Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

virus remover 2008


  • This topic is locked This topic is locked
23 replies to this topic

#1 Bulldog

Bulldog

  • Members
  • 394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:01:40 AM

Posted 03 December 2008 - 04:11 PM

I see it on the highjack this log and everyone list with the line item 15 I dont believe should be in the trusted zone. I have AVG 8, and the normal Spybot, adware, ccleaner, and cleaner 4.0, installed. I have ran AVG and it has moved several Trojans to my virus vault, however I still have some that pop up that it catches and then says unable to locate file. The virus remover 2008 keeps starting my browser and is jacking with my computer in other ways. I am running a Kaspersky scan as well but it is not completed yet.

Kaspersky Scan:

Wednesday, December 3, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 03, 2008 18:14:14
Records in database: 1435138
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
H:\
R:\
T:\
Scan statistics
Files scanned 99028
Threat name 18
Infected objects 60
Suspicious objects 5
Duration of the scan 02:14:13

File name Threat name Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Documents and Settings\tim\Local Settings\Application Data\Identities\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\Bambi's inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 4
C:\Documents and Settings\tim\Local Settings\Application Data\Identities\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\ebay emails.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib 10
C:\Documents and Settings\tim\Local Settings\Application Data\Identities\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\ebay emails.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 3
C:\Documents and Settings\tim\Local Settings\Application Data\Identities\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\keep.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Documents and Settings\tim\Local Settings\Application Data\Identities\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\keep.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 1
C:\Documents and Settings\tim\Local Settings\Application Data\Identities\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\Sent Items.dbx Infected: Trojan-Downloader.Win32.Agent.aji 1
C:\Documents and Settings\tim\Local Settings\Temp\enoacxwsmr.tmp Infected: Trojan.Win32.VB.hfs 1
C:\Documents and Settings\tim\Local Settings\Temp\mensxcwoar.tmp Infected: Trojan.Win32.VB.hfs 1
C:\Documents and Settings\tim\Local Settings\Temp\prun.tmp Infected: Trojan.Win32.VB.hfp 1
C:\Documents and Settings\tim\Local Settings\Temp\snapsnet.tmp Infected: Trojan-Downloader.Win32.VB.jbm 1
C:\Documents and Settings\tim\Local Settings\Temp\winvsnet.tmp Infected: Trojan-Downloader.Win32.Agent.aoep 1
C:\Documents and Settings\tim\Local Settings\Temporary Internet Files\Content.IE5\MDEXKLW5\eyhviww[1].txt Infected: Trojan.Win32.Small.yql 1
C:\Export_Email\Sent\Notification of Limited Account Access !_162_20080731_111251_352.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Export_Email\Sent\Notification of Limited Account Access_121_20080731_111234_504.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Export_Email\Sent\Notification of Limited Account Access_148_20080731_111237_325.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Export_Email\Sent\Protect Your PayPal Account_20_20080731_111112_163.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Export_Email\Sent\Protect Your PayPal Account_34_20080731_111115_763.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\stg\accounts\Jon\backup.pst Infected: Trojan-Spy.HTML.Citifraud.ai 1
C:\Program Files\stg\accounts\Jon\backup.pst Infected: Trojan-Spy.HTML.Citifraud.ak 1
C:\Program Files\stg\accounts\Jon\backup.pst Infected: Trojan-Spy.HTML.Bankfraud.q 1
C:\Program Files\stg\accounts\Jon\backup.pst Infected: Trojan-Spy.HTML.Bankfraud.u 1
C:\Program Files\stg\accounts\Jon\backup.pst Infected: Trojan-Spy.HTML.Bankfraud.w 1
C:\Program Files\stg\accounts\Judy\FLV\FLV to Video Pro\FLVDownloader_Install.exe Infected: not-a-virus:AdWare.Win32.AdMoke.agg 1
C:\Program Files\stg\accounts\Judy\FLV\FLV to Video Pro\FLVDownloader_Install.exe Infected: Backdoor.Win32.Sheldor.aw 1
C:\Program Files\stg\accounts\Judy\My Documents\Programs\FLV2Video_Setup_r44744.exe Infected: not-a-virus:AdWare.Win32.AdMoke.agg 1
C:\Program Files\stg\accounts\Judy\My Documents\Programs\FLV2Video_Setup_r44744.exe Infected: Backdoor.Win32.Sheldor.aw 1
C:\Program Files\stg\accounts\Judy\My Documents\Programs\Moyea FLV Downloader1.7.0.0-Setup.exe Infected: not-a-virus:AdWare.Win32.AdMoke.agg 1
C:\Program Files\stg\accounts\Judy\My Documents\Programs\Moyea FLV Downloader1.7.0.0-Setup.exe Infected: Backdoor.Win32.Sheldor.bj 1
C:\Utils\Autobackup - tim - 7-15-2008\Archive\OutlookExpress\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\Bambi's inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 4
C:\Utils\Autobackup - tim - 7-15-2008\Archive\OutlookExpress\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\ebay emails.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib 10
C:\Utils\Autobackup - tim - 7-15-2008\Archive\OutlookExpress\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\ebay emails.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 3
C:\Utils\Autobackup - tim - 7-15-2008\Archive\OutlookExpress\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\keep.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib 1
C:\Utils\Autobackup - tim - 7-15-2008\Archive\OutlookExpress\{AAE0A683-5D94-4A2F-83A6-48DB7EB5B26E}\Microsoft\Outlook Express\keep.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 1
The selected area was scanned.

Here is my log:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Tim at 2008-12-03 14:57:38
Microsoft Windows XP Professional Service Pack 3
System drive C: has 71 GB (30%) free of 238 GB
Total RAM: 2005 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:58 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Program Files\Belkin\Switch2\Switch2.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\DOCUME~1\tim\LOCALS~1\Temp\stf64D.tmp
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tim\Desktop\RSIT.exe
C:\Program Files\trend micro\Tim.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080521
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kciconstruction.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080521
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {B4EAB9C6-2ADA-4B21-8944-3D1622CB76D4} - C:\WINDOWS\system32\urqpPjJY.dll
O2 - BHO: {7550be2b-5c22-d778-c6e4-0797265e72bb} - {bb27e562-7970-4e6c-877d-22c5b2eb0557} - C:\WINDOWS\system32\pluvdn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Lnevutudiwo] rundll32.exe "C:\WINDOWS\Lceweruqapiweson.dll",e
O4 - HKLM\..\Run: [bc37804f] rundll32.exe "C:\WINDOWS\system32\bphwqbgo.dll",b
O4 - HKLM\..\Run: [Kdobedukicuhu] rundll32.exe "C:\WINDOWS\okoqazejowedi.dll",e
O4 - HKLM\..\Run: [NI.GSCNS] "C:\DOCUME~1\tim\LOCALS~1\Temp\winvsnet.tmp"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\tim\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Startup: Switch2.lnk = ?
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\Software\..\Telephony: DomainName = KCI.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll pluvdn.dll
O20 - Winlogon Notify: ssqOHwtr - C:\WINDOWS\SYSTEM32\ssqOHwtr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WinVNC4 - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/tim/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg

--
End of file - 10932 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\zdlvyhox.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4EAB9C6-2ADA-4B21-8944-3D1622CB76D4}]
C:\WINDOWS\system32\urqpPjJY.dll [2008-12-03 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb27e562-7970-4e6c-877d-22c5b2eb0557}]
C:\WINDOWS\system32\pluvdn.dll [2008-12-03 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-06-28 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-06-28 162328]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-06-28 137752]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-10-03 178712]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2007-09-24 1036288]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-01-11 623992]
""= []
"Acrobat Speed Launch"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe [2006-10-23 46200]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2008-04-13 143360]
"Acrobat Synchronizer"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2007-05-10 738968]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-27 1261336]
"Lnevutudiwo"=C:\WINDOWS\Lceweruqapiweson.dll [2008-12-03 40448]
"bc37804f"=C:\WINDOWS\system32\bphwqbgo.dll [2008-12-03 72704]
"Kdobedukicuhu"=C:\WINDOWS\okoqazejowedi.dll [2008-12-03 141824]
"NI.GSCNS"=C:\DOCUME~1\tim\LOCALS~1\Temp\winvsnet.tmp [2008-12-03 54784]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2006-09-11 218032]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"gadcom"=C:\Documents and Settings\tim\Application Data\gadcom\gadcom.exe [2008-12-03 56832]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"CleanUp!"=C:\Program Files\CleanUp!\Cleanup.exe [2006-06-25 442368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Documents and Settings\tim\Start Menu\Programs\Startup
Sprint media monitor.lnk - C:\WINDOWS\RM.exe
Switch2.lnk - C:\Documents and Settings\tim\Application Data\Microsoft\Installer\{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll pluvdn.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-28 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqOHwtr]
C:\WINDOWS\system32\ssqOHwtr.dll [2008-12-03 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\ssqOHwtr.dll [2008-12-03 34816]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\urqpPjJY

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoWelcomeScreen"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\PVSW\Bin\w3dbsmgr.exe"="C:\PVSW\Bin\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

======List of files/folders created in the last 1 months======

2008-12-03 14:58:18 ----D---- C:\Program Files\trend micro
2008-12-03 14:57:38 ----D---- C:\rsit
2008-12-03 14:25:32 ----A---- C:\WINDOWS\system32\awtusqNg.dll
2008-12-03 14:19:09 ----A---- C:\WINDOWS\system32\geBtUlMg.dll
2008-12-03 14:11:15 ----A---- C:\WINDOWS\system32\fccccCvt.dll
2008-12-03 14:09:14 ----A---- C:\WINDOWS\okoqazejowedi.dll
2008-12-03 14:04:57 ----D---- C:\Temp
2008-12-03 14:04:56 ----D---- C:\Documents and Settings\tim\Application Data\NI.GSCNS
2008-12-03 14:04:56 ----A---- C:\WINDOWS\system32\xxyvwXPF.dll
2008-12-03 14:02:58 ----SH---- C:\WINDOWS\system32\ogbqwhpb.ini
2008-12-03 14:02:55 ----A---- C:\WINDOWS\system32\pluvdn.dll
2008-12-03 14:02:55 ----A---- C:\WINDOWS\system32\bphwqbgo.dll
2008-12-03 14:02:54 ----A---- C:\WINDOWS\system32\liimwvti.dll
2008-12-03 14:02:26 ----A---- C:\WINDOWS\system32\b7144431-.txt
2008-12-03 14:01:56 ----ASH---- C:\WINDOWS\system32\YJjPpqru.ini2
2008-12-03 14:01:56 ----ASH---- C:\WINDOWS\system32\YJjPpqru.ini
2008-12-03 14:01:54 ----A---- C:\WINDOWS\system32\urqpPjJY.dll
2008-12-03 13:57:07 ----A---- C:\WINDOWS\Lceweruqapiweson.dll
2008-12-03 13:57:07 ----A---- C:\bflkwx.exe
2008-12-03 13:57:05 ----A---- C:\fjytg.exe
2008-12-03 13:56:56 ----D---- C:\Documents and Settings\tim\Application Data\gadcom
2008-12-03 13:56:53 ----A---- C:\WINDOWS\system32\iifeEVPG.dll
2008-12-03 13:56:51 ----A---- C:\WINDOWS\system32\ssqOHwtr.dll
2008-11-11 09:49:36 ----A---- C:\WINDOWS\sv.ini

======List of files/folders modified in the last 1 months======

2008-12-03 14:58:58 ----D---- C:\WINDOWS\Temp
2008-12-03 14:58:41 ----D---- C:\WINDOWS\security
2008-12-03 14:58:18 ----RD---- C:\Program Files
2008-12-03 14:44:56 ----D---- C:\Program Files\Mozilla Firefox
2008-12-03 14:40:48 ----HD---- C:\$AVG8.VAULT$
2008-12-03 14:40:48 ----D---- C:\WINDOWS\system32
2008-12-03 14:26:29 ----SHD---- C:\WINDOWS\system32\dllcache
2008-12-03 14:26:23 ----A---- C:\WINDOWS\system32\svchost.exe
2008-12-03 14:25:46 ----D---- C:\WINDOWS
2008-12-03 14:05:23 ----D---- C:\WINDOWS\Prefetch
2008-12-03 13:56:54 ----SD---- C:\WINDOWS\Tasks
2008-12-02 09:25:31 ----D---- C:\WINDOWS\system32\FxsTmp
2008-11-26 10:23:15 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-26 10:18:39 ----N---- C:\WINDOWS\SchedLgU.Txt
2008-11-26 09:53:48 ----HD---- C:\WINDOWS\inf
2008-11-26 08:10:07 ----D---- C:\WINDOWS\Help
2008-11-10 09:31:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-06 09:34:28 ----D---- C:\Program Files\Timberline Office
2008-11-06 09:32:47 ----A---- C:\WINDOWS\ODBC.INI
2008-11-06 08:52:13 ----SHD---- C:\WINDOWS\Installer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-09-26 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-09-26 26824]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2005-03-02 90168]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-09-24 307712]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-04-13 254872]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HECI;Intel® Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2007-07-23 45056]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-28 5761728]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2007-09-24 392960]
R3 SNTNLUSB;SafeNet USB SuperPro/UltraPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2005-03-02 28216]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2007-07-03 80552]
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2007-07-03 11944]
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2007-07-03 106792]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-26 611664]
R2 ASFAgent;ASF Agent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 133968]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-26 231704]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-10-03 358936]
R2 MSSQLSERVER;MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [2002-12-17 7520337]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0; c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-03-12 81920]
R2 WinVNC4;WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2008-07-14 439248]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-05-20 654848]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 FCI;FCI; C:\WINDOWS\system32\svchost.exe [2008-12-03 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE [2002-12-17 311872]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-12-03 14336]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.04 2008-12-03 14:59:00

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 8.1.2 Standard-->msiexec /I {AC76BA86-1033-0000-BA7E-000000000003}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CleanUp!-->C:\Program Files\CleanUp!\uninstall.exe
Dell ETS Factory Installation-->C:\Program Files\InstallShield Installation Information\{92FD71D5-ED7E-40B2-8DF3-4B5E6F684367}\setup.exe -runfromtemp -l0x0009 -removeonly
Digital Voice Recorder-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80EFBB50-5B6C-4A9D-AFBC-C7664AFF252F}\setup.exe" -l0x9 -remove
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Home Budget-->MsiExec.exe /I{F6D0FF05-0B73-436C-B35C-B8392FF17E2A}
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® Matrix Storage Manager-->C:\WINDOWS\System32\Imsmudlg.exe
Intel® PRO Alerting Agent-->MsiExec.exe /X{53183B25-FBDC-4B95-856A-DCDD69DFEE18}
Intel® PRO Network Connections 12.1.12.4-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Basic 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall BASICR /dll OSETUP.DLL
Microsoft Office Basic 2007-->MsiExec.exe /X{91120000-0013-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft SQL Server Desktop Engine-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.16)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
P3W 2.0-->C:\WINDOWS\UNINST16.EXE -fC:\WINDOWS\DeIsL1.isu
Pervasive System Analyzer-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Common Files\Pervasive Software Shared\PSA\psa.isu"
Pervasive.SQL Workgroup v8.10-->C:\WINDOWS\IsUninst.exe -fC:\PVSW\DeIsL1.isu -a -c"C:\PVSW\W32PTKUN.DLL" -mpsql.mif -ppWKGRP
Roxio Activation Module-->MsiExec.exe /I{07159635-9DFE-4105-BFC0-2817DB540C68}
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41C6-8752-958A45325C82}
Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4C52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ED8-B104-03393876DFDF}
Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Sage Timberline Estimating-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{B135D220-5B92-4873-9212-8554A40D3965}
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{E9ED0801-253D-4FE9-AB20-F63DEFE72547}
SearchAssist-->C:\DELL\SearchAssist\UninstSA.bat
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Sonic CinePlayer Decoder Pack-->MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
Sprint Desktop Sync-->MsiExec.exe /X{F818A41D-3535-4949-83BB-E41121697A97}
Sprint media manager -->C:\DOCUME~1\ALLUSE~1\APPLIC~1\TARMAI~1\{8912A~1\Setup.exe /remove /q0
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Switch2-->MsiExec.exe /X{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AVG Anti-Virus Free

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\Timberline Office\Shared\;C:\PVSW\BIN;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Common Files\Crystal Decisions\2.5\bin
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"VSL"=C:\PVSW\BIN
"CLASSPATH"=C:\PVSW\BIN\PVJDBC2X.JAR;C:\PVSW\BIN\PVJDBC2.JAR

-----------------EOF-----------------



Thanks for your help.

Edited by Bulldog, 03 December 2008 - 10:44 PM.

bulldogsmall6ma.jpg


"And in the end it's not the years in your life that count. It's the life in your years." - Abe Lincoln

BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 05 December 2008 - 02:00 AM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following....


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while its running. That may cause it to stall




Post me these logs in your next reply..

1. SDFix
2. ComboFix

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Bulldog

Bulldog
  • Topic Starter

  • Members
  • 394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:01:40 AM

Posted 05 December 2008 - 09:03 AM

SD FIX:

SDFix: Version 1.240
Run by Tim on Fri 12/05/2008 at 07:44 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
FCI

Path :
C:\WINDOWS\system32\svchost.exe:ext.exe

FCI - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\tim\Application Data\gadcom\gadcom.exe - Deleted



Folder C:\Documents and Settings\tim\Application Data\gadcom - Removed
Folder C:\Documents and Settings\tim\Application Data\SpeedRunner - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Mjcore - Removed


Removing Temp Files

ADS Check :


C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 25088 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.


AFTER IT SAID FINISHED AND IT GAVE ME THE REPORT AUTOMATICALLY I CLOSED THE WINDOW AND I NEVER GOT MY DESKTOP ICONS, I LOGGED OFF AND BACK ON AND MY ICONS APPEARED. HOPEFULLY THIS WAS OK.

I Received this message from Spybot, should I allow change?

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe

Description
Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________


Como Report

ComboFix 08-12-04.05 - Tim 2008-12-05 8:19:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1464 [GMT -6:00]
Running from: c:\documents and settings\tim\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\tim\Application Data\NI.GSCNS
c:\documents and settings\tim\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\tim\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\tim\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\sv.ini
c:\windows\system32\_003202_.tmp.dll
c:\windows\system32\_003203_.tmp.dll
c:\windows\system32\_003204_.tmp.dll
c:\windows\system32\_003205_.tmp.dll
c:\windows\system32\_003212_.tmp.dll
c:\windows\system32\_003213_.tmp.dll
c:\windows\system32\_003214_.tmp.dll
c:\windows\system32\_003215_.tmp.dll
c:\windows\system32\_003217_.tmp.dll
c:\windows\system32\_003218_.tmp.dll
c:\windows\system32\_003221_.tmp.dll
c:\windows\system32\_003222_.tmp.dll
c:\windows\system32\_003225_.tmp.dll
c:\windows\system32\_003226_.tmp.dll
c:\windows\system32\_003228_.tmp.dll
c:\windows\system32\_003229_.tmp.dll
c:\windows\system32\_003231_.tmp.dll
c:\windows\system32\_003232_.tmp.dll
c:\windows\system32\_003234_.tmp.dll
c:\windows\system32\_003237_.tmp.dll
c:\windows\system32\_003239_.tmp.dll
c:\windows\system32\_003242_.tmp.dll
c:\windows\system32\_003244_.tmp.dll
c:\windows\system32\_003245_.tmp.dll
c:\windows\system32\_003246_.tmp.dll
c:\windows\system32\_003247_.tmp.dll
c:\windows\system32\_003248_.tmp.dll
c:\windows\system32\_003251_.tmp.dll
c:\windows\system32\_003252_.tmp.dll
c:\windows\system32\_003253_.tmp.dll
c:\windows\system32\_003254_.tmp.dll
c:\windows\system32\_003255_.tmp.dll
c:\windows\system32\_003260_.tmp.dll
c:\windows\system32\_003262_.tmp.dll
c:\windows\system32\_003263_.tmp.dll
c:\windows\system32\iifeEVPG.dll
c:\windows\system32\kgirysfo.ini
c:\windows\system32\liimwvti.dll
c:\windows\system32\ofsyrigk.dll
c:\windows\system32\ogbqwhpb.ini
c:\windows\system32\pluvdn.dll
c:\windows\system32\spmjmvvj.dll
c:\windows\system32\urqpPjJY.dll
c:\windows\system32\wfzjqf.dll
c:\windows\system32\x64
c:\windows\system32\YJjPpqru.ini
c:\windows\system32\YJjPpqru.ini2
c:\windows\Tasks\zdlvyhox.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 07:43 . 2008-12-05 07:43 577,536 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-05 07:41 . 2008-12-05 07:41 <DIR> d-------- c:\windows\ERUNT
2008-12-05 07:39 . 2008-12-05 07:52 <DIR> d-------- C:\SDFix
2008-12-04 14:13 . 2008-12-04 16:52 <DIR> d-------- c:\documents and settings\tim\Application Data\Twain
2008-12-04 14:08 . 2008-12-05 01:52 <DIR> d-------- c:\program files\Webtools
2008-12-04 14:04 . 2008-12-04 14:04 114,688 --a------ c:\windows\system32\ilzlpc.dll
2008-12-04 14:04 . 2008-12-04 14:04 114,688 --a------ c:\windows\system32\bxmbbfwq.dll
2008-12-03 14:58 . 2008-12-03 14:58 <DIR> d-------- c:\program files\trend micro
2008-12-03 14:57 . 2008-12-03 15:12 <DIR> d-------- C:\rsit
2008-12-03 14:09 . 2008-12-03 14:09 141,824 --a------ c:\windows\okoqazejowedi.dll
2008-12-03 14:04 . 2008-12-03 14:19 <DIR> d-------- C:\Temp
2008-12-03 13:57 . 2008-12-03 13:57 40,448 --a------ c:\windows\Lceweruqapiweson.dll
2008-12-03 13:57 . 2008-12-03 14:26 40,448 --a------ C:\fjytg.exe
2008-12-03 13:57 . 2008-12-03 14:26 39,424 --a------ C:\bflkwx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 16:20 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 15:34 --------- d-----w c:\program files\Timberline Office
2008-10-24 08:06 --------- d-----w c:\program files\Windows Desktop Search
2008-10-23 13:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-20 14:51 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-17 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-17 13:09 --------- d-----w c:\program files\HB
2008-10-17 12:56 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-16 13:55 --------- d-----w c:\documents and settings\tim\Application Data\Windows Search
2008-10-15 16:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-13 16:44 --------- d-----w c:\documents and settings\tim\Application Data\Apple Computer
2008-10-13 14:03 --------- d-----w c:\documents and settings\tim\Application Data\Sprint Desktop Sync
2008-10-13 13:02 --------- d-----w c:\program files\Sprint Instinct Applications
2008-10-07 15:01 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-06 18:10 --------- d-----w c:\program files\Sprint Desktop Sync
2008-10-06 18:09 --------- d-----w c:\program files\Samsung
2008-10-06 18:09 --------- d-----w c:\documents and settings\tim\Application Data\Smith Micro
2008-10-06 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Tarma Installer
2008-10-06 14:58 --------- d-----w c:\documents and settings\tim\Application Data\Roxio
2008-10-05 02:20 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-05 02:20 --------- d-----w c:\program files\RCA
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-10 738968]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

c:\documents and settings\tim\Start Menu\Programs\Startup\
Sprint media monitor.lnk - c:\windows\RM.exe [2008-10-06 222552]
Switch2.lnk - c:\documents and settings\tim\Application Data\Microsoft\Installer\{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe [2008-07-31 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\Bin\w3dbsmgr.exe [2008-08-28 102450]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll wfzjqf.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNCserver

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-26 97928]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2008-05-20 30064]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 133968]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-26 231704]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-03-12 81920]
.
- - - - ORPHANS REMOVED - - - -

BHO-{29db5ec8-75a2-4a3d-9675-fc83c0bf54d3} - c:\windows\system32\wfzjqf.dll
BHO-{AABC228E-86F7-4D42-BD43-4B9FD36B1AD3} - c:\windows\system32\urqpPjJY.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kciconstruction.com/
mStart Page = hxxp://www.dell.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
Trusted Zone: *.amaena.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
TCP: {5974ECB9-9298-49E2-BBAF-83F700DEB3B5} = 192.168.1.10,192.168.2.10
FireFox -: Profile - c:\documents and settings\tim\Application Data\Mozilla\Firefox\Profiles\idhlxe2o.default\
FF -: plugin - c:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 08:22:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Belkin\Switch2\Switch2.exe
c:\program files\Sprint Instinct Applications\MEMonitor.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-12-05 8:24:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 14:24:52

Pre-Run: 74,913,730,560 bytes free
Post-Run: 74,813,390,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

221 --- E O F --- 2008-08-06 08:00:12

Hijack This

Logfile of random's system information tool 1.04 (written by random/random)
Run by Tim at 2008-12-05 08:33:43
Microsoft Windows XP Professional Service Pack 3
System drive C: has 71 GB (30%) free of 238 GB
Total RAM: 2005 MB (74% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:33, on 2008-12-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Belkin\Switch2\Switch2.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\tim\Desktop\RSIT.exe
C:\Program Files\trend micro\Tim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kciconstruction.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080521
O2 - BHO: (no name) - {29db5ec8-75a2-4a3d-9675-fc83c0bf54d3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AABC228E-86F7-4D42-BD43-4B9FD36B1AD3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Startup: Switch2.lnk = ?
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\Software\..\Telephony: DomainName = KCI.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll wfzjqf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WinVNC4 - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/tim/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg

--
End of file - 9800 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29db5ec8-75a2-4a3d-9675-fc83c0bf54d3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AABC228E-86F7-4D42-BD43-4B9FD36B1AD3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-06-28 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-06-28 162328]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-06-28 137752]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-10-03 178712]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2007-09-24 1036288]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-01-11 623992]
"Acrobat Speed Launch"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe [2006-10-23 46200]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2008-04-13 143360]
"Acrobat Synchronizer"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2007-05-10 738968]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-27 1261336]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2006-09-11 218032]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Documents and Settings\tim\Start Menu\Programs\Startup
Sprint media monitor.lnk - C:\WINDOWS\RM.exe
Switch2.lnk - C:\Documents and Settings\tim\Application Data\Microsoft\Installer\{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll wfzjqf.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-28 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoWelcomeScreen"=
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\PVSW\Bin\w3dbsmgr.exe"="C:\PVSW\Bin\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

======List of files/folders created in the last 1 months======

2008-12-05 08:24:55 ----A---- C:\ComboFix.txt
2008-12-05 08:19:11 ----A---- C:\Boot.bak
2008-12-05 08:19:07 ----RASHD---- C:\cmdcons
2008-12-05 08:17:48 ----A---- C:\WINDOWS\zip.exe
2008-12-05 08:17:48 ----A---- C:\WINDOWS\VFIND.exe
2008-12-05 08:17:48 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-05 08:17:48 ----A---- C:\WINDOWS\SWSC.exe
2008-12-05 08:17:48 ----A---- C:\WINDOWS\SWREG.exe
2008-12-05 08:17:48 ----A---- C:\WINDOWS\sed.exe
2008-12-05 08:17:48 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-05 08:17:48 ----A---- C:\WINDOWS\grep.exe
2008-12-05 08:17:48 ----A---- C:\WINDOWS\fdsv.exe
2008-12-05 08:17:44 ----D---- C:\WINDOWS\ERDNT
2008-12-05 08:17:44 ----D---- C:\Qoobox
2008-12-05 08:17:44 ----D---- C:\ComboFix
2008-12-05 07:41:44 ----D---- C:\WINDOWS\ERUNT
2008-12-05 07:39:25 ----D---- C:\SDFix
2008-12-05 07:33:40 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-04 14:13:21 ----D---- C:\Documents and Settings\tim\Application Data\Twain
2008-12-04 14:08:21 ----D---- C:\Program Files\Webtools
2008-12-04 14:04:57 ----A---- C:\WINDOWS\system32\ilzlpc.dll
2008-12-04 14:04:56 ----A---- C:\WINDOWS\system32\bxmbbfwq.dll
2008-12-03 14:58:18 ----D---- C:\Program Files\trend micro
2008-12-03 14:57:38 ----D---- C:\rsit
2008-12-03 14:09:14 ----A---- C:\WINDOWS\okoqazejowedi.dll
2008-12-03 14:04:57 ----D---- C:\Temp
2008-12-03 14:02:26 ----A---- C:\WINDOWS\system32\b7144431-.txt
2008-12-03 13:57:07 ----A---- C:\WINDOWS\Lceweruqapiweson.dll
2008-12-03 13:57:07 ----A---- C:\bflkwx.exe
2008-12-03 13:57:05 ----A---- C:\fjytg.exe

======List of files/folders modified in the last 1 months======

2008-12-05 08:33:55 ----D---- C:\WINDOWS\Temp
2008-12-05 08:32:10 ----D---- C:\Program Files\Mozilla Firefox
2008-12-05 08:24:58 ----D---- C:\WINDOWS\system32\drivers
2008-12-05 08:24:58 ----D---- C:\WINDOWS\system32
2008-12-05 08:24:58 ----D---- C:\WINDOWS
2008-12-05 08:22:45 ----A---- C:\WINDOWS\system.ini
2008-12-05 08:20:32 ----D---- C:\WINDOWS\system32\config
2008-12-05 08:19:56 ----D---- C:\WINDOWS\AppPatch
2008-12-05 08:19:56 ----D---- C:\Program Files\Common Files
2008-12-05 08:19:49 ----SD---- C:\WINDOWS\Tasks
2008-12-05 08:19:11 ----RASH---- C:\boot.ini
2008-12-05 08:18:22 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-05 08:17:48 ----D---- C:\WINDOWS\Prefetch
2008-12-05 07:50:53 ----RD---- C:\Program Files
2008-12-05 07:43:25 ----SHD---- C:\WINDOWS\system32\dllcache
2008-12-05 07:36:20 ----D---- C:\WINDOWS\security
2008-12-05 01:52:28 ----HD---- C:\$AVG8.VAULT$
2008-12-04 16:18:05 ----A---- C:\WINDOWS\wininit.ini
2008-12-04 10:20:23 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 14:26:23 ----A---- C:\WINDOWS\system32\svchost.exe
2008-12-02 09:25:31 ----D---- C:\WINDOWS\system32\FxsTmp
2008-11-26 10:23:15 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-26 09:53:48 ----HD---- C:\WINDOWS\inf
2008-11-26 08:10:07 ----D---- C:\WINDOWS\Help
2008-11-10 09:31:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-06 09:34:28 ----D---- C:\Program Files\Timberline Office
2008-11-06 09:32:47 ----A---- C:\WINDOWS\ODBC.INI
2008-11-06 08:52:13 ----SHD---- C:\WINDOWS\Installer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-09-26 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-09-26 26824]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2005-03-02 90168]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-09-24 307712]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-04-13 254872]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HECI;Intel® Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2007-07-23 45056]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-28 5761728]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2007-09-24 392960]
R3 SNTNLUSB;SafeNet USB SuperPro/UltraPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2005-03-02 28216]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R4 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2007-07-03 80552]
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2007-07-03 11944]
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2007-07-03 106792]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-26 611664]
R2 ASFAgent;ASF Agent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 133968]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-26 231704]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-10-03 358936]
R2 MSSQLSERVER;MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [2002-12-17 7520337]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0; c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-03-12 81920]
R2 WinVNC4;WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2008-07-14 439248]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-05-20 654848]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE [2002-12-17 311872]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-12-03 14336]

-----------------EOF-----------------


Thank you for your help so far!!

Edited by Bulldog, 05 December 2008 - 09:36 AM.

bulldogsmall6ma.jpg


"And in the end it's not the years in your life that count. It's the life in your years." - Abe Lincoln

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 05 December 2008 - 01:09 PM

Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\ilzlpc.dll
c:\windows\system32\bxmbbfwq.dll
c:\windows\okoqazejowedi.dll
c:\windows\Lceweruqapiweson.dll
C:\fjytg.exe
C:\bflkwx.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by fenzodahl512, 05 December 2008 - 01:22 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 Bulldog

Bulldog
  • Topic Starter

  • Members
  • 394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:01:40 AM

Posted 05 December 2008 - 02:17 PM

ComboFix 08-12-05.01 - Tim 2008-12-05 12:59:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1490 [GMT -6:00]
Running from: c:\documents and settings\tim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\tim\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\bflkwx.exe
C:\fjytg.exe
c:\windows\Lceweruqapiweson.dll
c:\windows\okoqazejowedi.dll
c:\windows\system32\bxmbbfwq.dll
c:\windows\system32\ilzlpc.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bflkwx.exe
C:\fjytg.exe
c:\windows\Lceweruqapiweson.dll
c:\windows\okoqazejowedi.dll
c:\windows\system32\bxmbbfwq.dll
c:\windows\system32\ilzlpc.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 07:43 . 2008-12-05 07:43 577,536 --a------ c:\windows\system32\dllcache\user32.dll
2008-12-05 07:41 . 2008-12-05 07:41 <DIR> d-------- c:\windows\ERUNT
2008-12-05 07:39 . 2008-12-05 07:52 <DIR> d-------- C:\SDFix
2008-12-04 14:13 . 2008-12-04 16:52 <DIR> d-------- c:\documents and settings\tim\Application Data\Twain
2008-12-04 14:08 . 2008-12-05 01:52 <DIR> d-------- c:\program files\Webtools
2008-12-03 14:58 . 2008-12-05 12:51 <DIR> d-------- c:\program files\trend micro
2008-12-03 14:57 . 2008-12-03 15:12 <DIR> d-------- C:\rsit
2008-12-03 14:04 . 2008-12-03 14:19 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 15:23 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 15:34 --------- d-----w c:\program files\Timberline Office
2008-10-24 08:06 --------- d-----w c:\program files\Windows Desktop Search
2008-10-23 13:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-20 14:51 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-17 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-17 13:09 --------- d-----w c:\program files\HB
2008-10-17 12:56 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-16 13:55 --------- d-----w c:\documents and settings\tim\Application Data\Windows Search
2008-10-15 16:07 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-13 16:44 --------- d-----w c:\documents and settings\tim\Application Data\Apple Computer
2008-10-13 14:03 --------- d-----w c:\documents and settings\tim\Application Data\Sprint Desktop Sync
2008-10-13 13:02 --------- d-----w c:\program files\Sprint Instinct Applications
2008-10-07 15:01 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-06 18:10 --------- d-----w c:\program files\Sprint Desktop Sync
2008-10-06 18:09 --------- d-----w c:\program files\Samsung
2008-10-06 18:09 --------- d-----w c:\documents and settings\tim\Application Data\Smith Micro
2008-10-06 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Tarma Installer
2008-10-06 14:58 --------- d-----w c:\documents and settings\tim\Application Data\Roxio
2008-10-05 02:20 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-05 02:20 --------- d-----w c:\program files\RCA
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_ 8.24.36.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-05 19:02:01 16,384 ----atw c:\windows\temp\Perflib_Perfdata_724.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 1036288]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-10 738968]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

c:\documents and settings\tim\Start Menu\Programs\Startup\
Sprint media monitor.lnk - c:\windows\RM.exe [2008-10-06 222552]
Switch2.lnk - c:\documents and settings\tim\Application Data\Microsoft\Installer\{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe [2008-07-31 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\Bin\w3dbsmgr.exe [2008-08-28 102450]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNCserver

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-26 97928]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2008-05-20 30064]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 133968]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-26 231704]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-03-12 81920]
.
- - - - ORPHANS REMOVED - - - -

BHO-{29db5ec8-75a2-4a3d-9675-fc83c0bf54d3} - (no file)
BHO-{AABC228E-86F7-4D42-BD43-4B9FD36B1AD3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kciconstruction.com/
mStart Page = hxxp://www.dell.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {5974ECB9-9298-49E2-BBAF-83F700DEB3B5} = 192.168.1.10,192.168.2.10
FireFox -: Profile - c:\documents and settings\tim\Application Data\Mozilla\Firefox\Profiles\idhlxe2o.default\
FF -: plugin - c:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 13:02:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Sprint Instinct Applications\MEMonitor.exe
c:\program files\Belkin\Switch2\Switch2.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-12-05 13:05:27 - machine was rebooted [Tim]
ComboFix-quarantined-files.txt 2008-12-05 19:05:24
ComboFix2.txt 2008-12-05 14:24:55

Pre-Run: 74,813,497,344 bytes free
Post-Run: 74,799,058,944 bytes free

157 --- E O F --- 2008-08-06 08:00:12

Logfile of random's system information tool 1.04 (written by random/random)
Run by Tim at 2008-12-05 13:15:12
Microsoft Windows XP Professional Service Pack 3
System drive C: has 71 GB (30%) free of 238 GB
Total RAM: 2005 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15, on 2008-12-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Program Files\Belkin\Switch2\Switch2.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tim\Desktop\RSIT.exe
C:\Program Files\trend micro\HijackThis\Tim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kciconstruction.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080521
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Startup: Switch2.lnk = ?
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\Software\..\Telephony: DomainName = KCI.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WinVNC4 - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/tim/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg

--
End of file - 9080 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-06-28 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-06-28 162328]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-06-28 137752]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-10-03 178712]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2007-09-24 1036288]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-01-11 623992]
"Acrobat Speed Launch"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe [2006-10-23 46200]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2008-04-13 143360]
"Acrobat Synchronizer"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2007-05-10 738968]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-27 1261336]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2006-09-11 218032]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Documents and Settings\tim\Start Menu\Programs\Startup
Sprint media monitor.lnk - C:\WINDOWS\RM.exe
Switch2.lnk - C:\Documents and Settings\tim\Application Data\Microsoft\Installer\{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-28 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoWelcomeScreen"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\PVSW\Bin\w3dbsmgr.exe"="C:\PVSW\Bin\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

======List of files/folders created in the last 1 months======

2008-12-05 13:08:41 ----SHD---- C:\RECYCLER
2008-12-05 13:05:29 ----A---- C:\ComboFix.txt
2008-12-05 13:01:07 ----A---- C:\WINDOWS\PSEXESVC.EXE
2008-12-05 13:01:03 ----D---- C:\WINDOWS\temp
2008-12-05 12:59:23 ----A---- C:\WINDOWS\zip.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\VFIND.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\SWSC.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\SWREG.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\sed.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\grep.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\fdsv.exe
2008-12-05 08:19:11 ----A---- C:\Boot.bak
2008-12-05 08:19:07 ----RASHD---- C:\cmdcons
2008-12-05 08:17:48 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-05 08:17:44 ----D---- C:\WINDOWS\ERDNT
2008-12-05 08:17:44 ----D---- C:\Qoobox
2008-12-05 07:41:44 ----D---- C:\WINDOWS\ERUNT
2008-12-05 07:39:25 ----D---- C:\SDFix
2008-12-04 14:13:21 ----D---- C:\Documents and Settings\tim\Application Data\Twain
2008-12-04 14:08:21 ----D---- C:\Program Files\Webtools
2008-12-03 14:58:18 ----D---- C:\Program Files\trend micro
2008-12-03 14:57:38 ----D---- C:\rsit
2008-12-03 14:04:57 ----D---- C:\Temp
2008-12-03 14:02:26 ----A---- C:\WINDOWS\system32\b7144431-.txt

======List of files/folders modified in the last 1 months======

2008-12-05 13:11:25 ----D---- C:\WINDOWS
2008-12-05 13:07:48 ----D---- C:\WINDOWS\Prefetch
2008-12-05 13:05:57 ----D---- C:\Program Files\Mozilla Firefox
2008-12-05 13:05:37 ----D---- C:\WINDOWS\system32\drivers
2008-12-05 13:05:37 ----D---- C:\WINDOWS\system32
2008-12-05 13:02:57 ----A---- C:\WINDOWS\system.ini
2008-12-05 13:02:12 ----D---- C:\WINDOWS\security
2008-12-05 13:00:44 ----D---- C:\WINDOWS\AppPatch
2008-12-05 13:00:44 ----D---- C:\Program Files\Common Files
2008-12-05 12:59:36 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-05 12:46:27 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-05 09:23:34 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 08:20:32 ----D---- C:\WINDOWS\system32\config
2008-12-05 08:19:49 ----SD---- C:\WINDOWS\Tasks
2008-12-05 08:19:11 ----RASH---- C:\boot.ini
2008-12-05 07:50:53 ----RD---- C:\Program Files
2008-12-05 07:43:25 ----SHD---- C:\WINDOWS\system32\dllcache
2008-12-05 01:52:28 ----HD---- C:\$AVG8.VAULT$
2008-12-04 16:18:05 ----A---- C:\WINDOWS\wininit.ini
2008-12-03 14:26:23 ----A---- C:\WINDOWS\system32\svchost.exe
2008-12-02 09:25:31 ----D---- C:\WINDOWS\system32\FxsTmp
2008-11-26 09:53:48 ----HD---- C:\WINDOWS\inf
2008-11-26 08:10:07 ----D---- C:\WINDOWS\Help
2008-11-10 09:31:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-06 09:34:28 ----D---- C:\Program Files\Timberline Office
2008-11-06 09:32:47 ----A---- C:\WINDOWS\ODBC.INI
2008-11-06 08:52:13 ----SHD---- C:\WINDOWS\Installer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-09-26 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-09-26 26824]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2005-03-02 90168]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-09-24 307712]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-04-13 254872]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HECI;Intel® Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2007-07-23 45056]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-28 5761728]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2007-09-24 392960]
R3 SNTNLUSB;SafeNet USB SuperPro/UltraPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2005-03-02 28216]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R4 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2007-07-03 80552]
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2007-07-03 11944]
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2007-07-03 106792]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-26 611664]
R2 ASFAgent;ASF Agent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 133968]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-26 231704]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-10-03 358936]
R2 MSSQLSERVER;MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [2002-12-17 7520337]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0; c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-03-12 81920]
R2 WinVNC4;WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2008-07-14 439248]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-05-20 654848]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE [2002-12-17 311872]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-12-03 14336]

-----------------EOF-----------------


I couldnt get Hijack this to save a log file. It keep saying that there was a problem with my Timberline program and that I amy need to uninstall it and reinstall. I finally got it to save a log file and click on the file and it said the same thing. I got this log by running the RSIT.exe file and copying the log.
bulldogsmall6ma.jpg


"And in the end it's not the years in your life that count. It's the life in your years." - Abe Lincoln

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 05 December 2008 - 11:07 PM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post me these logs in your next reply...

1. Malwarebytes'
2. ESET Online Scanner
3. Tell me, how is your computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Bulldog

Bulldog
  • Topic Starter

  • Members
  • 394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:01:40 AM

Posted 08 December 2008 - 08:27 AM

I was unable to run the ESET online sanner. It gave me a page error.

Here is the log from Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.31
Database version: 1467
Windows 5.1.2600 Service Pack 3

2008-12-08 07:16:40
mbam-log-2008-12-08 (07-16-40).txt

Scan type: Full Scan (C:\|H:\|R:\|)
Objects scanned: 141472
Time elapsed: 1 hour(s), 15 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bb27e562-7970-4e6c-877d-22c5b2eb0557} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\bflkwx.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\fjytg.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Lceweruqapiweson.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bxmbbfwq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\iifeEVPG.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ilzlpc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\liimwvti.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ofsyrigk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pluvdn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\spmjmvvj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\urqpPjJY.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wfzjqf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

Computer isnt auto connecting to the internet any more, and self directing to unwanted websites, computer is alot better :thumbsup:

Edited by Bulldog, 08 December 2008 - 08:48 AM.

bulldogsmall6ma.jpg


"And in the end it's not the years in your life that count. It's the life in your years." - Abe Lincoln

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 08 December 2008 - 08:59 AM

Erm.. lets do another online scanner.. Just to see what might left..


Please download JavaRa to your desktop and unzip it to its own folder. <<MIRROR>>
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
Then, please download and install the latest Java from HERE



Please do this step before you sleep or when you don't use the computer as it will take quite a while..

Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
Posted Image

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Bulldog

Bulldog
  • Topic Starter

  • Members
  • 394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:01:40 AM

Posted 08 December 2008 - 09:03 AM

I went directly to the ESET website and clicked on threat center, then the online scanner and I am able to get the scanner to work and it is scanning. I tried to edit my message from before but you already responded.

I was just redirected to a findstuff website, after clicking on bleeping computer on google. In the URL it said google.goored

ESET results:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3671 (20081208)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=0d38f46b05918f4b8247f6724095bbef
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-08 03:26:30
# local_time=2008-12-08 09:26:30 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=295432
# found=0
# scan_time=5049

Edited by Bulldog, 08 December 2008 - 10:33 AM.

bulldogsmall6ma.jpg


"And in the end it's not the years in your life that count. It's the life in your years." - Abe Lincoln

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 08 December 2008 - 11:14 AM

It's okay.. Your log looks very good to me... :thumbsup:

I was just redirected to a findstuff website, after clicking on bleeping computer on google. In the URL it said google.goored


Err.. you click on BC on Google but re-directed to a findstuff webby?.. erm.. Interesting, mind share the full url?.. Just replace the http: with hxxp:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 Bulldog

Bulldog
  • Topic Starter

  • Members
  • 394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:01:40 AM

Posted 08 December 2008 - 11:39 AM

When you click on Bleeping Computer in the google results it quickly shows this:

hxxp://google.goored.com/c.php?url=http%3A%2F%2Fwww.bleepingcomputer.com%2F&p=0

The changes to a variety of different sites this time it went to this one:

hxxp://www.americanmodernliving.com/search.aspx?keywords=computer

in the tab at the bottom of the page it will usually give you the name of site you are at with this site the www.americanmodernliving.com it just says Search Results.

sometimes instead of google.goored, it has said something redirect. if it pops up ill post it as well.

List of cookies deleted:

Removed Cookie: google.com
Removed Cookie: t.websearchmaster.net
Removed Cookie: 64.111.196.117
Removed Cookie: looksmart.com
Removed Cookie: www.americanmodernliving.com
Removed Cookie: americanmodernliving.com
Removed Cookie: counter.surfcounters.com
Removed Cookie: tracking.foundry42.com
Removed Cookie: ads.bleepingcomputer.com
Removed Cookie: bleepingcomputer.com
Removed Cookie: bbc.co.uk
Removed Cookie: 66.230.188.67

Edited by Bulldog, 08 December 2008 - 11:45 AM.

bulldogsmall6ma.jpg


"And in the end it's not the years in your life that count. It's the life in your years." - Abe Lincoln

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 08 December 2008 - 11:52 AM

Ok.. Post a fresh RSIT log.txt please.. I want to see if you got any infection from that webby :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 Bulldog

Bulldog
  • Topic Starter

  • Members
  • 394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:01:40 AM

Posted 08 December 2008 - 12:09 PM

Logfile of random's system information tool 1.04 (written by random/random)
Run by Tim at 2008-12-08 11:08:13
Microsoft Windows XP Professional Service Pack 3
System drive C: has 71 GB (30%) free of 238 GB
Total RAM: 2005 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08, on 2008-12-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\program files\timberline office\shared\sage.servicehost.host.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Program Files\Belkin\Switch2\Switch2.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\tim\Desktop\RSIT.exe
C:\Program Files\trend micro\HijackThis\Tim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kciconstruction.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080521
O2 - BHO: (no name) - {29db5ec8-75a2-4a3d-9675-fc83c0bf54d3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AABC228E-86F7-4D42-BD43-4B9FD36B1AD3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Startup: Switch2.lnk = ?
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\Software\..\Telephony: DomainName = KCI.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = KCI.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{5974ECB9-9298-49E2-BBAF-83F700DEB3B5}: NameServer = 192.168.1.10,192.168.2.10
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sage Service Host v1.0 (Sage.ServiceHost.Host.1.0) - Sage Software, Inc. - c:\program files\timberline office\shared\sage.servicehost.host.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: WinVNC4 - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/tim/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg

--
End of file - 9715 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29db5ec8-75a2-4a3d-9675-fc83c0bf54d3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AABC228E-86F7-4D42-BD43-4B9FD36B1AD3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-06-28 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-06-28 162328]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-06-28 137752]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-10-03 178712]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2007-09-24 1036288]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-01-11 623992]
"Acrobat Speed Launch"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe [2006-10-23 46200]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2008-04-13 143360]
"Acrobat Synchronizer"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2007-05-10 738968]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-27 1261336]
""= []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-12-03 399504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2006-09-11 218032]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"CleanUp!"=C:\Program Files\CleanUp!\Cleanup.exe [2006-06-25 442368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Documents and Settings\tim\Start Menu\Programs\Startup
Sprint media monitor.lnk - C:\WINDOWS\RM.exe
Switch2.lnk - C:\Documents and Settings\tim\Application Data\Microsoft\Installer\{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-28 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoWelcomeScreen"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\PVSW\Bin\w3dbsmgr.exe"="C:\PVSW\Bin\w3dbsmgr.exe:*:Enabled:Database Service Manager"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

======List of files/folders created in the last 1 months======

2008-12-08 09:29:25 ----D---- C:\WINDOWS\LastGood
2008-12-08 07:58:18 ----D---- C:\Program Files\EsetOnlineScanner
2008-12-06 13:00:31 ----D---- C:\Documents and Settings\tim\Application Data\Malwarebytes
2008-12-06 13:00:25 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-06 13:00:25 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-05 13:08:41 ----SHD---- C:\RECYCLER
2008-12-05 13:05:29 ----A---- C:\ComboFix.txt
2008-12-05 13:01:07 ----A---- C:\WINDOWS\PSEXESVC.EXE
2008-12-05 13:01:03 ----D---- C:\WINDOWS\temp
2008-12-05 12:59:23 ----A---- C:\WINDOWS\zip.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\VFIND.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\SWSC.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\SWREG.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\sed.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\grep.exe
2008-12-05 12:59:23 ----A---- C:\WINDOWS\fdsv.exe
2008-12-05 08:19:11 ----A---- C:\Boot.bak
2008-12-05 08:19:07 ----RASHD---- C:\cmdcons
2008-12-05 08:17:48 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-05 08:17:44 ----D---- C:\WINDOWS\ERDNT
2008-12-05 08:17:44 ----D---- C:\Qoobox
2008-12-05 07:41:44 ----D---- C:\WINDOWS\ERUNT
2008-12-05 07:39:25 ----D---- C:\SDFix
2008-12-04 14:13:21 ----D---- C:\Documents and Settings\tim\Application Data\Twain
2008-12-03 14:58:18 ----D---- C:\Program Files\trend micro
2008-12-03 14:57:38 ----D---- C:\rsit
2008-12-03 14:04:57 ----D---- C:\Temp
2008-12-03 14:02:26 ----A---- C:\WINDOWS\system32\b7144431-.txt

======List of files/folders modified in the last 1 months======

2008-12-08 11:03:36 ----D---- C:\Program Files\Mozilla Firefox
2008-12-08 10:33:15 ----D---- C:\WINDOWS
2008-12-08 09:42:36 ----D---- C:\WINDOWS\Prefetch
2008-12-08 09:29:38 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-08 09:29:37 ----D---- C:\WINDOWS\system32
2008-12-08 07:58:18 ----RD---- C:\Program Files
2008-12-08 07:58:02 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-08 01:50:54 ----HD---- C:\$AVG8.VAULT$
2008-12-07 19:08:24 ----D---- C:\WINDOWS\security
2008-12-06 13:00:28 ----D---- C:\WINDOWS\system32\drivers
2008-12-05 13:25:41 ----N---- C:\WINDOWS\SchedLgU.Txt
2008-12-05 13:02:57 ----A---- C:\WINDOWS\system.ini
2008-12-05 13:00:44 ----D---- C:\WINDOWS\AppPatch
2008-12-05 13:00:44 ----D---- C:\Program Files\Common Files
2008-12-05 09:23:34 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 08:20:32 ----D---- C:\WINDOWS\system32\config
2008-12-05 08:19:49 ----SD---- C:\WINDOWS\Tasks
2008-12-05 08:19:11 ----RASH---- C:\boot.ini
2008-12-05 07:43:25 ----SHD---- C:\WINDOWS\system32\dllcache
2008-12-04 16:18:05 ----A---- C:\WINDOWS\wininit.ini
2008-12-03 14:26:23 ----A---- C:\WINDOWS\system32\svchost.exe
2008-12-02 09:25:31 ----D---- C:\WINDOWS\system32\FxsTmp
2008-11-26 09:53:48 ----HD---- C:\WINDOWS\inf
2008-11-26 08:10:07 ----D---- C:\WINDOWS\Help
2008-11-10 09:31:34 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-09-26 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-09-26 26824]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-07-23 30064]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\Drivers\DLABMFSM.SYS [2007-07-23 37360]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\Drivers\DLABOIOM.SYS [2007-07-23 32848]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\Drivers\DLADResM.SYS [2007-07-23 9104]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS [2007-07-23 108752]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS [2007-07-23 27216]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\Drivers\DLAPoolM.SYS [2007-07-23 16304]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS [2007-07-23 98448]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS [2007-07-23 93552]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-07-23 52000]
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2005-03-02 90168]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-09-24 307712]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-04-13 254872]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HECI;Intel® Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2007-07-23 45056]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-06-28 5761728]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2007-09-24 392960]
R3 SNTNLUSB;SafeNet USB SuperPro/UltraPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2005-03-02 28216]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2007-07-03 80552]
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2007-07-03 11944]
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2007-07-03 106792]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-26 611664]
R2 ASFAgent;ASF Agent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2007-01-23 133968]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-26 231704]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-10-03 358936]
R2 MSSQLSERVER;MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [2002-12-17 7520337]
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0; c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-03-12 81920]
R2 WinVNC4;WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2008-07-14 439248]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-05-20 654848]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE [2002-12-17 311872]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-07-11 69632]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-12-03 14336]

-----------------EOF-----------------

I had to shut down to make some changes to my computer and I received this message on start up.

Posted Image

Edited by Bulldog, 08 December 2008 - 01:42 PM.

bulldogsmall6ma.jpg


"And in the end it's not the years in your life that count. It's the life in your years." - Abe Lincoln

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:01:40 PM

Posted 08 December 2008 - 01:41 PM

Hello.. Sorry, got something to do just now.. Anyhow, I just receive a tip from an expert.. Lets do this..


Please go to Start >> Run >> Copy/Paste command below >> Press Enter

REGEDIT /E "%USERPROFILE%\Desktop\result.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox"

A new textfile result.txt will be created on your Desktop. Please post its content in your next reply..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 Bulldog

Bulldog
  • Topic Starter

  • Members
  • 394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:01:40 AM

Posted 08 December 2008 - 01:45 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\\Program Files\\AVG\\AVG8\\Firefox"
"{9763EBE6-D153-48E8-898B-973560127250}"="C:\\Documents and Settings\\tim\\Local Settings\\Application Data\\{9763EBE6-D153-48E8-898B-973560127250}"

see desktop photo above not sure if it means anything. the default home page url is what gets me.
bulldogsmall6ma.jpg


"And in the end it's not the years in your life that count. It's the life in your years." - Abe Lincoln




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users