C:\temp\NYC SOS\IMG_1865.jpg
2007-08-04 00:44 3121698 --a------ C:\temp\NYC SOS\IMG_1864.jpg
2007-08-04 00:34 4379338 --a------ C:\temp\NYC SOS\IMG_1863.jpg
2007-08-04 00:34 3611801 --a------ C:\temp\NYC SOS\IMG_1862.jpg
2007-08-04 00:33 3738377 --a------ C:\temp\NYC SOS\IMG_1861.jpg
2007-08-04 00:33 3652176 --a------ C:\temp\NYC SOS\IMG_1859.jpg
2007-08-04 00:33 3163465 --a------ C:\temp\NYC SOS\IMG_1860.jpg
2007-08-04 00:32 3809728 --a------ C:\temp\NYC SOS\IMG_1858.jpg
2007-08-04 00:31 3604392 --a------ C:\temp\NYC SOS\IMG_1857.jpg
2007-08-04 00:31 3410274 --a------ C:\temp\NYC SOS\IMG_1855.jpg
2007-08-04 00:31 3207264 --a------ C:\temp\NYC SOS\IMG_1856.jpg
2007-08-04 00:30 3895901 --a------ C:\temp\NYC SOS\IMG_1854.jpg
2007-08-04 00:29 4183555 --a------ C:\temp\NYC SOS\IMG_1852.jpg
2007-08-04 00:29 3084763 --a------ C:\temp\NYC SOS\IMG_1853.jpg
2007-08-04 00:28 3881232 --a------ C:\temp\NYC SOS\IMG_1850.jpg
2007-08-04 00:28 3584590 --a------ C:\temp\NYC SOS\IMG_1849.jpg
2007-08-04 00:28 3560194 --a------ C:\temp\NYC SOS\IMG_1848.jpg
2007-08-04 00:27 3542581 --a------ C:\temp\NYC SOS\IMG_1846.jpg
2007-08-04 00:27 2858303 --a------ C:\temp\NYC SOS\IMG_1847.jpg
2007-08-03 23:58 3598825 --a------ C:\temp\NYC SOS\IMG_1843.jpg
2007-08-03 23:58 3407504 --a------ C:\temp\NYC SOS\IMG_1844.jpg
2007-08-03 23:57 3294384 --a------ C:\temp\NYC SOS\IMG_1842.jpg
2007-08-03 20:19 3049865 --a------ C:\temp\NYC SOS\IMG_1840.jpg
2007-08-03 20:18 3586404 --a------ C:\temp\NYC SOS\IMG_1838.jpg
2007-08-03 20:17 3813937 --a------ C:\temp\NYC SOS\IMG_1836.jpg
2007-08-03 20:17 3649988 --a------ C:\temp\NYC SOS\IMG_1837.jpg
2007-08-03 19:54 4049914 --a------ C:\temp\NYC SOS\IMG_1835.jpg
2007-08-03 19:43 81329260 --a------ C:\temp\NYC SOS\MVI_1834.avi
2007-08-03 19:43 3461192 --a------ C:\temp\NYC SOS\IMG_1833.jpg
2007-08-03 19:42 3870210 --a------ C:\temp\NYC SOS\IMG_1832.jpg
2007-08-03 19:42 3859852 --a------ C:\temp\NYC SOS\IMG_1830.jpg
2007-08-03 19:41 3757321 --a------ C:\temp\NYC SOS\IMG_1829.jpg
2007-08-03 19:18 3841247 --a------ C:\temp\NYC SOS\IMG_1827.jpg
2007-08-03 19:18 3744987 --a------ C:\temp\NYC SOS\IMG_1828.jpg
2007-08-03 19:12 3371710 --a------ C:\temp\NYC SOS\IMG_1826.jpg
2007-08-03 19:11 4028726 --a------ C:\temp\NYC SOS\IMG_1823.jpg
2007-08-03 19:11 3056553 --a------ C:\temp\NYC SOS\IMG_1825.jpg
2007-08-03 19:09 3792289 --a------ C:\temp\NYC SOS\IMG_1822.jpg
2007-08-03 19:09 3764820 --a------ C:\temp\NYC SOS\IMG_1821.jpg
2007-08-03 19:09 3608495 --a------ C:\temp\NYC SOS\IMG_1820.jpg
2007-08-03 19:07 3759005 --a------ C:\temp\NYC SOS\IMG_1817.jpg
2007-08-03 19:07 3750999 --a------ C:\temp\NYC SOS\IMG_1816.jpg
2007-08-03 19:03 3797239 --a------ C:\temp\NYC SOS\IMG_1815.jpg
2007-08-03 19:02 3725518 --a------ C:\temp\NYC SOS\IMG_1812.jpg
2007-08-03 19:02 3449230 --a------ C:\temp\NYC SOS\IMG_1813.jpg
2007-08-03 18:58 3631986 --a------ C:\temp\NYC SOS\IMG_1808.jpg
2007-08-03 18:57 3628386 --a------ C:\temp\NYC SOS\IMG_1805.jpg
2007-08-03 18:57 3562138 --a------ C:\temp\NYC SOS\IMG_1806.jpg
2007-08-03 18:56 3670218 --a------ C:\temp\NYC SOS\IMG_1802.jpg
2007-08-03 18:56 3118203 --a------ C:\temp\NYC SOS\IMG_1803.jpg
2007-08-03 18:55 3891502 --a------ C:\temp\NYC SOS\IMG_1800.jpg
2007-08-03 18:54 3526450 --a------ C:\temp\NYC SOS\IMG_1799.jpg
2007-08-03 18:54 3367053 --a------ C:\temp\NYC SOS\IMG_1798.jpg
2007-08-03 18:53 3565606 --a------ C:\temp\NYC SOS\IMG_1797.jpg
2007-08-03 18:52 3639264 --a------ C:\temp\NYC SOS\IMG_1795.jpg
2007-08-03 18:52 3532246 --a------ C:\temp\NYC SOS\IMG_1796.jpg
2007-08-03 18:51 4002527 --a------ C:\temp\NYC SOS\IMG_1794.jpg
2007-08-03 18:50 3980794 --a------ C:\temp\NYC SOS\IMG_1793.jpg
2007-08-03 18:48 53918140 --a------ C:\temp\NYC SOS\MVI_1792.avi
2007-08-03 18:41 4399314 --a------ C:\temp\NYC SOS\IMG_1790.jpg
2007-08-03 18:41 4263364 --a------ C:\temp\NYC SOS\IMG_1791.jpg
2007-08-03 18:40 4155008 --a------ C:\temp\NYC SOS\IMG_1787.jpg
2007-08-03 18:40 4149548 --a------ C:\temp\NYC SOS\IMG_1788.jpg
2007-08-03 18:40 3695056 --a------ C:\temp\NYC SOS\IMG_1789.jpg
2007-08-03 18:39 4225777 --a------ C:\temp\NYC SOS\IMG_1784.jpg
2007-08-03 18:39 3853491 --a------ C:\temp\NYC SOS\IMG_1785.jpg
2007-08-03 18:39 3748399 --a------ C:\temp\NYC SOS\IMG_1786.jpg
2007-08-03 18:28 3905770 --a------ C:\temp\NYC SOS\IMG_1783.jpg
2007-08-03 18:28 3577951 --a------ C:\temp\NYC SOS\IMG_1782.jpg
2007-08-03 18:26 3498641 --a------ C:\temp\NYC SOS\IMG_1781.jpg
2007-08-03 18:24 57954196 --a------ C:\temp\NYC SOS\MVI_1780.avi
2007-08-03 18:19 2983192 --a------ C:\temp\NYC SOS\IMG_1779.jpg
2007-08-03 18:15 2888233 --a------ C:\temp\NYC SOS\IMG_1778.jpg
2007-08-03 18:13 3461174 --a------ C:\temp\NYC SOS\IMG_1775.jpg
2007-08-03 18:13 3334562 --a------ C:\temp\NYC SOS\IMG_1777.jpg
2007-08-03 18:13 3229158 --a------ C:\temp\NYC SOS\IMG_1776.jpg
2007-08-03 17:38 3358420 --a------ C:\temp\NYC SOS\IMG_1774.jpg
2007-08-03 17:36 3036536 --a------ C:\temp\NYC SOS\IMG_1773.jpg
2007-08-03 17:36 2814661 --a------ C:\temp\NYC SOS\IMG_1772.jpg
2007-08-03 17:31 3535002 --a------ C:\temp\NYC SOS\IMG_1771.jpg
2007-08-03 17:29 3600654 --a------ C:\temp\NYC SOS\IMG_1770.jpg
2007-08-03 17:29 3515332 --a------ C:\temp\NYC SOS\IMG_1769.jpg
2007-08-03 17:28 3786273 --a------ C:\temp\NYC SOS\IMG_1766.jpg
2007-08-03 17:28 3334813 --a------ C:\temp\NYC SOS\IMG_1768.jpg
2007-08-03 17:28 3200359 --a------ C:\temp\NYC SOS\IMG_1767.jpg
2007-08-03 17:27 3682988 --a------ C:\temp\NYC SOS\IMG_1764.jpg
2007-08-03 17:27 3176938 --a------ C:\temp\NYC SOS\IMG_1765.jpg
2007-08-03 16:42 2729580 --a------ C:\temp\NYC SOS\IMG_1763.jpg
2007-08-03 16:41 2633116 --a------ C:\temp\NYC SOS\IMG_1762.jpg
2007-08-03 16:40 3250948 --a------ C:\temp\NYC SOS\IMG_1760.jpg
2007-08-03 16:40 2937945 --a------ C:\temp\NYC SOS\IMG_1761.jpg
2007-08-03 16:39 3143825 --a------ C:\temp\NYC SOS\IMG_1759.jpg
2007-08-03 16:39 2938493 --a------ C:\temp\NYC SOS\IMG_1758.jpg
2007-08-02 22:19 3426205 --a------ C:\temp\NYC SOS\IMG_1756.jpg
2007-08-02 22:19 3405925 --a------ C:\temp\NYC SOS\IMG_1757.jpg
2007-08-02 19:17 4214504 --a------ C:\temp\NYC SOS\IMG_1755.jpg
2007-08-02 19:17 3607234 --a------ C:\temp\NYC SOS\IMG_1754.jpg
2007-08-02 19:16 3933021 --a------ C:\temp\NYC SOS\IMG_1753.jpg
2007-08-02 19:16 3811171 --a------ C:\temp\NYC SOS\IMG_1752.jpg
2007-08-02 19:16 24158138 --a------ C:\temp\NYC SOS\MVI_1751.avi
2007-08-02 19:08 32329076 --a------ C:\temp\NYC SOS\MVI_1750.avi
2007-08-02 19:08 22827614 --a------ C:\temp\NYC SOS\MVI_1749.avi
2007-08-02 19:06 3628816 --a------ C:\temp\NYC SOS\IMG_1748.jpg
2007-08-02 19:06 3137695 --a------ C:\temp\NYC SOS\IMG_1747.jpg
2007-08-02 19:05 4417399 --a------ C:\temp\NYC SOS\IMG_1745.jpg
2007-08-02 19:05 4090909 --a------ C:\temp\NYC SOS\IMG_1746.jpg
2007-08-02 19:05 3164821 --a------ C:\temp\NYC SOS\IMG_1744.jpg
2007-08-02 19:05 2878577 --a------ C:\temp\NYC SOS\IMG_1743.jpg
2007-08-02 19:05 2598822 --a------ C:\temp\NYC SOS\IMG_1742.jpg
2007-08-02 19:04 22397414 --a------ C:\temp\NYC SOS\MVI_1741.avi
2007-08-02 19:03 30190232 --a------ C:\temp\NYC SOS\MVI_1740.avi
2007-08-02 19:03 27854438 --a------ C:\temp\NYC SOS\MVI_1739.avi
2007-08-02 18:49 34307092 --a------ C:\temp\NYC SOS\MVI_1738.avi
2007-08-02 18:49 2663975 --a------ C:\temp\NYC SOS\IMG_1737.jpg
2007-08-02 18:46 73009178 --a------ C:\temp\NYC SOS\MVI_1736.avi
2007-08-02 18:27 4949983 --a------ C:\temp\NYC SOS\IMG_1735.jpg
2007-08-02 18:15 3672269 --a------ C:\temp\NYC SOS\IMG_1734.jpg
2007-08-02 18:14 3563215 --a------ C:\temp\NYC SOS\IMG_1733.jpg
2007-08-02 18:14 2915619 --a------ C:\temp\NYC SOS\IMG_1732.jpg
2007-08-02 10:17 76772980 --a------ C:\temp\NYC SOS\MVI_1731.avi

---- Directory of C:\WINDOWS\NV1660352.TMP ----

2007-05-31 17:50 90934 --a------ C:\WINDOWS\NV1660352.TMP\nv3d.chm
2007-05-31 17:50 815104 --a------ C:\WINDOWS\NV1660352.TMP\nvcplui.exe
2007-05-31 17:50 79786 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpzhc.hlp
2007-05-31 17:50 76236 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpzht.hlp
2007-05-31 17:50 73728 --a------ C:\WINDOWS\NV1660352.TMP\nvtuicpl.cpl
2007-05-31 17:50 73728 --a------ C:\WINDOWS\NV1660352.TMP\nvcpl.cpl
2007-05-31 17:50 67584 --a------ C:\WINDOWS\NV1660352.TMP\nvhotkey.dll
2007-05-31 17:50 63426 --a------ C:\WINDOWS\NV1660352.TMP\nvwcppl.hlp
2007-05-31 17:50 60795 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpde.hlp
2007-05-31 17:50 60345 --a------ C:\WINDOWS\NV1660352.TMP\nvmobjpn.chm
2007-05-31 17:50 59626 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpfr.hlp
2007-05-31 17:50 59203 --a------ C:\WINDOWS\NV1660352.TMP\nvmobcht.chm
2007-05-31 17:50 59167 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpru.hlp
2007-05-31 17:50 58967 --a------ C:\WINDOWS\NV1660352.TMP\nvmobkor.chm
2007-05-31 17:50 58928 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpptb.hlp
2007-05-31 17:50 58163 --a------ C:\WINDOWS\NV1660352.TMP\nvmobchs.chm
2007-05-31 17:50 57372 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpit.hlp
2007-05-31 17:50 57351 --a------ C:\WINDOWS\NV1660352.TMP\nvmobrus.chm
2007-05-31 17:50 57239 --a------ C:\WINDOWS\NV1660352.TMP\nvmobplk.chm
2007-05-31 17:50 57161 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpes.hlp
2007-05-31 17:50 56039 --a------ C:\WINDOWS\NV1660352.TMP\nvmobita.chm
2007-05-31 17:50 56005 --a------ C:\WINDOWS\NV1660352.TMP\nvmobdeu.chm
2007-05-31 17:50 55656 --a------ C:\WINDOWS\NV1660352.TMP\nvmobptb.chm
2007-05-31 17:50 55619 --a------ C:\WINDOWS\NV1660352.TMP\nvmobesn.chm
2007-05-31 17:50 55607 --a------ C:\WINDOWS\NV1660352.TMP\nvmobfra.chm
2007-05-31 17:50 54994 --a------ C:\WINDOWS\NV1660352.TMP\nvmob.chm
2007-05-31 17:50 53768 --a------ C:\WINDOWS\NV1660352.TMP\default.tvp
2007-05-31 17:50 466944 --a------ C:\WINDOWS\NV1660352.TMP\nvshell.dll
2007-05-31 17:50 45056 --a------ C:\WINDOWS\NV1660352.TMP\nvmccsrs.dll
2007-05-31 17:50 442368 --a------ C:\WINDOWS\NV1660352.TMP\nvappbar.exe
2007-05-31 17:50 425984 --a------ C:\WINDOWS\NV1660352.TMP\keystone.exe
2007-05-31 17:50 335872 --a------ C:\WINDOWS\NV1660352.TMP\nvwrses.dll
2007-05-31 17:50 328082 --a------ C:\WINDOWS\NV1660352.TMP\nvcpja.hlp
2007-05-31 17:50 327680 --a------ C:\WINDOWS\NV1660352.TMP\nvwrsfr.dll
2007-05-31 17:50 323584 --a------ C:\WINDOWS\NV1660352.TMP\nvwrsit.dll
2007-05-31 17:50 319488 --a------ C:\WINDOWS\NV1660352.TMP\nvwrsptb.dll
2007-05-31 17:50 318321 --a------ C:\WINDOWS\NV1660352.TMP\nvcpko.hlp
2007-05-31 17:50 315392 --a------ C:\WINDOWS\NV1660352.TMP\nvwrsru.dll
2007-05-31 17:50 311296 --a------ C:\WINDOWS\NV1660352.TMP\nvwrsde.dll
2007-05-31 17:50 307200 --a------ C:\WINDOWS\NV1660352.TMP\nvexpbar.dll
2007-05-31 17:50 294912 --a------ C:\WINDOWS\NV1660352.TMP\nvwrspl.dll
2007-05-31 17:50 287274 --a------ C:\WINDOWS\NV1660352.TMP\nvcpzhc.hlp
2007-05-31 17:50 282624 --a------ C:\WINDOWS\NV1660352.TMP\nvrsfr.dll
2007-05-31 17:50 282624 --a------ C:\WINDOWS\NV1660352.TMP\nvrses.dll
2007-05-31 17:50 280018 --a------ C:\WINDOWS\NV1660352.TMP\nvcpzht.hlp
2007-05-31 17:50 278528 --a------ C:\WINDOWS\NV1660352.TMP\nvrsit.dll
2007-05-31 17:50 278528 --a------ C:\WINDOWS\NV1660352.TMP\nvrsde.dll
2007-05-31 17:50 266240 --a------ C:\WINDOWS\NV1660352.TMP\nvrsru.dll
2007-05-31 17:50 266240 --a------ C:\WINDOWS\NV1660352.TMP\nvrsptb.dll
2007-05-31 17:50 266240 --a------ C:\WINDOWS\NV1660352.TMP\nvrsja.dll
2007-05-31 17:50 262144 --a------ C:\WINDOWS\NV1660352.TMP\nvrsko.dll
2007-05-31 17:50 253952 --a------ C:\WINDOWS\NV1660352.TMP\nvrspl.dll
2007-05-31 17:50 247456 --a------ C:\WINDOWS\NV1660352.TMP\nvdspjpn.chm
2007-05-31 17:50 227796 --a------ C:\WINDOWS\NV1660352.TMP\nvdspkor.chm
2007-05-31 17:50 225280 --a------ C:\WINDOWS\NV1660352.TMP\nvrszhc.dll
2007-05-31 17:50 222496 --a------ C:\WINDOWS\NV1660352.TMP\nvdspcht.chm
2007-05-31 17:50 219826 --a------ C:\WINDOWS\NV1660352.TMP\nvdspchs.chm
2007-05-31 17:50 212992 --a------ C:\WINDOWS\NV1660352.TMP\nvwrsja.dll
2007-05-31 17:50 210531 --a------ C:\WINDOWS\NV1660352.TMP\nvdsprus.chm
2007-05-31 17:50 210503 --a------ C:\WINDOWS\NV1660352.TMP\nvdspplk.chm
2007-05-31 17:50 203085 --a------ C:\WINDOWS\NV1660352.TMP\nvdspdeu.chm
2007-05-31 17:50 201713 --a------ C:\WINDOWS\NV1660352.TMP\nvdspita.chm
2007-05-31 17:50 199650 --a------ C:\WINDOWS\NV1660352.TMP\nvdspesn.chm
2007-05-31 17:50 196651 --a------ C:\WINDOWS\NV1660352.TMP\nvdspfra.chm
2007-05-31 17:50 196608 --a------ C:\WINDOWS\NV1660352.TMP\nvwrsko.dll
2007-05-31 17:50 195862 --a------ C:\WINDOWS\NV1660352.TMP\nvcppl.hlp
2007-05-31 17:50 195617 --a------ C:\WINDOWS\NV1660352.TMP\nvcpde.hlp
2007-05-31 17:50 195201 --a------ C:\WINDOWS\NV1660352.TMP\nvdspptb.chm
2007-05-31 17:50 191376 --a------ C:\WINDOWS\NV1660352.TMP\nvcpptb.hlp
2007-05-31 17:50 190511 --a------ C:\WINDOWS\NV1660352.TMP\nvcpes.hlp
2007-05-31 17:50 188515 --a------ C:\WINDOWS\NV1660352.TMP\nvcpfr.hlp
2007-05-31 17:50 188461 --a------ C:\WINDOWS\NV1660352.TMP\nvcpru.hlp
2007-05-31 17:50 180006 --a------ C:\WINDOWS\NV1660352.TMP\nvcpit.hlp
2007-05-31 17:50 1703936 --a------ C:\WINDOWS\NV1660352.TMP\nvwdmcpl.dll
2007-05-31 17:50 167936 --a------ C:\WINDOWS\NV1660352.TMP\nvwrszht.dll
2007-05-31 17:50 165373 --a------ C:\WINDOWS\NV1660352.TMP\nvdsp.chm
2007-05-31 17:50 163840 --a------ C:\WINDOWS\NV1660352.TMP\nvwrszhc.dll
2007-05-31 17:50 1626112 --a------ C:\WINDOWS\NV1660352.TMP\nwiz.exe
2007-05-31 17:50 1474560 --a------ C:\WINDOWS\NV1660352.TMP\nview.dll
2007-05-31 17:50 1339392 --a------ C:\WINDOWS\NV1660352.TMP\nvdspsch.exe
2007-05-31 17:50 126284 --a------ C:\WINDOWS\NV1660352.TMP\nvcpljpn.chm
2007-05-31 17:50 124094 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpko.hlp
2007-05-31 17:50 123972 --a------ C:\WINDOWS\NV1660352.TMP\nvcplkor.chm
2007-05-31 17:50 123739 --a------ C:\WINDOWS\NV1660352.TMP\nv3djpn.chm
2007-05-31 17:50 123130 --a------ C:\WINDOWS\NV1660352.TMP\nvcplplk.chm
2007-05-31 17:50 122880 --a------ C:\WINDOWS\NV1660352.TMP\nvrszht.dll
2007-05-31 17:50 122722 --a------ C:\WINDOWS\NV1660352.TMP\nvcplrus.chm
2007-05-31 17:50 122668 --a------ C:\WINDOWS\NV1660352.TMP\nvcpldeu.chm
2007-05-31 17:50 122254 --a------ C:\WINDOWS\NV1660352.TMP\nvcplcht.chm
2007-05-31 17:50 122000 --a------ C:\WINDOWS\NV1660352.TMP\nvcplita.chm
2007-05-31 17:50 121788 --a------ C:\WINDOWS\NV1660352.TMP\nvcplfra.chm
2007-05-31 17:50 121756 --a------ C:\WINDOWS\NV1660352.TMP\nvcplesn.chm
2007-05-31 17:50 121540 --a------ C:\WINDOWS\NV1660352.TMP\nvcplchs.chm
2007-05-31 17:50 120998 --a------ C:\WINDOWS\NV1660352.TMP\nvcplptb.chm
2007-05-31 17:50 117487 --a------ C:\WINDOWS\NV1660352.TMP\nv3dkor.chm
2007-05-31 17:50 115059 --a------ C:\WINDOWS\NV1660352.TMP\nv3dcht.chm
2007-05-31 17:50 112239 --a------ C:\WINDOWS\NV1660352.TMP\nv3dplk.chm
2007-05-31 17:50 111544 --a------ C:\WINDOWS\NV1660352.TMP\nvapps.nvb
2007-05-31 17:50 111520 --a------ C:\WINDOWS\NV1660352.TMP\nv3desn.chm
2007-05-31 17:50 111142 --a------ C:\WINDOWS\NV1660352.TMP\nv3drus.chm
2007-05-31 17:50 110979 --a------ C:\WINDOWS\NV1660352.TMP\nv3dchs.chm
2007-05-31 17:50 109051 --a------ C:\WINDOWS\NV1660352.TMP\nvwcpja.hlp
2007-05-31 17:50 107071 --a------ C:\WINDOWS\NV1660352.TMP\nv3dita.chm
2007-05-31 17:50 107034 --a------ C:\WINDOWS\NV1660352.TMP\nv3ddeu.chm
2007-05-31 17:50 1069056 --a------ C:\WINDOWS\NV1660352.TMP\nvcpluir.dll
2007-05-31 17:50 106325 --a------ C:\WINDOWS\NV1660352.TMP\nvcpl.chm
2007-05-31 17:50 105045 --a------ C:\WINDOWS\NV1660352.TMP\nv3dfra.chm
2007-05-31 17:50 104393 --a------ C:\WINDOWS\NV1660352.TMP\nv3dptb.chm
2007-05-31 17:50 1019904 --a------ C:\WINDOWS\NV1660352.TMP\nvwimg.dll


((((((((((((((((((((((((((((( snapshot_2008-08-25_ 8.06.10.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-26 13:36:36 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_32c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-04-15 23:49 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-31 17:50 8429568]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-31 17:50 81920]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 18:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 18:30 974848]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 11:55 92160]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 12:53 218424]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 16:05 282624]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 13:42 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-11-15 14:28 85744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 17:51 1235736]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"nwiz"="nwiz.exe" [2007-05-31 17:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-31 17:50 67584 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 01:26 303104 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
TrayIt!.lnk - C:\Program Files\TrayIt\TrayIt!.exe [2007-07-18 15:57:00 204800]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-21 21:26:50 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 17:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1111\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1308\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1311\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\rti\\waveworks\\ndds.3.0m\\bin\\i86Win32VC60\\nddsManager.exe"=
"C:\\TCG\\TCM\\Link16EthernetController.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 17:52]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2007-09-07 11:57]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 17:52]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 11:46]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 16:21]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 17:51]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 17:52]
R2 NCS;Numega Control Service;C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE [2001-03-15 03:58]
R2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 19:29]
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
R2 WavxDMgr;WavxDMgr;C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 11:55]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 15:01]
R3 WaveFDE;Wave System Power Monitor Device Driver;C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 11:18]
S2 Distributed Link Tracking Srv;TrkWsrv;C:\WINDOWS\CKsrv.exe [2008-08-11 21:04]
S2 IntelChip;Intel Chip Group;C:\WINDOWS\system32\hhcmd.exe [2008-08-13 02:24]
S2 MSSQL$MSSQLESMART;SQL Server (MSSQLESMART);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 05:29]
S3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 14:32]
S3 EraserUtilDrv10820;EraserUtilDrv10820;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys []
S3 mach5;mach5;C:\WINDOWS\system32\mach5.sys [2001-03-15 04:30]
S3 SbsWdmPcmcia;SBS 1553 PCM2 ASF;C:\WINDOWS\system32\DRIVERS\SbsWdmPcmcia.sys [2005-07-19 18:58]
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 19:39]
S3 WaveEnrollmentService;WaveEnrollmentService;C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 16:31]
S4 AnNDDSManagerService1;AnNDDSManagerService1;C:\TCG\TCM\srvany.exe [1998-11-22 08:09]
S4 AnNDDSManagerServicePlayback;AnNDDSManagerServicePlayback;C:\TCG\TCM\srvany.exe [1998-11-22 08:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
oqckqz REG_MULTI_SZ oqckqz
hqxgoz REG_MULTI_SZ hqxgoz
iscikf REG_MULTI_SZ iscikf

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{527bc658-3d28-11dd-8c4b-006073eec710}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 09:38:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-08-26 9:43:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-26 13:43:19
ComboFix2.txt 2008-08-25 12:06:59
ComboFix3.txt 2008-08-14 17:31:31

Pre-Run: 57,961,750,528 bytes free
Post-Run: 57,923,780,608 bytes free

581 --- E O F --- 2008-08-23 23:28:46


MBAM log

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

10:13:37 AM 8/26/2008
mbam-log-08-26-2008 (10-13-37).txt

Scan type: Quick Scan
Objects scanned: 55907
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:34 AM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\hhcmd.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\TrayIt\TrayIt!.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=k3...ea30KBJcWJwZG2U
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: TrayIt!.lnk = C:\Program Files\TrayIt\TrayIt!.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://tcgdc/ProjectServer/objects/pjclient.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://tcgdc/ProjectServer/objects/1033/pjcintl.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file:///V:/Service%20Packs/Visual_Studio_60/Platform%20SDK(Feb%202003)/controls/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\Software\..\Telephony: DomainName = Tactical-Communications-Group.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\WINDOWS\CKsrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel Chip Group (IntelChip) - Unknown owner - C:\WINDOWS\system32\hhcmd.exe
O23 - Service: Numega Control Service (NCS) - Compuware Corporation - NuMega Lab - C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12069 bytes

#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:30 AM

Posted 26 August 2008 - 12:13 PM

Hi,

You're doing well. :thumbsup: Let's move on.

From the HJT log, you're still running two antivirus programs simultaneously and haven't updated your Java. Remember to uninstall one and install the new Java when you are ready.---->This is important.


Step1

  • Close any open browsers
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
Folder:: 
C:\temp\NYC SOS
C:\WINDOWS\NV1660352.TMP

Driver::
Distributed Link Tracking Srv

NetSvc::
oqckqz
hqxgoz
iscikf
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2

1. Please run HijackThis! and click "Do a system scan only." Place checks next to the following entries (if present):

O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\WINDOWS\CKsrv.exe

Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Click Start > Run, copy/paste the following into the Open box, and click OK:

sc delete "Distributed Link Tracking Srv"

Reboot your pc.


Step3

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step4

Download to the desktop: Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
    Posted Image
    If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new HijackThis log.


In your next reply, Please post back:

1. ComboFix.txt
2. DrWeb.csv
3. New HJT log

How is your pc running?
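The entries this post targets (the "Unknown owner" service in C:\WINDOWS that the HJT O23 line shows, and the three random-looking svchost group names ComboFix listed) are the kind of thing a responder can pick out mechanically from the logs. The following is an added example, not code from ComboFix, HijackThis or the helper in this thread: a small triage script that parses HijackThis O23 lines and ComboFix's svchost block and flags services with no vendor string whose binary sits in the Windows directory, names that imitate a built-in service but are not hosted by svchost.exe, and non-default svchost groups with generated-looking names. The sample lines are copied from the logs posted above; the XP group allowlist and the "random-looking" heuristic are assumptions of this example.

```python
"""Defender-side triage of HijackThis O23 lines and ComboFix svchost entries.
Added example for this thread, not code from ComboFix, HijackThis or the helper;
sample lines are copied from the logs posted above, the rules are assumptions."""
import re
from dataclasses import dataclass

# Sample input: O23 lines copied from the HijackThis log posted above.
HJT_O23_SAMPLE = """\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\\WINDOWS\\CKsrv.exe
O23 - Service: Intel Chip Group (IntelChip) - Unknown owner - C:\\WINDOWS\\system32\\hhcmd.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\\Program Files\\NTRU Cryptosystems\\NTRU TCG Software Stack\\bin\\tcsd_win32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""
# Sample input: svchost block copied from ComboFix's "Reg Loading Points" section.
COMBOFIX_SVCHOST_SAMPLE = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\svchost]
oqckqz REG_MULTI_SZ oqckqz
hqxgoz REG_MULTI_SZ hqxgoz
iscikf REG_MULTI_SZ iscikf
"""

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")
SVCHOST_RE = re.compile(r"^(?P<group>\S+) REG_MULTI_SZ (?P<members>.*)$")

# svchost groups on a default Windows XP install (partial list, an assumption).
# ComboFix already hides "legit default entries", so anything it prints deserves
# a look; the allowlist only guards against an unfiltered registry dump.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
                        "imgsvc", "termsvcs", "httpfilter", "nla", "ndisuio", "wudfservicegroup"}
# Built-in service names a fake may imitate, mapped to the binary the genuine one
# runs in: XP's "Distributed Link Tracking Client" is svchost-hosted, so a
# look-alike name pointing at any other EXE is suspect.
LOOKALIKE_NAMES = {"distributed link tracking": "svchost.exe"}


@dataclass
class Finding:
    source: str  # "O23" or "svchost"
    item: str    # service short name or svchost group name
    path: str    # image path ("" for svchost groups)
    reason: str


def _in_windows_dir(path):
    """True when the binary sits directly in %WINDIR% or %WINDIR%\\system32."""
    directory = path.lower().rsplit("\\", 1)[0] + "\\"
    return directory in ("c:\\windows\\", "c:\\windows\\system32\\")


def looks_random(name):
    """Crude test for generated names: few vowels or a long consonant run."""
    s = name.lower()
    if not s.isalpha() or len(s) < 5:
        return False
    run = best = 0
    for c in s:
        run = 0 if c in "aeiou" else run + 1
        best = max(best, run)
    return sum(c in "aeiou" for c in s) / len(s) <= 0.34 or best >= 4


def triage_o23(text):
    """Flag services with no vendor string whose EXE lives in the Windows
    directory, and services whose name imitates a built-in Windows service."""
    findings = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display, owner, path = m.group("display"), m.group("owner"), m.group("path")
        name = m.group("name") or display
        exe = path.rsplit("\\", 1)[-1].lower()
        if owner == "Unknown owner" and _in_windows_dir(path):
            findings.append(Finding("O23", name, path, "no vendor name, binary in Windows directory"))
        for keyword, host in LOOKALIKE_NAMES.items():
            if keyword in f"{display} {name}".lower() and exe != host:
                findings.append(Finding("O23", name, path, f"name imitates a built-in service hosted by {host}"))
    return findings


def triage_svchost_groups(text):
    """Flag svchost groups that are not XP defaults; note random-looking names."""
    findings = []
    for line in text.splitlines():
        m = SVCHOST_RE.match(line.strip())
        if not m or m.group("group").lower() in KNOWN_SVCHOST_GROUPS:
            continue
        reason = "non-default svchost group"
        if looks_random(m.group("group")):
            reason += " with random-looking name"
        findings.append(Finding("svchost", m.group("group"), "", f"{reason} (members: {m.group('members')})"))
    return findings


if __name__ == "__main__":
    for f in triage_o23(HJT_O23_SAMPLE) + triage_svchost_groups(COMBOFIX_SVCHOST_SAMPLE):
        print(f"[{f.source}] {f.item}: {f.reason} {f.path}".rstrip())
```

Run against the sample above it reports CKsrv.exe twice (no vendor name in the Windows directory, and a name imitating the svchost-hosted Distributed Link Tracking service), hhcmd.exe once, and all three svchost groups; the NTRU service is "Unknown owner" but lives under Program Files and is left alone, which is the right call for a legitimately unsigned TCG stack. The heuristics are deliberately conservative: they point a responder at what to verify (file version info, hashes, creation dates in the ComboFix file list), not at what to delete.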

#9 Peter E

Peter E
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:30 AM

Posted 27 August 2008 - 10:23 AM

Wow, that DrWeb scan took forever! I had to leave it overnight. I had not upgraded Java or removed Norton yet because those versions are required to use my computer at work, but I have made the changes you requested now.

I ran ComboFix with the script you listed, with one exception. The temp/NYC SOS folder was a temp directory containing some personal photos, so I moved those files manually to another computer.

The line "O23 - Service: TrkWsrv (Distributed Link Tracking Srv) - Unknown owner - C:\WINDOWS\CKsrv.exe" was not listed in HijackThis so I did not perform this action.

The computer is running okay right now, a little slow perhaps on startup, but certainly no worse than when we started this. I haven't tried to open IE yet, I plan to wait until we've completed the cleaning in case there is something there that's waiting to re-download itself.


Here are the logs:

ComboFix.txt

ComboFix 08-08-24.02 - Administrator 2008-08-26 23:55:47.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1447 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\NV1660352.TMP
C:\WINDOWS\NV1660352.TMP\default.tvp
C:\WINDOWS\NV1660352.TMP\keystone.exe
C:\WINDOWS\NV1660352.TMP\nv3d.chm
C:\WINDOWS\NV1660352.TMP\nv3dchs.chm
C:\WINDOWS\NV1660352.TMP\nv3dcht.chm
C:\WINDOWS\NV1660352.TMP\nv3ddeu.chm
C:\WINDOWS\NV1660352.TMP\nv3desn.chm
C:\WINDOWS\NV1660352.TMP\nv3dfra.chm
C:\WINDOWS\NV1660352.TMP\nv3dita.chm
C:\WINDOWS\NV1660352.TMP\nv3djpn.chm
C:\WINDOWS\NV1660352.TMP\nv3dkor.chm
C:\WINDOWS\NV1660352.TMP\nv3dplk.chm
C:\WINDOWS\NV1660352.TMP\nv3dptb.chm
C:\WINDOWS\NV1660352.TMP\nv3drus.chm
C:\WINDOWS\NV1660352.TMP\nvappbar.exe
C:\WINDOWS\NV1660352.TMP\nvapps.nvb
C:\WINDOWS\NV1660352.TMP\nvcpde.hlp
C:\WINDOWS\NV1660352.TMP\nvcpes.hlp
C:\WINDOWS\NV1660352.TMP\nvcpfr.hlp
C:\WINDOWS\NV1660352.TMP\nvcpit.hlp
C:\WINDOWS\NV1660352.TMP\nvcpja.hlp
C:\WINDOWS\NV1660352.TMP\nvcpko.hlp
C:\WINDOWS\NV1660352.TMP\nvcpl.chm
C:\WINDOWS\NV1660352.TMP\nvcpl.cpl
C:\WINDOWS\NV1660352.TMP\nvcplchs.chm
C:\WINDOWS\NV1660352.TMP\nvcplcht.chm
C:\WINDOWS\NV1660352.TMP\nvcpldeu.chm
C:\WINDOWS\NV1660352.TMP\nvcplesn.chm
C:\WINDOWS\NV1660352.TMP\nvcplfra.chm
C:\WINDOWS\NV1660352.TMP\nvcplita.chm
C:\WINDOWS\NV1660352.TMP\nvcpljpn.chm
C:\WINDOWS\NV1660352.TMP\nvcplkor.chm
C:\WINDOWS\NV1660352.TMP\nvcplplk.chm
C:\WINDOWS\NV1660352.TMP\nvcplptb.chm
C:\WINDOWS\NV1660352.TMP\nvcplrus.chm
C:\WINDOWS\NV1660352.TMP\nvcplui.exe
C:\WINDOWS\NV1660352.TMP\nvcpluir.dll
C:\WINDOWS\NV1660352.TMP\nvcppl.hlp
C:\WINDOWS\NV1660352.TMP\nvcpptb.hlp
C:\WINDOWS\NV1660352.TMP\nvcpru.hlp
C:\WINDOWS\NV1660352.TMP\nvcpzhc.hlp
C:\WINDOWS\NV1660352.TMP\nvcpzht.hlp
C:\WINDOWS\NV1660352.TMP\nvdsp.chm
C:\WINDOWS\NV1660352.TMP\nvdspchs.chm
C:\WINDOWS\NV1660352.TMP\nvdspcht.chm
C:\WINDOWS\NV1660352.TMP\nvdspdeu.chm
C:\WINDOWS\NV1660352.TMP\nvdspesn.chm
C:\WINDOWS\NV1660352.TMP\nvdspfra.chm
C:\WINDOWS\NV1660352.TMP\nvdspita.chm
C:\WINDOWS\NV1660352.TMP\nvdspjpn.chm
C:\WINDOWS\NV1660352.TMP\nvdspkor.chm
C:\WINDOWS\NV1660352.TMP\nvdspplk.chm
C:\WINDOWS\NV1660352.TMP\nvdspptb.chm
C:\WINDOWS\NV1660352.TMP\nvdsprus.chm
C:\WINDOWS\NV1660352.TMP\nvdspsch.exe
C:\WINDOWS\NV1660352.TMP\nvexpbar.dll
C:\WINDOWS\NV1660352.TMP\nvhotkey.dll
C:\WINDOWS\NV1660352.TMP\nview.dll
C:\WINDOWS\NV1660352.TMP\nvmccsrs.dll
C:\WINDOWS\NV1660352.TMP\nvmob.chm
C:\WINDOWS\NV1660352.TMP\nvmobchs.chm
C:\WINDOWS\NV1660352.TMP\nvmobcht.chm
C:\WINDOWS\NV1660352.TMP\nvmobdeu.chm
C:\WINDOWS\NV1660352.TMP\nvmobesn.chm
C:\WINDOWS\NV1660352.TMP\nvmobfra.chm
C:\WINDOWS\NV1660352.TMP\nvmobita.chm
C:\WINDOWS\NV1660352.TMP\nvmobjpn.chm
C:\WINDOWS\NV1660352.TMP\nvmobkor.chm
C:\WINDOWS\NV1660352.TMP\nvmobplk.chm
C:\WINDOWS\NV1660352.TMP\nvmobptb.chm
C:\WINDOWS\NV1660352.TMP\nvmobrus.chm
C:\WINDOWS\NV1660352.TMP\nvrsde.dll
C:\WINDOWS\NV1660352.TMP\nvrses.dll
C:\WINDOWS\NV1660352.TMP\nvrsfr.dll
C:\WINDOWS\NV1660352.TMP\nvrsit.dll
C:\WINDOWS\NV1660352.TMP\nvrsja.dll
C:\WINDOWS\NV1660352.TMP\nvrsko.dll
C:\WINDOWS\NV1660352.TMP\nvrspl.dll
C:\WINDOWS\NV1660352.TMP\nvrsptb.dll
C:\WINDOWS\NV1660352.TMP\nvrsru.dll
C:\WINDOWS\NV1660352.TMP\nvrszhc.dll
C:\WINDOWS\NV1660352.TMP\nvrszht.dll
C:\WINDOWS\NV1660352.TMP\nvshell.dll
C:\WINDOWS\NV1660352.TMP\nvtuicpl.cpl
C:\WINDOWS\NV1660352.TMP\nvwcpde.hlp
C:\WINDOWS\NV1660352.TMP\nvwcpes.hlp
C:\WINDOWS\NV1660352.TMP\nvwcpfr.hlp
C:\WINDOWS\NV1660352.TMP\nvwcpit.hlp
C:\WINDOWS\NV1660352.TMP\nvwcpja.hlp
C:\WINDOWS\NV1660352.TMP\nvwcpko.hlp
C:\WINDOWS\NV1660352.TMP\nvwcppl.hlp
C:\WINDOWS\NV1660352.TMP\nvwcpptb.hlp
C:\WINDOWS\NV1660352.TMP\nvwcpru.hlp
C:\WINDOWS\NV1660352.TMP\nvwcpzhc.hlp
C:\WINDOWS\NV1660352.TMP\nvwcpzht.hlp
C:\WINDOWS\NV1660352.TMP\nvwdmcpl.dll
C:\WINDOWS\NV1660352.TMP\nvwimg.dll
C:\WINDOWS\NV1660352.TMP\nvwrsde.dll
C:\WINDOWS\NV1660352.TMP\nvwrses.dll
C:\WINDOWS\NV1660352.TMP\nvwrsfr.dll
C:\WINDOWS\NV1660352.TMP\nvwrsit.dll
C:\WINDOWS\NV1660352.TMP\nvwrsja.dll
C:\WINDOWS\NV1660352.TMP\nvwrsko.dll
C:\WINDOWS\NV1660352.TMP\nvwrspl.dll
C:\WINDOWS\NV1660352.TMP\nvwrsptb.dll
C:\WINDOWS\NV1660352.TMP\nvwrsru.dll
C:\WINDOWS\NV1660352.TMP\nvwrszhc.dll
C:\WINDOWS\NV1660352.TMP\nvwrszht.dll
C:\WINDOWS\NV1660352.TMP\nwiz.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DISTRIBUTED_LINK_TRACKING_SRV
-------\Service_Distributed Link Tracking Srv


((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-26 23:49 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-26 23:47 . 2008-08-26 23:47 151,040 --a------ C:\WINDOWS\system32\ctfmons.exe
2008-08-26 23:41 . 2008-08-26 23:41 262,144 --a------ C:\Documents and Settings\DR81AD~1.TCG
2008-08-17 17:28 . 2008-08-17 17:28 <DIR> d-------- C:\Program Files\ISO Recorder
2008-08-16 18:20 . 2008-08-17 17:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InfraRecorder
2008-08-16 18:02 . 2008-08-16 18:02 <DIR> d-------- C:\Program Files\CDRTools
2008-08-16 10:40 . 2008-08-16 10:40 <DIR> d-------- C:\Deckard
2008-08-15 13:39 . 2008-08-15 13:39 66,048 --a------ C:\mbr.exe
2008-08-15 08:32 . 2008-08-27 00:02 6,678,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-15 08:32 . 2008-08-27 00:02 81,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-15 08:28 . 2008-08-15 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-15 08:28 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-15 08:28 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-08-15 08:28 . 2008-08-15 08:30 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-15 08:27 . 2008-08-15 08:27 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-15 08:24 . 2008-08-27 00:06 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-08-15 00:38 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-14 18:03 . 2008-08-26 23:47 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 17:52 . 2008-08-26 23:39 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 17:52 . 2008-08-14 17:52 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 17:52 . 2008-08-14 17:52 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 17:52 . 2008-08-14 17:52 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 17:52 . 2008-08-14 17:52 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-14 17:51 . 2008-08-14 17:51 <DIR> d-------- C:\Program Files\AVG
2008-08-14 17:51 . 2008-08-26 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 17:49 . 2008-08-14 17:52 8,192 --a------ C:\Documents and Settings\DREWPI~4.TCG
2008-08-14 17:48 . 2008-08-14 17:48 <DIR> d-------- C:\Program Files\Panda Security
2008-08-14 17:10 . 2008-08-14 17:10 262,144 --a------ C:\Documents and Settings\DREWPI~3.TCG
2008-08-14 15:08 . 2004-08-04 06:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-08-14 15:07 . 2004-08-04 06:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-14 14:23 . 2004-08-04 06:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-08-14 14:23 . 2004-08-04 06:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-08-14 14:23 . 2004-08-04 06:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-08-14 14:23 . 2004-08-04 06:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-08-14 11:01 . 2008-08-26 10:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-14 11:01 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 11:01 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-14 00:39 . 2008-08-14 06:49 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-08-13 16:59 . 2004-08-04 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-08-13 16:44 . 2004-08-04 06:00 7,334 --a--c--- C:\WINDOWS\system32\dllcache\wmerrenu.cat
2008-08-13 12:33 . 2008-08-13 12:33 <DIR> d-------- C:\WINDOWS\dell
2008-08-13 11:58 . 2008-08-13 11:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-13 11:52 . 2008-08-15 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-13 10:49 . 2008-08-13 11:48 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-13 10:42 . 2008-08-13 10:42 262,144 --a------ C:\Documents and Settings\DREWPI~2.TCG
2008-08-13 10:36 . 2008-08-13 10:36 262,144 --a------ C:\Documents and Settings\DREWPI~1.TCG
2008-08-13 09:29 . 2008-08-13 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-13 02:21 . 2008-08-13 02:24 692,224 --ahs---- C:\WINDOWS\system32\hhcmd.exe
2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 21:45 . 2008-08-11 21:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-11 21:45 . 2008-08-11 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 21:05 . 2008-08-12 13:45 188 --a------ C:\WINDOWS\system32\pagefiles.sys
2008-08-11 21:04 . 2008-08-14 13:22 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-11 21:04 . 2008-08-11 21:04 384,512 --ah----- C:\WINDOWS\CKsrv.exe
2008-08-08 18:54 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-08 18:54 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-08 18:54 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-06 10:23 . 2004-08-03 23:04 30,080 --a------ C:\WINDOWS\system32\drivers\rndismpx.sys
2008-08-06 10:23 . 2004-08-03 23:04 12,672 --a------ C:\WINDOWS\system32\drivers\usb8023x.sys
2008-07-31 21:22 . 2008-07-31 21:22 724,984 --a------ C:\Documents and Settings\Administrator\gotomypc_437.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 04:06 795,977 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-27 03:49 --------- d-----w C:\Program Files\Java
2008-08-27 03:44 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-27 03:44 --------- d-----w C:\Program Files\Symantec
2008-08-27 03:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-27 03:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-16 19:21 --------- d-----w C:\Program Files\UnRar
2008-08-12 01:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 14:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-27 22:08 --------- d-----w C:\Program Files\Diablo II
2008-07-24 21:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Bioshock
2008-07-24 14:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-24 14:25 --------- d-----w C:\Program Files\BioShock
2008-07-24 14:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 14:19 --------- d-----w C:\Program Files\VirtualCD
2008-07-24 13:57 --------- d-----w C:\Program Files\GnuWin32
2008-07-22 00:59 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-07-22 00:59 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-07-21 23:43 --------- d-----w C:\Program Files\Warcraft2
2008-07-21 21:53 --------- d-----w C:\Program Files\uTorrent
2008-07-18 16:36 --------- d-----w C:\Program Files\DVDt
2008-07-18 16:36 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-07-15 17:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Trimble Navigation
2008-07-15 13:52 --------- d-----w C:\Program Files\World of Warcraft
2008-03-14 22:11 17,144 ----a-w C:\Documents and Settings\drew pierce\Application Data\GDIPFONTCACHEV1.DAT
2008-02-13 17:01 17,144 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-08-25_ 8.06.10.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-10 17:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 17:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 19:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-08-27 04:06:58 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-04-15 23:49 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-31 17:50 8429568]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-31 17:50 81920]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 18:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 18:30 974848]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 11:55 92160]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 12:53 218424]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 16:05 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 17:51 1235736]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2007-05-31 17:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-31 17:50 67584 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 01:26 303104 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
TrayIt!.lnk - C:\Program Files\TrayIt\TrayIt!.exe [2007-07-18 15:57:00 204800]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-21 21:26:50 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 17:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1111\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1308\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1311\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\rti\\waveworks\\ndds.3.0m\\bin\\i86Win32VC60\\nddsManager.exe"=
"C:\\TCG\\TCM\\Link16EthernetController.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 17:52]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2007-09-07 11:57]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 17:52]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 11:46]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 16:21]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 17:51]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 17:52]
R2 NCS;Numega Control Service;C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE [2001-03-15 03:58]
R2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 19:29]
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
R2 WavxDMgr;WavxDMgr;C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 11:55]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 15:01]
R3 WaveFDE;Wave System Power Monitor Device Driver;C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 11:18]
S2 IntelChip;Intel Chip Group;C:\WINDOWS\system32\hhcmd.exe [2008-08-13 02:24]
S2 MSSQL$MSSQLESMART;SQL Server (MSSQLESMART);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 05:29]
S3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 14:32]
S3 EraserUtilDrv10820;EraserUtilDrv10820;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys []
S3 mach5;mach5;C:\WINDOWS\system32\mach5.sys [2001-03-15 04:30]
S3 SbsWdmPcmcia;SBS 1553 PCM2 ASF;C:\WINDOWS\system32\DRIVERS\SbsWdmPcmcia.sys [2005-07-19 18:58]
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 19:39]
S3 WaveEnrollmentService;WaveEnrollmentService;C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 16:31]
S4 AnNDDSManagerService1;AnNDDSManagerService1;C:\TCG\TCM\srvany.exe [1998-11-22 08:09]
S4 AnNDDSManagerServicePlayback;AnNDDSManagerServicePlayback;C:\TCG\TCM\srvany.exe [1998-11-22 08:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
oqckqz REG_MULTI_SZ oqckqz
hqxgoz REG_MULTI_SZ hqxgoz
iscikf REG_MULTI_SZ iscikf

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{527bc658-3d28-11dd-8c4b-006073eec710}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 00:08:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-08-27 0:13:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 04:13:20
ComboFix2.txt 2008-08-26 13:43:30
ComboFix3.txt 2008-08-25 12:06:59
ComboFix4.txt 2008-08-14 17:31:31

Pre-Run: 58,773,172,224 bytes free
Post-Run: 58,877,378,560 bytes free

385 --- E O F --- 2008-08-23 23:28:46


DrWeb.csv (I did not have it delete the system restore stuff)

ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;;
A0003868.EXE;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP17;Program.PsExec.170;;
A0004883.EXE;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP18;Program.PsExec.170;;
A0004904.EXE;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP18;Program.PsExec.170;;
A0006292.EXE;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP21;Program.PsExec.170;;
CKsrv.exe;C:\WINDOWS;BackDoor.Pigeon.14016;Deleted.;



HijackThis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:50 AM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\hhcmd.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\KADxMain.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TrayIt\TrayIt!.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=k3...ea30KBJcWJwZG2U
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: TrayIt!.lnk = C:\Program Files\TrayIt\TrayIt!.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://tcgdc/ProjectServer/objects/pjclient.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://tcgdc/ProjectServer/objects/1033/pjcintl.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file:///V:/Service%20Packs/Visual_Studio_60/Platform%20SDK(Feb%202003)/controls/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\Software\..\Telephony: DomainName = Tactical-Communications-Group.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel Chip Group (IntelChip) - Unknown owner - C:\WINDOWS\system32\hhcmd.exe
O23 - Service: Numega Control Service (NCS) - Compuware Corporation - NuMega Lab - C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10709 bytes

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:30 AM

Posted 27 August 2008 - 11:11 AM

Hi,

You are not clean yet; I will get back to you. Thanks.

Edited by sundavis, 27 August 2008 - 11:18 AM.


#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:30 AM

Posted 27 August 2008 - 12:26 PM

Hi,

We are almost there, but not yet. The files in System Volume Information we can deal with at the end.
Please be patient and follow the instructions below. Thanks.


Step 1.

Back up the whole registry with ERUNT
  • Please go to Aumha.org and scroll down to ERUNT, downloading it to your desktop.
  • For the version with the Installer:
  • Use the setup program to install ERUNT on your computer.
  • For the zipped version:
  • Unzip all the files into a folder of your choice.
  • Click Erunt.exe to back up your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe



Step 2.

A.
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqckqz]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hqxgoz]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iscikf]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"oqckqz"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"hqxgoz"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"iscikf"=-

Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Name the file fix.reg, making sure "Save as type" is set to "All Files". It should look like the screenshot (image not reproduced).
Double click it and an information box will pop up asking if you want to merge the information in the file into the registry, click yes.


B.
Go to Start Menu > Search > click All Files and Folders,
scroll down to the Advanced Options which is the last option,
click that and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders & Search Subfolders
Press Search for each of these, one by one (if found):

oqckqz.dll
hqxgoz.dll
iscikf.dll
0004c558.INI

and delete any that are found by right clicking the file in the results pane to the right and choosing delete.



Step 3
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
NetSvc::
oqckqz
hqxgoz
iscikf


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

(screenshot not reproduced: CFScript.txt being dragged onto ComboFix.exe)

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step 4

Please download F-Secure Blacklight and save it to C drive.
  • Click on Start > Run and copy and paste in the following:
  • C:\fsbl.exe /expert
  • Click OK.
  • You will be shown a license agreement. Read through it and select I accept the agreement. Click Next.
  • Click on Scan.
  • Once the scan is done, close F-Secure Blacklight. Don't rename anything found!
  • A log will be produced on your C drive. It's named fsbl-XXXXXXXXXXXXXX.log, where the XXXXXXXXXXXXXX are numbers. Please post this log in your next reply along with a new HijackThis log.

In your next reply, Please post back:

1. ComboFix.txt
2. Blacklight log
3. New HJT log.

Tell me how things are going now.
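
A small triage script, added here as an example (it is not a tool from this thread, nor from the ComboFix or HijackThis authors), that parses the three log-line formats posted in this thread (ComboFix's "Files Created" listing and its R*/S* service list, and HijackThis O23 service lines), cross-references them and scores each binary by how many heuristics agree. The sample lines are constructed in those formats, and the field layout and attribute letters are assumed from the logs as posted.

```python
import re
from dataclasses import dataclass, field

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")

# ComboFix "Files Created" line:  created . modified size attributes path
NEW_FILE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ (?P<size>[\d,]+|<DIR>) "
                         r"(?P<attrs>[-\w]{9}) (?P<path>.+)$")
# ComboFix service line:  "S2 name;display;path [date]"
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[.*\]$")
# HijackThis O23 line:  "O23 - Service: display (short) - owner - path"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))?"
                    r" - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed sample lines in the formats quoted in this thread (not one real log).
SAMPLE_NEW_FILES = r"""
2008-08-13 02:21 . 2008-08-13 02:24 692,224 --ahs---- C:\WINDOWS\system32\hhcmd.exe
2008-08-15 08:32 . 2008-08-27 13:54 86,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-14 17:52 . 2008-08-14 17:52 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-17 17:28 . 2008-08-17 17:28 <DIR> d-------- C:\Program Files\ISO Recorder
"""
SAMPLE_SERVICES = r"""
R2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 19:29]
S2 IntelChip;Intel Chip Group;C:\WINDOWS\system32\hhcmd.exe [2008-08-13 02:24]
S3 mach5;mach5;C:\WINDOWS\system32\mach5.sys [2001-03-15 04:30]
"""
SAMPLE_O23 = r"""
O23 - Service: Intel Chip Group (IntelChip) - Unknown owner - C:\WINDOWS\system32\hhcmd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
"""


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def norm(path: str) -> str:
    """Lower-case a path and drop HijackThis's '(file missing)' suffix."""
    p = path.strip()
    if p.lower().endswith(" (file missing)"):
        p = p[:-len(" (file missing)")]
    return p.lower()


def parse_new_files(text: str) -> dict:
    """{normalised path: attribute string}, directories skipped."""
    out = {}
    for line in text.splitlines():
        m = NEW_FILE_RE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            out[norm(m.group("path"))] = m.group("attrs")
    return out


def parse_services(text: str) -> list:
    """[(short name, display name, normalised path), ...]"""
    return [(m.group("name"), m.group("display"), norm(m.group("path")))
            for m in map(SERVICE_RE.match, (ln.strip() for ln in text.splitlines())) if m]


def parse_o23(text: str) -> list:
    """[(short name, or display name if none, owner, normalised path), ...]"""
    return [(m.group("short") or m.group("display"), m.group("owner"), norm(m.group("path")))
            for m in map(O23_RE.match, (ln.strip() for ln in text.splitlines())) if m]


def triage(new_files_text: str, services_text: str, hjt_text: str) -> list:
    """Cross-reference the three listings; one Finding per binary, highest score first.
    Each heuristic adds one reason, so agreement between sources raises the score."""
    findings = {}

    def flag(path, reason):
        findings.setdefault(path, Finding(path)).reasons.append(reason)

    new_files = parse_new_files(new_files_text)
    for path, attrs in new_files.items():
        # Hidden+system attributes on a freshly created executable are unusual.
        if path.endswith(EXECUTABLE_EXT) and "h" in attrs and "s" in attrs:
            flag(path, f"new executable with hidden+system attributes ({attrs})")
    for name, display, path in parse_services(services_text):
        # A service backed by a binary that appeared in the recent-files window.
        if path in new_files and path.endswith(EXECUTABLE_EXT):
            flag(path, f"service '{name}' ({display}) runs a recently created binary")
    for short, owner, path in parse_o23(hjt_text):
        # HijackThis could not read a vendor from the binary's version info.
        if owner.lower() == "unknown owner" and "\\system32\\" in path:
            flag(path, f"HijackThis shows 'Unknown owner' for service '{short}' in system32")
    return sorted(findings.values(), key=lambda f: (-f.score, f.path))
```

"Unknown owner" on its own is weak evidence (the HijackThis log earlier in this thread shows it for a legitimate NTRU TCG stack service too), which is why a finding is ranked by how many independent heuristics agree rather than by any single one.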

#12 Peter E

Peter E
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:30 AM

Posted 27 August 2008 - 01:25 PM

Hi, thanks for the quick replies. I'm 100% patient here, not to worry. I consider myself very lucky to have your support and cannot thank you enough. I am also learning through this process, which is actually very enjoyable for me.

Now, with that said...

Every time I run ComboFix.exe I get fatal error in hhcmd.exe, which I dismiss and ZoneAlarm picks up ping.exe trying to access the internet, which I allow. I'm not sure if this is related to what I've got on my system or a side effect of some of the cleaning we've done. ComboFix appears to run okay though, and reboot my computer successfully... all that.

None of the files you asked me to sear

Here are the logs.

ComboFix.txt

ComboFix 08-08-24.02 - Administrator 2008-08-27 13:50:28.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1098 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-27 13:39 . 2008-08-27 13:39 1,018,520 --a------ C:\fsbl.exe
2008-08-26 23:49 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-26 23:41 . 2008-08-26 23:41 262,144 --a------ C:\Documents and Settings\DR81AD~1.TCG
2008-08-17 17:28 . 2008-08-17 17:28 <DIR> d-------- C:\Program Files\ISO Recorder
2008-08-16 18:20 . 2008-08-17 17:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InfraRecorder
2008-08-16 18:02 . 2008-08-16 18:02 <DIR> d-------- C:\Program Files\CDRTools
2008-08-16 10:40 . 2008-08-16 10:40 <DIR> d-------- C:\Deckard
2008-08-15 13:39 . 2008-08-15 13:39 66,048 --a------ C:\mbr.exe
2008-08-15 08:32 . 2008-08-27 13:54 6,678,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-15 08:32 . 2008-08-27 13:54 86,528 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-15 08:28 . 2008-08-15 08:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-15 08:28 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-15 08:28 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-08-15 08:28 . 2008-08-15 08:30 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-15 08:27 . 2008-08-15 08:27 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-15 08:24 . 2008-08-27 09:09 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-08-15 00:38 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-14 18:03 . 2008-08-27 02:37 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-14 17:52 . 2008-08-27 08:49 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-14 17:52 . 2008-08-14 17:52 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-14 17:52 . 2008-08-14 17:52 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-14 17:52 . 2008-08-14 17:52 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-08-14 17:52 . 2008-08-14 17:52 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-14 17:51 . 2008-08-14 17:51 <DIR> d-------- C:\Program Files\AVG
2008-08-14 17:51 . 2008-08-26 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-14 17:49 . 2008-08-14 17:52 8,192 --a------ C:\Documents and Settings\DREWPI~4.TCG
2008-08-14 17:48 . 2008-08-14 17:48 <DIR> d-------- C:\Program Files\Panda Security
2008-08-14 17:10 . 2008-08-14 17:10 262,144 --a------ C:\Documents and Settings\DREWPI~3.TCG
2008-08-14 15:08 . 2004-08-04 06:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-08-14 15:07 . 2004-08-04 06:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-14 15:01 . 2008-08-14 15:01 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-14 14:23 . 2004-08-04 06:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-08-14 14:23 . 2004-08-04 06:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-08-14 14:23 . 2004-08-04 06:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-08-14 14:23 . 2004-08-04 06:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-08-14 11:01 . 2008-08-26 10:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-14 11:01 . 2008-08-14 11:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-14 11:01 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 11:01 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-14 00:39 . 2008-08-14 06:49 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-08-13 16:59 . 2004-08-04 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-08-13 16:44 . 2004-08-04 06:00 7,334 --a--c--- C:\WINDOWS\system32\dllcache\wmerrenu.cat
2008-08-13 12:33 . 2008-08-13 12:33 <DIR> d-------- C:\WINDOWS\dell
2008-08-13 11:58 . 2008-08-13 11:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-13 11:52 . 2008-08-15 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-13 10:49 . 2008-08-13 11:48 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-13 10:42 . 2008-08-13 10:42 262,144 --a------ C:\Documents and Settings\DREWPI~2.TCG
2008-08-13 10:36 . 2008-08-13 10:36 262,144 --a------ C:\Documents and Settings\DREWPI~1.TCG
2008-08-13 09:29 . 2008-08-13 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-13 02:21 . 2008-08-13 02:24 692,224 --ahs---- C:\WINDOWS\system32\hhcmd.exe
2008-08-13 00:33 . 2008-08-13 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 21:45 . 2008-08-11 21:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-11 21:45 . 2008-08-11 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-11 21:05 . 2008-08-12 13:45 188 --a------ C:\WINDOWS\system32\pagefiles.sys
2008-08-11 21:04 . 2008-08-14 13:22 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-08 18:54 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-08 18:54 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-08 18:54 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-08-06 10:23 . 2004-08-03 23:04 30,080 --a------ C:\WINDOWS\system32\drivers\rndismpx.sys
2008-08-06 10:23 . 2004-08-03 23:04 12,672 --a------ C:\WINDOWS\system32\drivers\usb8023x.sys
2008-07-31 21:22 . 2008-07-31 21:22 724,984 --a------ C:\Documents and Settings\Administrator\gotomypc_437.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 04:06 795,977 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-27 03:49 --------- d-----w C:\Program Files\Java
2008-08-27 03:44 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-08-27 03:44 --------- d-----w C:\Program Files\Symantec
2008-08-27 03:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-27 03:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-16 19:21 --------- d-----w C:\Program Files\UnRar
2008-08-12 01:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-06 14:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-27 22:08 --------- d-----w C:\Program Files\Diablo II
2008-07-24 21:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Bioshock
2008-07-24 14:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-24 14:25 --------- d-----w C:\Program Files\BioShock
2008-07-24 14:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 14:19 --------- d-----w C:\Program Files\VirtualCD
2008-07-24 13:57 --------- d-----w C:\Program Files\GnuWin32
2008-07-22 01:08 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-07-22 01:08 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-07-22 01:08 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-07-22 00:59 94,208 ----a-w C:\WINDOWS\DIIUnin.exe
2008-07-22 00:59 2,829 ----a-w C:\WINDOWS\DIIUnin.pif
2008-07-21 23:43 --------- d-----w C:\Program Files\Warcraft2
2008-07-21 21:53 --------- d-----w C:\Program Files\uTorrent
2008-07-18 16:36 --------- d-----w C:\Program Files\DVDt
2008-07-18 16:36 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-07-15 17:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Trimble Navigation
2008-07-15 13:52 --------- d-----w C:\Program Files\World of Warcraft
2008-07-09 13:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-14 22:11 17,144 ----a-w C:\Documents and Settings\drew pierce\Application Data\GDIPFONTCACHEV1.DAT
2008-02-13 17:01 17,144 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-08-25_ 8.06.10.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\erdnt\8-27-2008\ERDNT.EXE
+ 2008-08-27 17:35:44 233,472 ----a-w C:\WINDOWS\erdnt\8-27-2008\Users\00000001\NTUSER.DAT
+ 2008-08-27 17:35:44 8,192 ----a-w C:\WINDOWS\erdnt\8-27-2008\Users\00000002\UsrClass.dat
+ 2008-08-27 17:35:44 233,472 ----a-w C:\WINDOWS\erdnt\8-27-2008\Users\00000003\NTUSER.DAT
+ 2008-08-27 17:35:44 8,192 ----a-w C:\WINDOWS\erdnt\8-27-2008\Users\00000004\UsrClass.dat
+ 2008-08-27 17:35:44 4,423,680 ----a-w C:\WINDOWS\erdnt\8-27-2008\Users\00000005\NTUSER.DAT
+ 2008-08-27 17:35:44 184,320 ----a-w C:\WINDOWS\erdnt\8-27-2008\Users\00000006\UsrClass.dat
+ 2008-08-27 17:35:45 548,864 ----a-w C:\WINDOWS\erdnt\8-27-2008\Users\00000007\NTUSER.DAT
- 2005-11-10 17:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 17:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 19:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-08-27 17:55:51 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_558.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-04-15 23:49 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-31 17:50 8429568]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-31 17:50 81920]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 18:32 823296]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 18:30 974848]
"WavXMgr"="C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 11:55 92160]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 12:53 218424]
"KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [2006-11-02 16:05 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-14 17:51 1235736]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2007-05-31 17:50 1626112 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-05-31 17:50 67584 C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 01:26 303104 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
TrayIt!.lnk - C:\Program Files\TrayIt\TrayIt!.exe [2007-07-18 15:57:00 204800]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-01-21 21:26:50 50688]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 17:20 73728 C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1111\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1308\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667439168-2370445097-3441234575-1311\Scripts\Logon\0\0]
"Script"=User_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\rti\\waveworks\\ndds.3.0m\\bin\\i86Win32VC60\\nddsManager.exe"=
"C:\\TCG\\TCM\\Link16EthernetController.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-14 17:52]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2007-09-07 11:57]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-14 17:52]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 11:46]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 16:21]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-14 17:51]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-14 17:52]
R2 NCS;Numega Control Service;C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE [2001-03-15 03:58]
R2 TdmService;TdmService;C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 19:29]
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2004-08-04 06:00]
R2 WavxDMgr;WavxDMgr;C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 11:55]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 15:01]
R3 WaveFDE;Wave System Power Monitor Device Driver;C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 11:18]
S2 IntelChip;Intel Chip Group;C:\WINDOWS\system32\hhcmd.exe [2008-08-13 02:24]
S2 MSSQL$MSSQLESMART;SQL Server (MSSQLESMART);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 05:29]
S3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 14:32]
S3 EraserUtilDrv10820;EraserUtilDrv10820;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10820.sys []
S3 mach5;mach5;C:\WINDOWS\system32\mach5.sys [2001-03-15 04:30]
S3 SbsWdmPcmcia;SBS 1553 PCM2 ASF;C:\WINDOWS\system32\DRIVERS\SbsWdmPcmcia.sys [2005-07-19 18:58]
S3 SecureStorageService;SecureStorageService;C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 19:39]
S3 WaveEnrollmentService;WaveEnrollmentService;C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 16:31]
S4 AnNDDSManagerService1;AnNDDSManagerService1;C:\TCG\TCM\srvany.exe [1998-11-22 08:09]
S4 AnNDDSManagerServicePlayback;AnNDDSManagerServicePlayback;C:\TCG\TCM\srvany.exe [1998-11-22 08:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{527bc658-3d28-11dd-8c4b-006073eec710}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 13:57:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\stacsv.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\msdtc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-08-27 14:02:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 18:02:45
ComboFix2.txt 2008-08-27 04:13:30
ComboFix3.txt 2008-08-26 13:43:30
ComboFix4.txt 2008-08-25 12:06:59
ComboFix5.txt 2008-08-27 17:49:54

Pre-Run: 58,858,463,232 bytes free
Post-Run: 58,764,242,944 bytes free

274 --- E O F --- 2008-08-23 23:28:46


Blacklight log (no rootkits found):

08/27/08 14:04:41 [Info]: BlackLight Engine 1.0.70 initialized
08/27/08 14:04:41 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/27/08 14:04:41 [Note]: 7019 4
08/27/08 14:04:41 [Note]: 7005 0
08/27/08 14:04:47 [Note]: 7006 0
08/27/08 14:04:47 [Note]: 7011 1856
08/27/08 14:04:47 [Note]: 7035 0
08/27/08 14:04:47 [Note]: 7026 0
08/27/08 14:04:47 [Note]: 7026 0
08/27/08 14:04:54 [Note]: FSRAW library version 1.7.1024
08/27/08 14:13:39 [Note]: 7007 0


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:16 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\KADxMain.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\TrayIt\TrayIt!.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=k3...ea30KBJcWJwZG2U
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: TrayIt!.lnk = C:\Program Files\TrayIt\TrayIt!.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://tcgdc/ProjectServer/objects/pjclient.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://tcgdc/ProjectServer/objects/1033/pjcintl.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file:///V:/Service%20Packs/Visual_Studio_60/Platform%20SDK(Feb%202003)/controls/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\Software\..\Telephony: DomainName = Tactical-Communications-Group.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Tactical-Communications-Group.com
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: Intel Chip Group (IntelChip) - Unknown owner - C:\WINDOWS\system32\hhcmd.exe
O23 - Service: Numega Control Service (NCS) - Compuware Corporation - NuMega Lab - C:\PROGRA~1\COMPUW~1\PCShared\NCS.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10776 bytes

#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:10:30 AM

Posted 28 August 2008 - 03:37 AM

Hi,

You are doing well. :thumbsup: Let's do a final check to see whether you have any infected files.

Ping.exe is a process which belongs to the Microsoft Windows operating system and provides basic network testing functions for your LAN or the Internet.
I think it's fine to let it go, but the hhcmd.exe error while you were running CF is interesting to me. Chinese malware likes to exploit that file to do something bad. Let's check it out.



Step 1

Please go to Jotti's Scan or Virus Total for scanning one suspicious file.
Copy/paste the file path below into the text box next to the Browse button at the top of the page:

C:\WINDOWS\system32\hhcmd.exe

Click the Submit or Send File button, copy the "Scanner results", and paste the contents into your next reply.

During the scanning, please focus on the MD5 value and file size. Copy and paste them in your next reply.



Step 2

Please do an online scan with Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click the Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application?" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under the Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, click on View Scan Report.
  • You may see a list of infected items there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
Or you can refer to this thread for your reference.


In your next reply, Please post back:

1. Jotti's Scan report.
2. KAS Scan report.
3. New HJT log.

How is your pc running now?
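
Step 1 above asks for the file's MD5 and size as reported by the multi-engine scanner. The block below is an added example, not part of this thread and not from Jotti or VirusTotal: it computes the same MD5 (plus SHA-256, which newer services key on) and the byte size locally, in chunks so large files are not read into memory at once, and compares the result against a reference hash. `REFERENCE_MD5` is the value Jotti later reported for hhcmd.exe in this thread; the file hashed in `demo()` is a constructed 3-byte sample in a temporary directory, not the suspicious file itself.

```python
"""Added example (not from the forum thread or any scanner's own code):
fingerprint a file the way a multi-engine scanner reports it, so the
MD5/size shown on the results page can be checked against the local copy."""
import hashlib
import io
import os
import tempfile

# MD5 that Jotti reported for C:\WINDOWS\system32\hhcmd.exe in this thread
REFERENCE_MD5 = "caaf536882f0625925ce77bccf56024f"


def fingerprint_stream(fh, chunk_size=65536):
    """Return {'size', 'md5', 'sha256'} for an open binary stream, reading in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def fingerprint_bytes(data):
    """Convenience wrapper for in-memory data (used for quick checks and tests)."""
    return fingerprint_stream(io.BytesIO(data))


def file_fingerprint(path):
    """Fingerprint a file on disk, e.g. the path a scanner asked you to submit."""
    with open(path, "rb") as fh:
        return fingerprint_stream(fh)


def matches_reference(path, expected_md5):
    """True when the local file's MD5 equals the hash the scanner reported.
    Hex digests are compared case-insensitively; surrounding whitespace is ignored."""
    return file_fingerprint(path)["md5"].lower() == expected_md5.strip().lower()


def demo():
    """Constructed sample: hash a 3-byte file and check it against the thread's MD5.
    In real use, point file_fingerprint() at the suspicious path instead."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        return file_fingerprint(sample), matches_reference(sample, REFERENCE_MD5)


if __name__ == "__main__":
    fp, same = demo()
    print(fp)
    print("matches the MD5 Jotti reported:", same)
```

A mismatch between the locally computed MD5 and the one on the scanner's result page usually means a different file was uploaded (wrong path, or the file changed between upload and check), so it is worth comparing both the hash and the size before trusting the verdicts.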

#14 Peter E

Peter E
  • Topic Starter

  • Members
  • 12 posts
  • Local time:11:30 AM

Posted 28 August 2008 - 08:26 AM

Good morning. I'm glad that the logs are looking better. I suspected something was up with that file... I ran the Jotti scan on hhcmd.exe and here are the results.

Service load:
0% 100%
File: hhcmd.exe
Status:
INFECTED/MALWARE
MD5: caaf536882f0625925ce77bccf56024f
Packers detected:
-
Scanner results
Scan taken on 28 Aug 2008 13:14:36 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/WinterLove.Y.1
ArcaVir
Found Trojan.Winterlove.Cs
Avast
Found Win32:Haxdoor-DG
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found Virus.Win32.Haxdoor.DG
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Embedded.Backdoor.Win32.WinterLove.dk (probable variant)

Also, as soon as I loaded up the Kaspersky webpage, the AVG realtime scanner showed two alerts. I have included the CSV below.

"Trojan horse BackDoor.Generic9.AXIG";"C:\WINDOWS\system32\HtmlPeek.dll";"Moved to Virus Vault";"8/28/2008, 9:18:19 AM";"file";"C:\WINDOWS\system32\hhcmd.exe"
"Trojan horse BackDoor.Generic10.BQB";"C:\WINDOWS\System32\dnssvr.dll";"Moved to Virus Vault";"8/28/2008, 9:18:21 AM";"file";"C:\WINDOWS\system32\rundll32.exe"

Then an error popped up:
Title: RUNDLL
Icon: stop
Text: Error loading c:\windows\system32\dnssvr.dll Access is denied.

I am running the Kaspersky scan now and will include that log shortly. I just thought this was an important event, so I should reply right away.
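
The post above pastes two kinds of scanner output: the per-engine Jotti verdicts and AVG's resident-shield alerts as CSV. The block below is an added example, not from the thread, from Jotti or from AVG: it parses both into structured records so the detections can be tallied and every file path the alerts name can be listed. The AVG sample is the two lines quoted from the post; the Jotti sample is an excerpt of the engine list above. The column names given to the AVG fields (`detection`, `object`, `action`, `time`, `object_type`, `process`) are assumptions read off those two lines, not AVG's documented export format.

```python
"""Added example (not from the thread, Jotti or AVG): parse the pasted scanner
output into records, count how many engines flagged the file, and list the
paths AVG's alerts involve."""
import csv
import io

# Copied verbatim from the post above (two AVG resident-shield alerts).
AVG_CSV = r'''"Trojan horse BackDoor.Generic9.AXIG";"C:\WINDOWS\system32\HtmlPeek.dll";"Moved to Virus Vault";"8/28/2008, 9:18:19 AM";"file";"C:\WINDOWS\system32\hhcmd.exe"
"Trojan horse BackDoor.Generic10.BQB";"C:\WINDOWS\System32\dnssvr.dll";"Moved to Virus Vault";"8/28/2008, 9:18:21 AM";"file";"C:\WINDOWS\system32\rundll32.exe"
'''

# Assumed column names for AVG's semicolon-separated export (inferred from the two lines).
AVG_FIELDS = ["detection", "object", "action", "time", "object_type", "process"]

# Excerpt of the Jotti result list pasted above (engine name, then a "Found ..." line).
JOTTI_EXCERPT = """Scanner results
Scan taken on 28 Aug 2008 13:14:36 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/WinterLove.Y.1
ArcaVir
Found Trojan.Winterlove.Cs
Avast
Found Win32:Haxdoor-DG
AVG Antivirus
Found nothing
Ikarus
Found Virus.Win32.Haxdoor.DG
Kaspersky Anti-Virus
Found nothing
VBA32
Found Embedded.Backdoor.Win32.WinterLove.dk (probable variant)
"""


def parse_jotti_results(text):
    """Map each engine name to its detection string, or None for 'Found nothing'."""
    results = {}
    engine = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Scanner results" or line.startswith("Scan taken on"):
            continue  # header lines carry no verdict
        if line.startswith("Found "):
            if engine is None:
                continue  # a verdict with no preceding engine name; nothing to attach it to
            verdict = line[len("Found "):]
            results[engine] = None if verdict.lower() == "nothing" else verdict
            engine = None
        else:
            engine = line  # next line should be that engine's verdict
    return results


def detection_summary(results):
    """Return (engines that flagged, engines total, {engine: name}) for a parsed result set."""
    flagged = {engine: name for engine, name in results.items() if name}
    return len(flagged), len(results), flagged


def parse_avg_csv(text):
    """Parse AVG's ';'-separated, double-quoted alert lines into dicts keyed by AVG_FIELDS."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    return [dict(zip(AVG_FIELDS, row)) for row in reader if row]


def files_involved(records):
    """Every path AVG named, as quarantined object or as the process touching it.
    Paths are lower-cased so 'system32' and 'System32' collapse to one entry."""
    paths = set()
    for rec in records:
        paths.add(rec["object"].lower())
        paths.add(rec["process"].lower())
    return sorted(paths)


if __name__ == "__main__":
    flagged, total, names = detection_summary(parse_jotti_results(JOTTI_EXCERPT))
    print(f"{flagged} of {total} engines flagged the file: {names}")
    for path in files_involved(parse_avg_csv(AVG_CSV)):
        print("involved:", path)
```

Two things the structured view makes visible that the raw paste does not: the engines that flag hhcmd.exe disagree on the family name (WinterLove versus Haxdoor), which is normal for generic detections, and the AVG alerts tie the quarantined DLLs to the processes that were loading them, so the same file under discussion (hhcmd.exe) shows up again as the loader of HtmlPeek.dll.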

#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:10:30 AM

Posted 28 August 2008 - 11:03 AM

Thanks for the info. Please post the KAS report and I will get you the next proposed fix. Thanks.



