
Hijackthis Log


  • This topic is locked
21 replies to this topic

#1 nmcbank

nmcbank

  • Members
  • 18 posts

Posted 08 September 2008 - 04:53 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:57 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MsgPopupEN\MsgPopup.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
O:\oms_gmw\oms_gmw\oms_gmw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MsgPopup.lnk = C:\Program Files\MsgPopupEN\MsgPopup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: (no name) - http://media1.santabanta.com/full1/Spiritu...numan/lor9v.jpg
O24 - Desktop Component 2: My Price Electronics - http://www.mypriceelectronics.com/

--
End of file - 8309 bytes


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 September 2008 - 03:53 PM

Hello nmcbank,

What program is finding Virtumonde?


You have a file we need to check.

You will need to see hidden files, so follow these directions:
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

O:\oms_gmw\oms_gmw\oms_gmw.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

**************



Please disable Norton Antivirus before running Kaspersky Online Scanner.

To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for a [image] sign.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: [image]
You successfully disabled the Norton Antivirus Guard.

Please do a scan with Kaspersky Online Scanner


Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

**************

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized). info.txt can also be found at c:\RSIT\info.txt

Edited by SifuMike, 19 September 2008 - 12:07 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 nmcbank

nmcbank
  • Topic Starter

  • Members
  • 18 posts

Posted 19 September 2008 - 12:44 AM

SifuMike,
the file you have a question about is my accounting system and I don't think it has any problem.
I am mapping to other computer as O and connecting to my accounting system.
O:\oms_gmw\oms_gmw\oms_gmw.exe

My system does start up normally but it runs very sluggish.
I just saw your message so, I will in the morning follow up with your instructions and post the logs accordingly.

Thank you for the reply.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 September 2008 - 12:06 PM

nmcbank,

Sounds good. :thumbsup:

#5 nmcbank

nmcbank
  • Topic Starter

  • Members
  • 18 posts

Posted 22 September 2008 - 04:57 PM

Sorry for the delay, but my computer kept hanging up after scanning. So finally I got the scan result saved as an image, which is attached herewith.
Also the logs are as below.
Logfile of random's system information tool 1.02 (written by random/random)
Run by Shah at 2008-09-22 14:49:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 24 GB (63%) free of 38 GB
Total RAM: 703 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:52 PM, on 9/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\explorer.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MsgPopupEN\MsgPopup.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shah\Desktop\Shah\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Shah.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MsgPopup.lnk = C:\Program Files\MsgPopupEN\MsgPopup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: (no name) - http://media1.santabanta.com/full1/Spiritu...numan/lor9v.jpg
O24 - Desktop Component 2: My Price Electronics - http://www.mypriceelectronics.com/

--
End of file - 8084 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Shah.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2007-12-06 2554944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll [2008-08-28 651760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2007-12-06 2554944]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-09-16 69632]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2007-01-09 115816]
"osCheck"=C:\Program Files\Norton AntiVirus\osCheck.exe [2006-09-05 26248]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-12-06 68856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
MsgPopup.lnk - C:\Program Files\MsgPopupEN\MsgPopup.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MsgPopupEN\MsgPopup.exe"="C:\Program Files\MsgPopupEN\MsgPopup.exe:*:Enabled:MsgPopup"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Intuit\QuickBooks Pro\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks Pro\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c75e84f-ea3f-11d9-8bb9-806d6172696f}]
shell\AutoRun\command - D:\Autorun.exe


======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2008-09-22 14:49:45 ----D---- C:\rsit
2008-09-10 16:43:04 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-09-10 16:42:48 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2008-09-08 13:03:41 ----D---- C:\Program Files\Trend Micro
2008-09-04 14:07:37 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-09-04 13:55:47 ----D---- C:\Program Files\MSBuild
2008-09-04 13:25:44 ----D---- C:\autoruns
2008-09-04 12:29:17 ----A---- C:\WINDOWS\system32\wmpns.dll
2008-09-04 12:27:41 ----D---- C:\WINDOWS\Prefetch
2008-09-04 12:24:07 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-09-04 12:23:59 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-09-04 12:23:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-09-04 12:23:44 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-09-04 12:23:38 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-09-04 12:23:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-09-04 12:23:22 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-09-04 12:23:15 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-09-04 12:23:08 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-09-04 12:22:59 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-09-04 12:20:28 ----A---- C:\WINDOWS\setuplog.txt
2008-09-04 12:19:19 ----D---- C:\WINDOWS\system32\scripting
2008-09-04 12:19:19 ----D---- C:\WINDOWS\l2schemas
2008-09-04 12:19:18 ----D---- C:\WINDOWS\system32\en
2008-09-04 12:19:17 ----D---- C:\WINDOWS\system32\bits
2008-09-04 12:16:18 ----D---- C:\WINDOWS\ServicePackFiles
2008-09-04 12:10:33 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-09-04 12:10:27 ----D---- C:\WINDOWS\EHome
2008-09-04 12:02:46 ----N---- C:\WINDOWS\system32\wmphoto.dll
2008-09-04 12:02:44 ----N---- C:\WINDOWS\system32\wlanapi.dll
2008-09-04 12:02:41 ----N---- C:\WINDOWS\system32\windowscodecsext.dll
2008-09-04 12:02:41 ----N---- C:\WINDOWS\system32\windowscodecs.dll
2008-09-04 12:02:31 ----N---- C:\WINDOWS\system32\tspkg.dll
2008-09-04 12:02:31 ----N---- C:\WINDOWS\system32\tsgqec.dll
2008-09-04 12:02:24 ----N---- C:\WINDOWS\system32\spupdwxp.exe
2008-09-04 12:02:22 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2008-09-04 12:02:21 ----N---- C:\WINDOWS\system32\slserv.exe
2008-09-04 12:02:21 ----N---- C:\WINDOWS\system32\slrundll.exe
2008-09-04 12:02:21 ----N---- C:\WINDOWS\slrundll.exe
2008-09-04 12:02:20 ----N---- C:\WINDOWS\system32\slgen.dll
2008-09-04 12:02:20 ----N---- C:\WINDOWS\system32\slextspk.dll
2008-09-04 12:02:20 ----N---- C:\WINDOWS\system32\slcoinst.dll
2008-09-04 12:02:17 ----N---- C:\WINDOWS\system32\setupn.exe
2008-09-04 12:02:14 ----N---- C:\WINDOWS\system32\s3gnb.dll
2008-09-04 12:02:12 ----N---- C:\WINDOWS\system32\rhttpaa.dll
2008-09-04 12:02:10 ----N---- C:\WINDOWS\system32\rasqec.dll
2008-09-04 12:02:10 ----N---- C:\WINDOWS\system32\qutil.dll
2008-09-04 12:02:07 ----N---- C:\WINDOWS\system32\qcliprov.dll
2008-09-04 12:02:07 ----N---- C:\WINDOWS\system32\qagentrt.dll
2008-09-04 12:02:07 ----N---- C:\WINDOWS\system32\qagent.dll
2008-09-04 12:02:06 ----N---- C:\WINDOWS\system32\photometadatahandler.dll
2008-09-04 12:02:03 ----N---- C:\WINDOWS\system32\onex.dll
2008-09-04 12:01:59 ----N---- C:\WINDOWS\system32\nv4_disp.dll
2008-09-04 12:01:52 ----N---- C:\WINDOWS\system32\napstat.exe
2008-09-04 12:01:52 ----N---- C:\WINDOWS\system32\napmontr.dll
2008-09-04 12:01:52 ----N---- C:\WINDOWS\system32\napipsec.dll
2008-09-04 12:01:51 ----N---- C:\WINDOWS\system32\mtxparhd.dll
2008-09-04 12:01:51 ----A---- C:\WINDOWS\system32\msxml6r.dll
2008-09-04 12:01:48 ----N---- C:\WINDOWS\system32\msshavmsg.dll
2008-09-04 12:01:48 ----N---- C:\WINDOWS\system32\mssha.dll
2008-09-04 12:01:32 ----N---- C:\WINDOWS\system32\mmcperf.exe
2008-09-04 12:01:31 ----N---- C:\WINDOWS\system32\mmcfxcommon.dll
2008-09-04 12:01:31 ----N---- C:\WINDOWS\system32\mmcex.dll
2008-09-04 12:01:31 ----N---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-09-04 12:01:28 ----N---- C:\WINDOWS\system32\mdmxsdk.dll
2008-09-04 12:01:16 ----N---- C:\WINDOWS\system32\l2gpstore.dll
2008-09-04 12:01:16 ----N---- C:\WINDOWS\system32\kmsvc.dll
2008-09-04 12:01:15 ----N---- C:\WINDOWS\system32\kbdpash.dll
2008-09-04 12:01:15 ----N---- C:\WINDOWS\system32\kbdnepr.dll
2008-09-04 12:01:15 ----N---- C:\WINDOWS\system32\kbdiultn.dll
2008-09-04 12:01:15 ----N---- C:\WINDOWS\system32\kbdbhc.dll
2008-09-04 12:01:03 ----N---- C:\WINDOWS\system32\hsfcisp2.dll
2008-09-04 12:00:57 ----N---- C:\WINDOWS\system32\faxpatch.exe
2008-09-04 12:00:57 ----A---- C:\WINDOWS\002803_.tmp
2008-09-04 12:00:55 ----N---- C:\WINDOWS\system32\eapsvc.dll
2008-09-04 12:00:55 ----N---- C:\WINDOWS\system32\eapqec.dll
2008-09-04 12:00:55 ----N---- C:\WINDOWS\system32\eappprxy.dll
2008-09-04 12:00:55 ----N---- C:\WINDOWS\system32\eapphost.dll
2008-09-04 12:00:55 ----N---- C:\WINDOWS\system32\eappgnui.dll
2008-09-04 12:00:55 ----N---- C:\WINDOWS\system32\eappcfg.dll
2008-09-04 12:00:55 ----N---- C:\WINDOWS\system32\eapp3hst.dll
2008-09-04 12:00:55 ----N---- C:\WINDOWS\system32\eapolqec.dll
2008-09-04 12:00:50 ----N---- C:\WINDOWS\system32\dot3ui.dll
2008-09-04 12:00:50 ----N---- C:\WINDOWS\system32\dot3svc.dll
2008-09-04 12:00:50 ----N---- C:\WINDOWS\system32\dot3msm.dll
2008-09-04 12:00:50 ----N---- C:\WINDOWS\system32\dot3gpclnt.dll
2008-09-04 12:00:50 ----N---- C:\WINDOWS\system32\dot3dlg.dll
2008-09-04 12:00:50 ----N---- C:\WINDOWS\system32\dot3cfg.dll
2008-09-04 12:00:50 ----N---- C:\WINDOWS\system32\dot3api.dll
2008-09-04 12:00:49 ----N---- C:\WINDOWS\system32\dimsroam.dll
2008-09-04 12:00:49 ----N---- C:\WINDOWS\system32\dimsntfy.dll
2008-09-04 12:00:48 ----N---- C:\WINDOWS\system32\dhcpqec.dll
2008-09-04 12:00:45 ----N---- C:\WINDOWS\system32\credssp.dll
2008-09-04 12:00:39 ----N---- C:\WINDOWS\system32\bitsprx4.dll
2008-09-04 12:00:39 ----N---- C:\WINDOWS\system32\azroles.dll
2008-09-04 12:00:38 ----N---- C:\WINDOWS\system32\ativvaxx.dll
2008-09-04 12:00:38 ----N---- C:\WINDOWS\system32\ativtmxx.dll
2008-09-04 12:00:37 ----N---- C:\WINDOWS\system32\ati3duag.dll
2008-09-04 12:00:37 ----N---- C:\WINDOWS\system32\ati3d1ag.dll
2008-09-04 12:00:37 ----N---- C:\WINDOWS\system32\ati2dvag.dll
2008-09-04 12:00:37 ----N---- C:\WINDOWS\system32\ati2dvaa.dll
2008-09-04 12:00:36 ----N---- C:\WINDOWS\system32\ati2cqag.dll
2008-09-04 12:00:29 ----N---- C:\WINDOWS\system32\aaclient.dll
2008-09-04 11:28:46 ----D---- C:\WINDOWS\Minidump
2008-09-03 14:06:19 ----D---- C:\Documents and Settings\Shah\Application Data\Malwarebytes
2008-09-03 14:06:14 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 14:06:14 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-01 18:47:37 ----SH---- C:\WINDOWS\system32\cxogqqcl.ini
2008-09-01 18:43:18 ----A---- C:\WINDOWS\system32\kspusuoh.dll
2008-08-28 18:23:43 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-28 18:23:20 ----D---- C:\Program Files\Spyware Doctor
2008-08-28 18:23:20 ----D---- C:\Documents and Settings\Shah\Application Data\PC Tools
2008-08-28 17:39:37 ----SH---- C:\WINDOWS\system32\hkemorps.ini
2008-08-28 17:26:51 ----D---- C:\VundoFix Backups
2008-08-28 17:26:51 ----A---- C:\VundoFix.txt
2008-08-28 15:38:51 ----D---- C:\WINDOWS\pss
2008-08-28 15:36:59 ----A---- C:\WINDOWS\ntbtlog.txt
2008-08-28 15:09:43 ----SH---- C:\WINDOWS\system32\blxsxvai.ini
2008-08-28 11:38:23 ----D---- C:\Program Files\Lavasoft
2008-08-28 11:38:22 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 11:37:39 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-27 15:10:21 ----SH---- C:\WINDOWS\system32\dxbfllhi.ini
2008-08-26 15:08:18 ----SH---- C:\WINDOWS\system32\bwtldiud.ini
2008-08-26 15:05:41 ----A---- C:\WINDOWS\system32\ikajkcvl.dll
2008-08-25 15:06:45 ----SH---- C:\WINDOWS\system32\bkxcqbkb.ini
2008-08-25 15:06:33 ----A---- C:\WINDOWS\system32\kejuwgwd.dll
2008-08-24 15:12:32 ----D---- C:\WINDOWS\Sun
2008-08-24 15:12:32 ----D---- C:\Documents and Settings\Shah\Application Data\Sun
2008-08-24 15:12:03 ----A---- C:\WINDOWS\system32\javaws.exe
2008-08-24 15:12:02 ----A---- C:\WINDOWS\system32\javaw.exe
2008-08-24 15:12:02 ----A---- C:\WINDOWS\system32\java.exe
2008-08-24 15:11:06 ----D---- C:\Program Files\Java
2008-08-24 15:09:57 ----D---- C:\Program Files\Common Files\Java
2008-08-24 15:09:34 ----SH---- C:\WINDOWS\system32\psxsbdpo.ini
2008-08-24 15:03:59 ----A---- C:\WINDOWS\system32\slytochi.dll
2008-08-23 15:15:33 ----SH---- C:\WINDOWS\system32\lpvebnig.ini
2008-08-23 15:03:32 ----A---- C:\WINDOWS\system32\qvfaidqc.dll

======List of files/folders modified in the last 1 months======

2008-09-22 12:21:04 ----D---- C:\WINDOWS\Temp
2008-09-22 08:25:26 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-22 08:20:51 ----D---- C:\WINDOWS\system32\CatRoot2
2008-09-22 08:12:29 ----D---- C:\WINDOWS
2008-09-22 08:12:11 ----D---- C:\WINDOWS\system32\drivers
2008-09-19 17:16:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-09-19 08:04:56 ----D---- C:\WINDOWS\system32
2008-09-19 08:04:43 ----HD---- C:\WINDOWS\inf
2008-09-19 08:02:43 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-09-18 08:16:15 ----D---- C:\WINDOWS\Help
2008-09-15 11:24:47 ----AC---- C:\WINDOWS\rrw.ini
2008-09-10 16:56:52 ----SHD---- C:\WINDOWS\Installer
2008-09-10 16:53:56 ----D---- C:\WINDOWS\Microsoft.NET
2008-09-10 16:52:17 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-10 16:51:20 ----RSD---- C:\WINDOWS\assembly
2008-09-10 16:43:05 ----D---- C:\WINDOWS\WinSxS
2008-09-10 16:42:53 ----A---- C:\WINDOWS\imsins.BAK
2008-09-08 13:03:41 ----D---- C:\Program Files
2008-09-04 13:59:35 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-09-04 13:59:30 ----D---- C:\WINDOWS\system32\1033
2008-09-04 13:57:28 ----D---- C:\Program Files\Common Files\Merge Modules
2008-09-04 13:56:17 ----D---- C:\Program Files\Microsoft Visual Studio 8
2008-09-04 13:31:41 ----HD---- C:\WINDOWS\$hf_mig$
2008-09-04 12:30:58 ----AC---- C:\WINDOWS\OEWABLog.txt
2008-09-04 12:30:31 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-09-04 12:26:29 ----D---- C:\WINDOWS\system32\Setup
2008-09-04 12:26:29 ----D---- C:\WINDOWS\ime
2008-09-04 12:26:29 ----D---- C:\WINDOWS\AppPatch
2008-09-04 12:26:28 ----RSD---- C:\WINDOWS\Fonts
2008-09-04 12:26:28 ----D---- C:\WINDOWS\system32\wbem
2008-09-04 12:25:28 ----D---- C:\WINDOWS\system32\CatRoot
2008-09-04 12:23:01 ----D---- C:\Program Files\Messenger
2008-09-04 12:22:46 ----D---- C:\WINDOWS\security
2008-09-04 12:19:39 ----D---- C:\WINDOWS\network diagnostic
2008-09-04 12:19:21 ----D---- C:\WINDOWS\system32\en-US
2008-09-04 12:19:20 ----D---- C:\WINDOWS\system32\usmt
2008-09-04 12:19:17 ----D---- C:\WINDOWS\PeerNet
2008-09-04 12:19:17 ----D---- C:\Program Files\Movie Maker
2008-09-04 12:16:14 ----D---- C:\WINDOWS\system32\Restore
2008-09-04 12:16:14 ----D---- C:\WINDOWS\system32\npp
2008-09-04 12:16:13 ----D---- C:\WINDOWS\msagent
2008-09-04 12:16:12 ----D---- C:\WINDOWS\srchasst
2008-09-04 12:16:11 ----D---- C:\Program Files\NetMeeting
2008-09-04 12:16:10 ----D---- C:\WINDOWS\system32\Com
2008-09-04 12:16:08 ----D---- C:\Program Files\Windows Media Player
2008-09-04 12:16:07 ----D---- C:\Program Files\Windows NT
2008-09-04 12:16:07 ----D---- C:\Program Files\Outlook Express
2008-09-04 12:16:04 ----D---- C:\Program Files\Common Files\System
2008-09-04 12:15:51 ----D---- C:\WINDOWS\system32\oobe
2008-09-04 12:15:50 ----D---- C:\WINDOWS\system
2008-09-04 12:14:14 ----RD---- C:\WINDOWS\Web
2008-09-04 12:13:35 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-09-04 11:41:20 ----D---- C:\WINDOWS\Debug
2008-09-04 11:27:43 ----RASH---- C:\boot.ini
2008-09-04 11:27:43 ----A---- C:\WINDOWS\win.ini
2008-09-04 11:27:43 ----A---- C:\WINDOWS\system.ini
2008-09-04 06:00:24 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-09-03 13:10:57 ----D---- C:\Program Files\Internet Explorer
2008-09-02 11:21:59 ----ASH---- C:\WINDOWS\system32\IhiSstwa.ini
2008-09-02 11:19:40 ----ASH---- C:\WINDOWS\system32\IhiSstwa.ini2
2008-09-02 11:15:43 ----A---- C:\WINDOWS\system32\5b3bb3c0-.txt
2008-08-29 11:45:52 ----SHD---- C:\System Volume Information
2008-08-28 20:20:42 ----D---- C:\Documents and Settings\Shah\Application Data\InterTrust
2008-08-28 11:37:39 ----D---- C:\Program Files\Common Files
2008-08-27 19:11:56 ----HD---- C:\Program Files\InstallShield Installation Information
2008-08-27 19:00:56 ----D---- C:\Program Files\PDF Editor 2
2008-08-27 13:37:38 ----D---- C:\Program Files\MsgPopupEN
2008-08-26 13:28:12 ----A---- C:\WINDOWS\system32\MRT.exe
2008-08-24 15:12:18 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-08-23 15:11:42 ----SH---- C:\WINDOWS\system32\piwawhqt.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2007-12-01 279088]
R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2007-12-01 43696]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2008-03-07 191536]
R2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2005-03-13 41984]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-09-21 2278784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
R3 IKFileSec;File Security Driver; C:\WINDOWS\system32\drivers\ikfilesec.sys [2008-02-01 42376]
R3 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2007-12-10 66952]
R3 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2007-12-10 81288]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080921.003\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080921.003\NAVEX15.SYS []
R3 Ptserial;W2K Conexant Serial Device Driver; C:\WINDOWS\system32\DRIVERS\ptserial.sys [2003-12-17 356351]
R3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2008-03-07 12848]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2008-03-07 145968]
R3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2008-03-07 39984]
R3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20080917.006\SymIDSCo.sys []
R3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2008-03-07 35120]
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2008-03-07 27696]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Vmodem;W2K Vmodem; C:\WINDOWS\system32\DRIVERS\vmodem.sys [2003-12-17 703737]
R3 Vpctcom;W2K Vpctcom; C:\WINDOWS\system32\DRIVERS\vpctcom.sys [2003-12-17 801906]
R3 Vvoice;W2K Vvoice; C:\WINDOWS\system32\DRIVERS\vvoice.sys [2003-12-17 70384]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5b.sys [2002-10-28 40960]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2007-12-01 317616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 viagfx;viagfx; C:\WINDOWS\system32\DRIVERS\vtmini.sys [2003-12-18 133632]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-08-28 611664]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-09-02 198336]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2007-01-09 108648]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2007-01-09 108648]
R2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2007-01-09 108648]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-28 137200]
R2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2007-01-09 108648]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
R2 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2008-02-27 20480]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
R2 SymAppCore;Symantec AppCore Service; C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe [2006-09-01 46736]
R3 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2008-02-20 1251720]
S2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 ISPwdSvc;Symantec IS Password Validation; C:\Program Files\Norton AntiVirus\isPwdSvc.exe [2006-09-05 79496]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 MSSQL$MICROSOFTSMLBIZ;MSSQL$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe [2008-05-25 9154560]
S3 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2007-05-24 61440]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-02-01 948616]
S3 SQLAgent$MICROSOFTSMLBIZ;SQLAgent$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE [2005-05-03 323584]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.02 2008-09-22 14:49:57

======Uninstall list======

IC Card Reader Driver v1.8e4-->C:\WINDOWS\iun6002.exe "C:\Program Files\\IC Card Reader Driver v1.8e4\irunin.ini"
-->"C:\Program Files\InstallShield Installation Information\{11B95B0C-D13F-4E5D-B375-D98C9B6CE7B9}\setup.exe" -uninst -s
-->"C:\Program Files\InstallShield Installation Information\{52C1E6E3-85EB-448E-9004-F5EB14DEF22B}\setup.exe" -uninst -s
-->"C:\Program Files\InstallShield Installation Information\{6C6965D1-799C-4136-AE06-ACF80A311D35}\setup.exe" -uninst -s -uninst
-->"C:\Program Files\InstallShield Installation Information\{871D9278-C4DE-4B83-9B31-FDE1BE4B7096}\setup.exe" -uninst -s -uninst
-->"C:\Program Files\InstallShield Installation Information\{8A549839-FC1C-4A24-A209-EC27AACE75E5}\setup.exe" -uninst -s -uninst
-->"C:\Program Files\InstallShield Installation Information\{9614DAD1-A91F-4225-9907-59D68336BC04}\setup.exe" -uninst -s -uninst
-->"C:\Program Files\InstallShield Installation Information\{C02D7C81-8AEA-4155-B665-5271BA7877BA}\setup.exe" -uninst -s
-->MsiExec.exe /I{8ED4E82B-8CEA-40DE-826C-37AC7B941F81}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F6DFDC8-7EAA-4B9B-AC3A-AE04F77D81CF}\Setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13FC0634-B6EE-4518-9589-AB50B5C079AD}\Setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B785F89C-FD1A-466F-9AF3-32A060A1099A}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3DD1358-7E23-44CB-BC72-791C390269F0}\Setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Able2Extract v5.0-->C:\Program Files\Investintech.com Inc\Able2Extract 5.0\Uninstal.exe
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AppCore-->MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
AV-->MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
ccCommon-->MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)-->C:\WINDOWS\SQL9_KB948109_ENU\Hotfix.exe /Uninstall
GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109)-->C:\WINDOWS\SQLTools9_KB948109_ENU\Hotfix.exe /Uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix 2050 for SQL Server 2000 ENU (KB948110)-->"C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$\spuninst\spuninst.exe"
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HSP56 Modem Drivers-->ptuninst.exe
Internet Worm Protection-->MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LiveUpdate 3.1 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Macromedia Flash Player 8-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Merge Tables Wizard for Excel 1.4-->"C:\Program Files\Add-in Express\AddIns\Merge Tables Wizard for Excel\unins000.exe"
MessagePopup-->"C:\Program Files\MsgPopupEN\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Device Emulator version 1.0 - ENU-->MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005-->C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005-->MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office FrontPage 2003-->MsiExec.exe /I{91170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Management Edition 2006 CD 2-->MsiExec.exe /I{BA68600E-96D9-4E92-80F2-26B9681B5A63}
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools-->MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft SQL Server Native Client-->MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual J# 2.0 Redistributable Package-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {D93F9C7C-AB57-44C8-BAD6-1494674BCAF7} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Microsoft Visual Studio 2005 Professional Edition - ENU-->C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Microsoft WSE 2.0 SP3-->MsiExec.exe /I{6F396FFB-CC3A-4335-BC0B-2AEF38F4492C}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero Media Player-->C:\WINDOWS\UNNMP.exe /UNINSTALL
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 2-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Norton AntiVirus (Symantec Corporation)-->"C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_0_0_89\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X
Norton AntiVirus Help-->MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI-->MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI-->MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton AntiVirus-->MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Protection Center-->MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PrimoPDF Redistribution Package-->MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
PrimoPDF-->"C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml"
QuickBooks Pro 2008-->msiexec.exe /I {8ED4E82B-8CEA-40DE-826C-37AC7B941F81} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2008" ADDREMOVE=1
R&R Report Writer, Xbase Edition Version 9.0-->C:\WINDOWS\system32\rrpostin.exe type:NORM C:\WINDOWS\uninst.exe -f"C:\Program Files\R&R Report Writer\DeIsL1.isu"
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Samsung ML-2010 Series-->C:\WINDOWS\Samsung\ML-2010\SETUP.EXE
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {94E2AAC1-CAE5-4F73-B0D1-C471BA1F8E2A} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB947738)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {66DA9ADD-B1C4-4891-84D6-706E216B411B} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Shipping Assistant 3.2-->MsiExec.exe /X{15C77FC3-8137-4A5E-8F81-F559045DD6B0}
SPBBC 32bit-->MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spyware Doctor 5.5-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
Symantec-->MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
UPS WorldShip® (US Origin)-->C:\UPS\UOWS\Uninstall.exe
VIA Rhine-Family Fast Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: Norton AntiVirus (disabled)
FW: Norton AntiVirus

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Common Files\Intuit\QBPOSSDKRuntime
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 12 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0c00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"VS80COMNTOOLS"=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\

-----------------EOF-----------------

#6 SifuMike (malware expert, Staff Emeritus)

Posted 22 September 2008 - 05:06 PM

You forgot to post the Kaspersky Online Scanner report.

What program is finding Virtumonde?

Is this a work or business computer?

Edited by SifuMike, 22 September 2008 - 05:13 PM.


#7 nmcbank (Topic Starter)

Posted 22 September 2008 - 06:48 PM

I am sorry, I forgot to attach the jpeg image of the Kaspersky Online Scanner. Here it is.

Attached Files



#8 nmcbank (Topic Starter)

Posted 22 September 2008 - 08:54 PM

Finally I got the Kaspersky report saved, and it is as below.
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 22, 2008 23:37:23
Records in database: 1249719


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
G:\
H:\
K:\

Scan statistics
Files scanned 98209
Threat name 5
Infected objects 11
Suspicious objects 0
Duration of the scan 01:54:23

File name / Threat name / Threats count
C:\Documents and Settings\Shah\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-7addba6d Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\WINDOWS\system32\ikajkcvl.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\inuatnws.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.czw 1
C:\WINDOWS\system32\kejuwgwd.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\kspusuoh.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\lwojlbey.dll Infected: Trojan.Win32.Monder.gnv 1
C:\WINDOWS\system32\nncxhgby.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\ocqehnrp.dll Infected: Trojan.Win32.Monder.mwz 1
C:\WINDOWS\system32\qvfaidqc.dll Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\rixdsg.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.czw 1
C:\WINDOWS\system32\slytochi.dll Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 September 2008 - 10:57 PM

Hello nmcbank,

Download Deckard's Association File Tool daft.exe and save it to your desktop.
Double click on it and click Run.
Click on the Scan button.
If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a checkmark (tick) in the boxes in question.
Click the Fix button.



We will run ComboFix©.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Norton Antivirus and Spyware Doctor before running ComboFix, as they will prevent it from running.

To disable Norton Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You successfully disabled the Norton Antivirus Guard.


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.




Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

#10 nmcbank

nmcbank
  • Topic Starter

  • Members
  • 18 posts

Posted 23 September 2008 - 01:31 PM

Hello,
Here is the combofix log.
Please advise what is next to be done.
Thank you,
ComboFix 08-09-22.04 - Shah 2008-09-23 11:18:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.404 [GMT -7:00]
Running from: C:\Documents and Settings\Shah\Desktop\Shah\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bkxcqbkb.ini
C:\WINDOWS\system32\blxsxvai.ini
C:\WINDOWS\system32\buyihxji.ini
C:\WINDOWS\system32\bwtldiud.ini
C:\WINDOWS\system32\cxogqqcl.ini
C:\WINDOWS\system32\dxbfllhi.ini
C:\WINDOWS\system32\hkemorps.ini
C:\WINDOWS\system32\IhiSstwa.ini
C:\WINDOWS\system32\ikajkcvl.dll
C:\WINDOWS\system32\iwbuqfex.ini
C:\WINDOWS\system32\kejuwgwd.dll
C:\WINDOWS\system32\kspusuoh.dll
C:\WINDOWS\system32\lpvebnig.ini
C:\WINDOWS\system32\piwawhqt.ini
C:\WINDOWS\system32\psxsbdpo.ini
C:\WINDOWS\system32\qvfaidqc.dll
C:\WINDOWS\system32\slytochi.dll
C:\WINDOWS\system32\supfnkux.ini
C:\WINDOWS\temp\perflib_perfdata_1cc.dat

.
((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-22 14:49 . 2008-09-22 14:49 <DIR> d-------- C:\rsit
2008-09-08 13:03 . 2008-09-08 13:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-04 13:55 . 2008-09-04 13:55 <DIR> d-------- C:\Program Files\MSBuild
2008-09-04 13:25 . 2008-09-04 13:26 <DIR> d-------- C:\autoruns
2008-09-04 12:29 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-04 12:16 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-04 12:10 . 2008-09-04 12:10 <DIR> d-------- C:\WINDOWS\EHome
2008-09-04 12:01 . 2008-04-13 17:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-09-04 12:00 . 2008-04-13 17:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-09-03 14:06 . 2008-09-03 14:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 14:06 . 2008-09-03 14:06 <DIR> d-------- C:\Documents and Settings\Shah\Application Data\Malwarebytes
2008-09-03 14:06 . 2008-09-03 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 14:06 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 14:06 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 19:09 . 2008-08-24 15:15 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-28 18:23 . 2008-09-22 08:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-28 18:23 . 2008-08-28 18:23 <DIR> d-------- C:\Documents and Settings\Shah\Application Data\PC Tools
2008-08-28 18:23 . 2008-09-23 11:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-28 18:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-28 18:23 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-28 18:23 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-28 18:23 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-28 17:26 . 2008-08-28 20:27 <DIR> d-------- C:\VundoFix Backups
2008-08-28 11:38 . 2008-08-28 11:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-28 11:38 . 2008-08-28 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 11:37 . 2008-08-28 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-24 15:15 . 2008-09-03 12:21 <DIR> d-------- C:\Documents and Settings\Shah\.housecall6.6
2008-08-24 15:12 . 2008-08-24 15:12 <DIR> d-------- C:\WINDOWS\Sun
2008-08-24 15:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-24 15:11 . 2008-08-24 15:11 <DIR> d-------- C:\Program Files\Java
2008-08-24 15:09 . 2008-08-24 15:09 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 17:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-23 16:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-10 23:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-04 20:57 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-09-04 20:56 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-09-02 18:19 799,430 --sha-w C:\WINDOWS\system32\IhiSstwa.ini2
2008-08-29 03:20 --------- d-----w C:\Documents and Settings\Shah\Application Data\InterTrust
2008-08-28 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-28 02:00 --------- d-----w C:\Program Files\PDF Editor 2
2008-08-27 20:37 --------- d-----w C:\Program Files\MsgPopupEN
2008-08-22 22:04 96,256 ----a-w C:\WINDOWS\system32\lwojlbey.dll
2008-08-21 22:07 114,176 ----a-w C:\WINDOWS\system32\rixdsg.dll
2008-08-21 22:07 114,176 ----a-w C:\WINDOWS\system32\inuatnws.dll
2008-08-21 22:04 95,232 ----a-w C:\WINDOWS\system32\nncxhgby.dll
2008-08-20 22:02 95,744 ----a-w C:\WINDOWS\system32\ocqehnrp.dll
2008-08-18 15:59 --------- d-----w C:\Documents and Settings\Shah\Application Data\Cogniview
2008-08-18 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cogniview
2008-08-04 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-31 00:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-31 00:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-31 00:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-29 15:14 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-06 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MsgPopup.lnk - C:\Program Files\MsgPopupEN\MsgPopup.exe [2003-10-31 993280]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MsgPopupEN\\MsgPopup.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=

S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c75e84f-ea3f-11d9-8bb9-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 11:22:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-23 11:23:58
ComboFix-quarantined-files.txt 2008-09-23 18:23:54

Pre-Run: 25,156,644,864 bytes free
Post-Run: 25,553,076,224 bytes free

168 --- E O F --- 2008-09-10 23:58:38
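As an added example (not part of this thread or of ComboFix): a small Python triage script over the log formats posted above, the ComboFix "Files Created" / "Find3M" lines and the REGEDIT4 "Reg Loading Points" block, and the Kaspersky Online Scanner result lines. It cross-references the randomly named system32 DLLs against the Kaspersky hits, lists the rest as suspects for manual review, and reports which Security Center notification switches are set; the regexes, the short allowlist and the sample excerpts are constructed for this example.

```python
import re

# Line layouts as they appear in the posts above (regexes constructed here).
# ComboFix "Files Created" / "Find3M" lines, e.g.:
#   2008-08-22 22:04 96,256 ----a-w C:\WINDOWS\system32\lwojlbey.dll
#   2008-09-04 12:29 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
COMBOFIX_FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"   # second timestamp only in "Files Created"
    r" (\S+) (\S+) (.+)$")                        # size-or-dashes, attrs, path
# Kaspersky Online Scanner result line, e.g.:
#   C:\WINDOWS\system32\ikajkcvl.dll Infected: Trojan.Win32.Monder.gen 1
KASPERSKY_RE = re.compile(r"^(.+?) Infected: (\S+) \d+$")
# REGEDIT4 export lines inside the ComboFix "Reg Loading Points" section.
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

SYSTEM32 = r"c:\windows\system32"
# Name shape of the Vundo/Monder DLLs in this thread: 6-8 lowercase letters only.
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,8}\.dll$")
# Legitimate Windows Update / WinINet components that share that shape.  This
# allowlist is constructed for the example and is deliberately short.
KNOWN_GOOD = frozenset({"wucltui.dll", "wuaueng.dll", "mucltui.dll", "wininet.dll"})
# Security Center values that, when set to 1, silence the user's warnings.
SC_KEY = r"hkey_local_machine\software\microsoft\security center"
SC_VALUES = {"antivirusdisablenotify", "updatesdisablenotify", "disablemonitoring"}


def parse_combofix_files(text):
    """Return (date, size, attrs, path) for each file/dir line ComboFix lists."""
    return [m.groups() for m in map(COMBOFIX_FILE_RE.match,
                                    (l.strip() for l in text.splitlines())) if m]


def parse_kaspersky(text):
    """Map each path the Kaspersky report flagged (lower-cased) to its threat name."""
    hits = {}
    for line in text.splitlines():
        m = KASPERSKY_RE.match(line.strip())
        if m:
            hits[m.group(1).strip().lower()] = m.group(2)
    return hits


def security_center_switches(text):
    """Return 'Key\\Value' strings for Security Center switches set to 1."""
    flagged, current_key = [], ""
    for line in text.splitlines():
        line = line.strip()
        k = REG_KEY_RE.match(line)
        if k:
            current_key = k.group(1)
            continue
        v = REG_DWORD_RE.match(line)
        if (v and current_key.lower().startswith(SC_KEY)
                and v.group(1).lower() in SC_VALUES and int(v.group(2), 16) == 1):
            flagged.append(f"{current_key}\\{v.group(1)}")
    return flagged


def triage(combofix_text, kaspersky_text):
    """Split system32 DLLs into 'confirmed' (named by the AV report, with threat
    name) and 'suspect' (random-looking name, not on the allowlist)."""
    av_hits = parse_kaspersky(kaspersky_text)
    confirmed, suspect = [], []
    for _date, _size, attrs, path in parse_combofix_files(combofix_text):
        folder, _, name = path.rpartition("\\")
        name = name.lower()
        if folder.lower() != SYSTEM32 or attrs.startswith("d"):
            continue                      # only files directly in system32
        if path.lower() in av_hits:
            confirmed.append((path, av_hits[path.lower()]))
        elif RANDOM_DLL_RE.match(name) and name not in KNOWN_GOOD:
            suspect.append(path)
    return confirmed, suspect


# Constructed excerpts, copied from the log lines posted in this thread.
SAMPLE_COMBOFIX = r"""
2008-09-04 12:29 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-22 22:04 96,256 ----a-w C:\WINDOWS\system32\lwojlbey.dll
2008-08-21 22:07 114,176 ----a-w C:\WINDOWS\system32\rixdsg.dll
2008-08-21 22:04 95,232 ----a-w C:\WINDOWS\system32\nncxhgby.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-09-23 17:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""
SAMPLE_KASPERSKY = r"""
C:\WINDOWS\system32\lwojlbey.dll Infected: Trojan.Win32.Monder.gnv 1
C:\WINDOWS\system32\rixdsg.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.czw 1
"""

if __name__ == "__main__":
    confirmed, suspect = triage(SAMPLE_COMBOFIX, SAMPLE_KASPERSKY)
    for path, threat in confirmed:
        print(f"CONFIRMED  {path}  ({threat})")
    for path in suspect:
        print(f"SUSPECT    {path}  (random-looking name, verify before acting)")
    for switch in security_center_switches(SAMPLE_COMBOFIX):
        print(f"SC-SWITCH  {switch} = 1")
```

Note that nncxhgby.dll is only a "suspect" here because the sample Kaspersky excerpt omits it; the name-shape heuristic alone also matches legitimate Windows DLLs, which is why the allowlist and the AV cross-reference are both needed before anything is deleted.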

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 September 2008 - 01:42 PM

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!



I asked you to install Recovery Console! It is NOT optional!




Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Posted Image


If you have SP3 installed, SP2 or even SP1 package will work.


Download the file & save it as it is originally named, next to ComboFix.exe.



Posted Image


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

    Posted Image

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.

Edited by SifuMike, 23 September 2008 - 01:43 PM.


#12 nmcbank

nmcbank
  • Topic Starter

  • Members
  • 18 posts

Posted 23 September 2008 - 02:32 PM

Sorry for not installing the recovery console at first time.
Here is the new log from combofix.
Thanks in advance for your patience and help.

ComboFix 08-09-22.04 - Shah 2008-09-23 12:24:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.332 [GMT -7:00]
Running from: C:\Documents and Settings\Shah\Desktop\Shah\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shah\Desktop\Shah\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-22 14:49 . 2008-09-22 14:49 <DIR> d-------- C:\rsit
2008-09-08 13:03 . 2008-09-08 13:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-04 13:55 . 2008-09-04 13:55 <DIR> d-------- C:\Program Files\MSBuild
2008-09-04 13:25 . 2008-09-04 13:26 <DIR> d-------- C:\autoruns
2008-09-04 12:29 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-04 12:16 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-04 12:10 . 2008-09-04 12:10 <DIR> d-------- C:\WINDOWS\EHome
2008-09-04 12:01 . 2008-04-13 17:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-09-04 12:00 . 2008-04-13 17:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-09-03 14:06 . 2008-09-03 14:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 14:06 . 2008-09-03 14:06 <DIR> d-------- C:\Documents and Settings\Shah\Application Data\Malwarebytes
2008-09-03 14:06 . 2008-09-03 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 14:06 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 14:06 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 19:09 . 2008-08-24 15:15 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-28 18:23 . 2008-09-22 08:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-28 18:23 . 2008-08-28 18:23 <DIR> d-------- C:\Documents and Settings\Shah\Application Data\PC Tools
2008-08-28 18:23 . 2008-09-23 11:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-28 18:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-28 18:23 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-28 18:23 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-28 18:23 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-28 17:26 . 2008-08-28 20:27 <DIR> d-------- C:\VundoFix Backups
2008-08-28 11:38 . 2008-08-28 11:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-28 11:38 . 2008-08-28 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 11:37 . 2008-08-28 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-24 15:15 . 2008-09-03 12:21 <DIR> d-------- C:\Documents and Settings\Shah\.housecall6.6
2008-08-24 15:12 . 2008-08-24 15:12 <DIR> d-------- C:\WINDOWS\Sun
2008-08-24 15:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-24 15:11 . 2008-08-24 15:11 <DIR> d-------- C:\Program Files\Java
2008-08-24 15:09 . 2008-08-24 15:09 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 17:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-23 16:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-10 23:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-04 20:57 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-09-04 20:56 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-09-02 18:19 799,430 --sha-w C:\WINDOWS\system32\IhiSstwa.ini2
2008-08-29 03:20 --------- d-----w C:\Documents and Settings\Shah\Application Data\InterTrust
2008-08-28 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-28 02:00 --------- d-----w C:\Program Files\PDF Editor 2
2008-08-27 20:37 --------- d-----w C:\Program Files\MsgPopupEN
2008-08-22 22:04 96,256 ----a-w C:\WINDOWS\system32\lwojlbey.dll
2008-08-21 22:07 114,176 ----a-w C:\WINDOWS\system32\rixdsg.dll
2008-08-21 22:07 114,176 ----a-w C:\WINDOWS\system32\inuatnws.dll
2008-08-21 22:04 95,232 ----a-w C:\WINDOWS\system32\nncxhgby.dll
2008-08-20 22:02 95,744 ----a-w C:\WINDOWS\system32\ocqehnrp.dll
2008-08-18 15:59 --------- d-----w C:\Documents and Settings\Shah\Application Data\Cogniview
2008-08-18 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cogniview
2008-08-04 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-31 00:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-31 00:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-31 00:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-29 15:14 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-06 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MsgPopup.lnk - C:\Program Files\MsgPopupEN\MsgPopup.exe [2003-10-31 993280]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MsgPopupEN\\MsgPopup.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=

S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c75e84f-ea3f-11d9-8bb9-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 12:25:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-23 12:27:33
ComboFix-quarantined-files.txt 2008-09-23 19:27:19
ComboFix2.txt 2008-09-23 18:23:59

Pre-Run: 25,539,559,424 bytes free
Post-Run: 25,511,256,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

154 --- E O F --- 2008-09-10 23:58:38

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 September 2008 - 05:11 PM

Hello nmcbank,


Close/disable Norton anti virus and Spyware Doctor so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\IhiSstwa.ini2
C:\WINDOWS\system32\lwojlbey.dll
C:\WINDOWS\system32\rixdsg.dll
C:\WINDOWS\system32\inuatnws.dll
C:\WINDOWS\system32\nncxhgby.dll
C:\WINDOWS\system32\ocqehnrp.dll
C:\Documents and Settings\Shah\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-7addba6d 
C:\WINDOWS\system32\ikajkcvl.dll 
C:\WINDOWS\system32\inuatnws.dll 
C:\WINDOWS\system32\kejuwgwd.dll 
C:\WINDOWS\system32\kspusuoh.dll 
C:\WINDOWS\system32\qvfaidqc.dll 
C:\WINDOWS\system32\rixdsg.dll  
C:\WINDOWS\system32\slytochi.dll 
C:\WINDOWS\system32\IhiSstwa.ini2

Folder:: 
C:\VundoFix Backups


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#14 nmcbank

nmcbank
  • Topic Starter

  • Members
  • 18 posts

Posted 23 September 2008 - 06:13 PM

Here is the new combofix log.
ComboFix 08-09-22.06 - Shah 2008-09-23 15:59:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.337 [GMT -7:00]
Running from: C:\Documents and Settings\Shah\Desktop\Shah\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shah\Desktop\Shah\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Shah\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-7addba6d
C:\WINDOWS\system32\IhiSstwa.ini2
C:\WINDOWS\system32\ikajkcvl.dll
C:\WINDOWS\system32\inuatnws.dll
C:\WINDOWS\system32\kejuwgwd.dll
C:\WINDOWS\system32\kspusuoh.dll
C:\WINDOWS\system32\lwojlbey.dll
C:\WINDOWS\system32\nncxhgby.dll
C:\WINDOWS\system32\ocqehnrp.dll
C:\WINDOWS\system32\qvfaidqc.dll
C:\WINDOWS\system32\rixdsg.dll
C:\WINDOWS\system32\slytochi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Shah\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-7addba6d
C:\VundoFix Backups
C:\WINDOWS\system32\IhiSstwa.ini2
C:\WINDOWS\system32\inuatnws.dll
C:\WINDOWS\system32\lwojlbey.dll
C:\WINDOWS\system32\nncxhgby.dll
C:\WINDOWS\system32\ocqehnrp.dll
C:\WINDOWS\system32\rixdsg.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-23 to 2008-09-23 )))))))))))))))))))))))))))))))
.

2008-09-22 14:49 . 2008-09-22 14:49 <DIR> d-------- C:\rsit
2008-09-08 13:03 . 2008-09-08 13:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-04 13:55 . 2008-09-04 13:55 <DIR> d-------- C:\Program Files\MSBuild
2008-09-04 13:25 . 2008-09-04 13:26 <DIR> d-------- C:\autoruns
2008-09-04 12:29 . 2004-08-04 04:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-04 12:19 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-04 12:16 . 2008-09-04 12:19 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-04 12:10 . 2008-09-04 12:10 <DIR> d-------- C:\WINDOWS\EHome
2008-09-04 12:01 . 2008-04-13 17:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-09-04 12:00 . 2008-04-13 17:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-09-03 14:06 . 2008-09-03 14:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 14:06 . 2008-09-03 14:06 <DIR> d-------- C:\Documents and Settings\Shah\Application Data\Malwarebytes
2008-09-03 14:06 . 2008-09-03 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 14:06 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-03 14:06 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-28 19:09 . 2008-08-24 15:15 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-28 18:23 . 2008-09-22 08:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-28 18:23 . 2008-08-28 18:23 <DIR> d-------- C:\Documents and Settings\Shah\Application Data\PC Tools
2008-08-28 18:23 . 2008-09-23 11:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-28 18:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-28 18:23 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-28 18:23 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-28 18:23 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-28 11:38 . 2008-08-28 11:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-28 11:38 . 2008-08-28 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 11:37 . 2008-08-28 11:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-24 15:15 . 2008-09-03 12:21 <DIR> d-------- C:\Documents and Settings\Shah\.housecall6.6
2008-08-24 15:12 . 2008-08-24 15:12 <DIR> d-------- C:\WINDOWS\Sun
2008-08-24 15:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-24 15:11 . 2008-08-24 15:11 <DIR> d-------- C:\Program Files\Java
2008-08-24 15:09 . 2008-08-24 15:09 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-23 17:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-23 16:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-10 23:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-04 20:57 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-09-04 20:56 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-08-29 03:20 --------- d-----w C:\Documents and Settings\Shah\Application Data\InterTrust
2008-08-28 02:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-28 02:00 --------- d-----w C:\Program Files\PDF Editor 2
2008-08-27 20:37 --------- d-----w C:\Program Files\MsgPopupEN
2008-08-18 15:59 --------- d-----w C:\Documents and Settings\Shah\Application Data\Cogniview
2008-08-18 15:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cogniview
2008-08-04 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-31 00:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-31 00:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-31 00:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-29 15:14 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 01:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-06 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MsgPopup.lnk - C:\Program Files\MsgPopupEN\MsgPopup.exe [2003-10-31 993280]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MsgPopupEN\\MsgPopup.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=

S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c75e84f-ea3f-11d9-8bb9-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 16:01:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-23 16:02:56
ComboFix-quarantined-files.txt 2008-09-23 23:02:37
ComboFix2.txt 2008-09-23 19:27:34
ComboFix3.txt 2008-09-23 18:23:59

Pre-Run: 25,503,399,936 bytes free
Post-Run: 25,492,824,064 bytes free

157 --- E O F --- 2008-09-10 23:58:38

Here is the new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:46 PM, on 9/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MsgPopup.lnk = C:\Program Files\MsgPopupEN\MsgPopup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: (no name) - http://media1.santabanta.com/full1/Spiritu...numan/lor9v.jpg
O24 - Desktop Component 2: My Price Electronics - http://www.mypriceelectronics.com/

--
End of file - 7120 bytes

#15 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts

Posted 23 September 2008 - 06:28 PM

Hello nmcbank,

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Close/disable Spyware Doctor so it does not interfere.

To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.



Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new HijackThis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



