
Unidentified browser redirect


  • This topic is locked
18 replies to this topic

#1 TLIT

  • Members
  • 17 posts

Posted 27 January 2009 - 06:43 PM

I have a PC with a browser redirect problem. It redirects Google searches to random sites and blocks me from downloading mal/spy/virus applications or updates. I have run every scanner I can locate and they all show 0 infections. I can temporarily use Opera to get by but need to use IE eventually. This is the HijackThis log; any help would be appreciated. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:22 PM, on 1/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\TeamLogicIT Temp\KRlyCLis.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080506
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080506
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.del...amp;ibd=6080506
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe"
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233035862306
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JMIInstrument.local
O17 - HKLM\Software\..\Telephony: DomainName = JMIInstrument.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JMIInstrument.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = JMIInstrument.local
O20 - AppInit_DLLs: ukrmgj.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10924 bytes



#2 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 February 2009 - 02:13 PM

Hi TLIT,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have done anything since your previous post, or if you have run any other tools. Also tell me the current condition of your computer.

  • To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Set the scan files/folders to 3 months.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

    Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

    Note 2: The tool takes no more than one minute to scan the system.
You might want to save this page on your favorites, so you can find it again when you return.

#3 TLIT
  • Topic Starter

Posted 05 February 2009 - 02:59 PM

Thanks for your help farbar.

The Opera browser was randomly opening websites so I ran Malwarebytes again and removed 13 items.

The laptop is still having problems with IE and google redirects/access to antivirus websites, etc...

Here are the new log and info files.

Attached Files

  • info.txt (28.57KB)
  • log.txt (49.57KB)


#4 Farbar

Posted 05 February 2009 - 04:30 PM

We have some serious work to do. But before that:
  • Please tell me what type of connection you have: cable or dialup.
    Tell me also if you know this domain:

    JMIInstrument.local

  • Tell me what is on drive E (should be CD/DVD-ROM). This file looks legit but we want to make sure. Do you know this file:

    E:\asrun.exe


#5 TLIT
  • Topic Starter

Posted 05 February 2009 - 05:05 PM

It is a cable connection.

Yes, JMIInstrument.local is our domain.

E: was a flash drive that has been removed. I don't know what the asrun.exe file was; it wasn't executed, though.

#6 Farbar

Posted 05 February 2009 - 05:24 PM

AVG is outdated, but we will attend to that later on.
  • Please open HiJackThis in this way: Go to start > Run and copy and paste the following and click OK:

    "C:\Program Files\Trend Micro\HijackThis\aaron.exe"

    Then choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    O2 - BHO: {996be2a9-e595-5028-e7b4-42cf7a512210} - {012215a7-fc24-4b7e-8205-595e9a2eb699} - C:\WINDOWS\system32\tbesuo.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnoOIcA.dll
    O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
    O20 - AppInit_DLLs: ukrmgj.dll


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.
Please include in your next reply:
  • The log of Combofix.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.
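
As an added example (not code from this thread, from HijackThis, or from the helper), the following Python script encodes the triage reasoning behind the four "Fix checked" entries above: a non-empty O20 AppInit_DLLs value, an O2 BHO with no display name, a bare CLSID as its name, or a DLL sitting directly in system32, and an O16 DPF (ActiveX) entry with no download source. The sample lines are taken from the logs posted in this thread; the regexes and heuristics are this example's own assumptions, not rules shipped with HijackThis.

```python
"""Triage heuristics for Trend Micro HijackThis v2 log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the four entries the helper asked to fix, plus three
# benign entries from the same logs that must NOT be flagged.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: {996be2a9-e595-5028-e7b4-42cf7a512210} - {012215a7-fc24-4b7e-8205-595e9a2eb699} - C:\WINDOWS\system32\tbesuo.dll",
    r"O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnoOIcA.dll",
    r"O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -",
    r"O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab",
    r"O20 - AppInit_DLLs: ukrmgj.dll",
    r"O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll",
]

# Registry-style CLSID: {8-4-4-4-12} hex groups.
CLSID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.+)$")
DPF_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID}) \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
CLSID_RE = re.compile(rf"^{CLSID}$")
# Heuristic (assumption): a BHO DLL dropped straight into system32 with no
# vendor subfolder. Every legitimate BHO in this log lives under Program Files.
SYSTEM32_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # "O2", "O16" or "O20"
    target: str   # DLL basename, CLSID, or the AppInit_DLLs value
    reason: str
    line: str     # the original log line, ready to tick in HijackThis


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when a HijackThis line matches one heuristic, else None."""
    line = line.rstrip()
    m = APPINIT_RE.match(line)
    if m:
        dlls = m.group("dlls").strip()
        if not dlls:
            return None  # an empty AppInit_DLLs value is the normal state
        return Finding("O20", dlls,
                       "AppInit_DLLs is non-empty: the DLL is loaded into every "
                       "process that maps user32.dll", line)
    m = BHO_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        target = path.rsplit("\\", 1)[-1]
        if name == "(no name)":
            return Finding("O2", target, "BHO registered without a display name", line)
        if CLSID_RE.match(name):
            return Finding("O2", target, "BHO whose display name is a bare CLSID", line)
        if SYSTEM32_DLL_RE.match(path):
            return Finding("O2", target, "BHO DLL placed directly in system32", line)
        return None
    m = DPF_RE.match(line)
    if m and not m.group("url"):
        return Finding("O16", m.group("clsid"),
                       "ActiveX (DPF) entry with no download source", line)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a whole log, preserving log order."""
    return [f for f in map(triage_line, lines) if f is not None]


def fix_list(lines: Iterable[str]) -> List[str]:
    """The original lines to check in HijackThis, in the form the helper listed them."""
    return [f.line for f in triage(lines)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.target}: {f.reason}")
```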


#7 TLIT
  • Topic Starter

Posted 05 February 2009 - 06:38 PM

Farbar,

ComboFix detected rootkit activity and rebooted the system twice during processing; each time, after logging in, ComboFix continued. Otherwise everything went fine. I did have to remove AVG 7.5: it could not be stopped, as it is a network version and there are no controls to stop it. I hope that was better than letting it run during the ComboFix scan. I have an updated version to install when you give me the go-ahead.

Here is the HiJackThis log:

Logfile of random's system information tool 1.05 (written by random/random)
Run by aaron at 2009-02-05 17:29:30
Microsoft Windows XP Professional Service Pack 3
System drive C: has 88 GB (77%) free of 114 GB
Total RAM: 2038 MB (78% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:29, on 2009-02-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\TeamLogicIT Temp\KRlyCLis.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe
C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Aaron.JMIINSTRUMENT\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\aaron.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080506
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.del...amp;ibd=6080506
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe"
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233035862306
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JMIInstrument.local
O17 - HKLM\Software\..\Telephony: DomainName = JMIInstrument.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JMIInstrument.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = JMIInstrument.local
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\TeamLogic IT\Agent\AgentMon.exe
O23 - Service: Kaseya Security Service (KaseyaAVService) - Unknown owner - C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10394 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Apoint"=C:\Program Files\Apoint\Apoint.exe [2007-01-25 159744]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-05-18 138008]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-05-18 162584]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-05-18 138008]
"Dell QuickSet"=C:\Program Files\Dell\QuickSet\quickset.exe [2007-05-14 1191936]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2007-10-09 2183168]
"WavXMgr"=C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe [2007-09-10 92160]
"SecureUpgrade"=C:\Program Files\Wave Systems Corp\SecureUpgrade.exe [2007-09-14 218424]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-12-05 405504]
"KADxMain"=C:\WINDOWS\system32\KADxMain.exe [2006-11-02 282624]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
"Kaseya Agent Service Helper"=C:\Program Files\TeamLogic IT\Agent\KaUsrTsk.exe [2008-09-04 229376]
"DellNSCST_GRNCH"=C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe [2006-12-05 278528]
"ScreenPrint32"=C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe [2003-05-15 446464]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-01-11 623992]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Speed Launch]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe [2006-10-23 46200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Synchronizer]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2007-05-10 738968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [2007-09-17 124200]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [2006-08-17 1116920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-07-30 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
C:\PROGRA~1\DIGITA~1\DLG.exe [2006-11-03 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
C:\PROGRA~1\WINDOW~4\WINDOW~1.EXE [2007-02-05 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gemsafe]
C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll [2006-11-16 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-05-18 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
wvauth

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe"="C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe:*:Disabled:DNSCST Module"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe"="C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe"="C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe:*:Enabled:DNSCST Module"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Business Solutions-Navision\Client\AtDebug.exe"="C:\Program Files\Microsoft Business Solutions-Navision\Client\AtDebug.exe:*:Enabled:Microsoft Business Solutions-Navision Debugger"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b099bcb-25a8-11dd-b266-001c234d15d6}]
shell\AutoRun\command - E:\asrun.exe Start.htm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77dc4115-3e00-11dd-b287-001c234d15d6}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 3 months======

2009-02-05 17:26:57 ----D---- C:\WINDOWS\temp
2009-02-05 17:26:53 ----A---- C:\ComboFix.txt
2009-02-05 16:59:45 ----A---- C:\Boot.bak
2009-02-05 16:59:33 ----RASHD---- C:\cmdcons
2009-02-05 16:39:08 ----A---- C:\WINDOWS\zip.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\VFIND.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\SWSC.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\SWREG.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\sed.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\NIRCMD.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\grep.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\fdsv.exe
2009-02-05 16:38:59 ----D---- C:\WINDOWS\ERDNT
2009-02-05 16:38:59 ----D---- C:\Qoobox
2009-02-05 13:50:27 ----D---- C:\rsit
2009-02-03 12:12:08 ----N---- C:\WINDOWS\system32\clickfile.exe
2009-02-02 11:47:07 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2009-02-02 11:47:07 ----D---- C:\Documents and Settings\Aaron.JMIINSTRUMENT\Application Data\Yahoo!
2009-02-02 11:47:05 ----D---- C:\Program Files\Yahoo!
2009-01-27 07:44:23 ----D---- C:\WINDOWS\SQL9_KB954606_ENU
2009-01-27 07:43:23 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-01-27 05:41:09 ----D---- C:\WINDOWS\Prefetch
2009-01-27 01:01:14 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-27 01:01:05 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-01-27 01:00:57 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-01-27 01:00:49 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2009-01-27 01:00:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-01-27 01:00:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-01-27 00:59:53 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-01-27 00:59:41 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-01-27 00:59:32 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-01-27 00:59:15 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-01-27 00:59:04 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-01-27 00:58:52 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-01-27 00:58:41 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-01-27 00:58:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-01-27 00:58:19 ----HDC---- C:\WINDOWS\$NtUninstallKB951618-v2$
2009-01-27 00:58:01 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-01-27 00:57:47 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2009-01-27 00:57:32 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-01-27 00:57:24 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-01-27 00:57:12 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-01-27 00:57:02 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-01-27 00:56:42 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-01-27 00:51:30 ----D---- C:\WINDOWS\system32\scripting
2009-01-27 00:51:30 ----D---- C:\WINDOWS\l2schemas
2009-01-27 00:51:29 ----D---- C:\WINDOWS\system32\en
2009-01-27 00:51:29 ----D---- C:\WINDOWS\system32\bits
2009-01-27 00:49:33 ----D---- C:\WINDOWS\ServicePackFiles
2009-01-27 00:36:59 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-01-27 00:30:14 ----A---- C:\WINDOWS\system32\wmphoto.dll
2009-01-27 00:30:13 ----A---- C:\WINDOWS\system32\wlanapi.dll
2009-01-27 00:30:12 ----A---- C:\WINDOWS\system32\windowscodecsext.dll
2009-01-27 00:30:12 ----A---- C:\WINDOWS\system32\windowscodecs.dll
2009-01-27 00:30:09 ----A---- C:\WINDOWS\system32\tspkg.dll
2009-01-27 00:30:06 ----A---- C:\WINDOWS\system32\spupdwxp.exe
2009-01-27 00:30:06 ----A---- C:\WINDOWS\system32\spdwnwxp.exe
2009-01-27 00:30:04 ----N---- C:\WINDOWS\slrundll.exe
2009-01-27 00:30:04 ----A---- C:\WINDOWS\system32\slserv.exe
2009-01-27 00:30:04 ----A---- C:\WINDOWS\system32\slrundll.exe
2009-01-27 00:30:04 ----A---- C:\WINDOWS\system32\slgen.dll
2009-01-27 00:30:04 ----A---- C:\WINDOWS\system32\slextspk.dll
2009-01-27 00:30:04 ----A---- C:\WINDOWS\system32\slcoinst.dll
2009-01-27 00:30:02 ----A---- C:\WINDOWS\system32\setupn.exe
2009-01-27 00:30:02 ----A---- C:\WINDOWS\system32\s3gnb.dll
2009-01-27 00:30:00 ----A---- C:\WINDOWS\system32\rasqec.dll
2009-01-27 00:30:00 ----A---- C:\WINDOWS\system32\qutil.dll
2009-01-27 00:29:59 ----A---- C:\WINDOWS\system32\qcliprov.dll
2009-01-27 00:29:59 ----A---- C:\WINDOWS\system32\qagentrt.dll
2009-01-27 00:29:59 ----A---- C:\WINDOWS\system32\qagent.dll
2009-01-27 00:29:58 ----A---- C:\WINDOWS\system32\photometadatahandler.dll
2009-01-27 00:29:58 ----A---- C:\WINDOWS\system32\onex.dll
2009-01-27 00:29:55 ----A---- C:\WINDOWS\system32\napstat.exe
2009-01-27 00:29:55 ----A---- C:\WINDOWS\system32\napmontr.dll
2009-01-27 00:29:55 ----A---- C:\WINDOWS\system32\napipsec.dll
2009-01-27 00:29:55 ----A---- C:\WINDOWS\system32\mtxparhd.dll
2009-01-27 00:29:54 ----A---- C:\WINDOWS\system32\msxml6r.dll
2009-01-27 00:29:54 ----A---- C:\WINDOWS\system32\msshavmsg.dll
2009-01-27 00:29:54 ----A---- C:\WINDOWS\system32\mssha.dll
2009-01-27 00:29:48 ----A---- C:\WINDOWS\system32\mmcperf.exe
2009-01-27 00:29:48 ----A---- C:\WINDOWS\system32\mmcfxcommon.dll
2009-01-27 00:29:48 ----A---- C:\WINDOWS\system32\mmcex.dll
2009-01-27 00:29:48 ----A---- C:\WINDOWS\system32\microsoft.managementconsole.dll
2009-01-27 00:29:42 ----A---- C:\WINDOWS\system32\l2gpstore.dll
2009-01-27 00:29:42 ----A---- C:\WINDOWS\system32\kmsvc.dll
2009-01-27 00:29:42 ----A---- C:\WINDOWS\system32\kbdpash.dll
2009-01-27 00:29:42 ----A---- C:\WINDOWS\system32\kbdnepr.dll
2009-01-27 00:29:42 ----A---- C:\WINDOWS\system32\kbdiultn.dll
2009-01-27 00:29:42 ----A---- C:\WINDOWS\system32\kbdbhc.dll
2009-01-27 00:29:37 ----A---- C:\WINDOWS\system32\smtpapi.dll
2009-01-27 00:29:37 ----A---- C:\WINDOWS\system32\rwnh.dll
2009-01-27 00:29:36 ----A---- C:\WINDOWS\system32\comsdupd.exe
2009-01-27 00:29:33 ----A---- C:\WINDOWS\system32\hsfcisp2.dll
2009-01-27 00:29:30 ----A---- C:\WINDOWS\system32\faxpatch.exe
2009-01-27 00:29:30 ----A---- C:\WINDOWS\003019_.tmp
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\eapsvc.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\eapqec.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\eappprxy.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\eapphost.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\eappgnui.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\eappcfg.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\eapp3hst.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\eapolqec.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\dot3ui.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\dot3svc.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\dot3msm.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\dot3gpclnt.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\dot3dlg.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\dot3cfg.dll
2009-01-27 00:29:29 ----A---- C:\WINDOWS\system32\dot3api.dll
2009-01-27 00:29:28 ----A---- C:\WINDOWS\system32\dimsroam.dll
2009-01-27 00:29:28 ----A---- C:\WINDOWS\system32\dimsntfy.dll
2009-01-27 00:29:28 ----A---- C:\WINDOWS\system32\dhcpqec.dll
2009-01-27 00:29:25 ----A---- C:\WINDOWS\system32\credssp.dll
2009-01-27 00:29:22 ----A---- C:\WINDOWS\system32\bitsprx4.dll
2009-01-27 00:29:22 ----A---- C:\WINDOWS\system32\azroles.dll
2009-01-27 00:29:21 ----A---- C:\WINDOWS\system32\ativvaxx.dll
2009-01-27 00:29:21 ----A---- C:\WINDOWS\system32\ativtmxx.dll
2009-01-27 00:29:21 ----A---- C:\WINDOWS\system32\ati3duag.dll
2009-01-27 00:29:21 ----A---- C:\WINDOWS\system32\ati3d1ag.dll
2009-01-27 00:29:21 ----A---- C:\WINDOWS\system32\ati2dvag.dll
2009-01-27 00:29:21 ----A---- C:\WINDOWS\system32\ati2dvaa.dll
2009-01-27 00:29:21 ----A---- C:\WINDOWS\system32\ati2cqag.dll
2009-01-26 22:55:47 ----D---- C:\Program Files\CCleaner
2009-01-26 18:22:36 ----D---- C:\Documents and Settings\Aaron.JMIINSTRUMENT\Application Data\Opera
2009-01-26 18:22:30 ----D---- C:\Program Files\Opera
2009-01-26 17:07:32 ----D---- C:\Program Files\XoftSpySE
2009-01-26 16:58:33 ----D---- C:\Program Files\Trend Micro
2009-01-26 16:39:22 ----D---- C:\fixwareout
2009-01-26 16:28:35 ----D---- C:\WINDOWS\system32\appmgmt
2009-01-26 15:33:48 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-01-26 15:33:48 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-26 14:00:16 ----D---- C:\Documents and Settings\Aaron.JMIINSTRUMENT\Application Data\Malwarebytes
2009-01-26 13:59:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-26 13:59:59 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-14 08:26:34 ----HDC---- C:\WINDOWS\$NtUninstallKB958687_0$
2009-01-11 23:02:00 ----D---- C:\Documents and Settings\Aaron.JMIINSTRUMENT\Application Data\HorizonWimba
2008-12-22 18:01:05 ----D---- C:\Documents and Settings\All Users\Application Data\PopCap
2008-12-22 17:58:24 ----RHD---- C:\$VAULT$.AVG
2008-12-13 03:38:40 ----HDC---- C:\WINDOWS\$NtUninstallKB925876$
2008-12-13 03:38:08 ----A---- C:\WINDOWS\system32\tsgqec.dll
2008-12-13 03:38:08 ----A---- C:\WINDOWS\system32\rhttpaa.dll
2008-12-13 03:38:08 ----A---- C:\WINDOWS\system32\aaclient.dll
2008-12-13 03:37:56 ----HDC---- C:\WINDOWS\$NtUninstallKB904942$
2008-12-13 03:37:07 ----HDC---- C:\WINDOWS\$NtUninstallKB896344$
2008-12-11 03:42:14 ----HDC---- C:\WINDOWS\$NtUninstallKB956802_0$
2008-12-11 03:40:59 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-11 03:40:16 ----HDC---- C:\WINDOWS\$NtUninstallKB954600_0$
2008-12-11 03:39:25 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-11-15 03:52:11 ----HDC---- C:\WINDOWS\$NtUninstallKB957097_0$
2008-11-15 03:51:26 ----HDC---- C:\WINDOWS\$NtUninstallKB955069_0$
2008-11-07 14:52:11 ----D---- C:\WINDOWS\pss

======List of files/folders modified in the last 3 months======

2009-02-05 17:26:58 ----D---- C:\WINDOWS\system32\drivers
2009-02-05 17:26:58 ----D---- C:\WINDOWS\system32
2009-02-05 17:26:57 ----D---- C:\WINDOWS
2009-02-05 17:26:06 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-05 17:23:37 ----A---- C:\WINDOWS\system.ini
2009-02-05 17:21:21 ----D---- C:\WINDOWS\Registration
2009-02-05 17:21:11 ----A---- C:\WINDOWS\ModemLog_Conexant HDA D330 MDC V.92 Modem.txt
2009-02-05 17:19:45 ----D---- C:\WINDOWS\system32\config
2009-02-05 17:19:01 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-02-05 17:17:17 ----D---- C:\WINDOWS\AppPatch
2009-02-05 17:17:17 ----D---- C:\Program Files\Common Files
2009-02-05 17:14:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-05 16:59:45 ----RASH---- C:\boot.ini
2009-02-05 16:52:15 ----D---- C:\WINDOWS\system
2009-02-05 16:52:13 ----D---- C:\Documents and Settings\All Users\Application Data\avg7
2009-02-05 09:34:15 ----D---- C:\WINDOWS\security
2009-02-05 09:20:32 ----HD---- C:\WINDOWS\inf
2009-02-05 01:24:47 ----D---- C:\TeamLogicIT Temp
2009-02-02 11:47:05 ----RD---- C:\Program Files
2009-02-02 11:45:14 ----D---- C:\Temp
2009-02-02 11:19:14 ----SHD---- C:\WINDOWS\CSC
2009-01-27 07:58:38 ----D---- C:\WINDOWS\Debug
2009-01-27 07:54:27 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-27 07:49:48 ----D---- C:\WINDOWS\Microsoft.NET
2009-01-27 07:49:39 ----RSD---- C:\WINDOWS\assembly
2009-01-27 07:45:41 ----SHD---- C:\WINDOWS\Installer
2009-01-27 07:44:44 ----D---- C:\Program Files\Microsoft SQL Server
2009-01-27 07:40:50 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-27 05:40:42 ----D---- C:\WINDOWS\system32\wbem
2009-01-27 05:40:42 ----D---- C:\WINDOWS\system32\Setup
2009-01-27 05:40:41 ----RSD---- C:\WINDOWS\Fonts
2009-01-27 01:02:48 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-27 00:58:28 ----D---- C:\WINDOWS\Help
2009-01-27 00:57:06 ----D---- C:\Program Files\Messenger
2009-01-27 00:51:45 ----D---- C:\WINDOWS\WinSxS
2009-01-27 00:51:37 ----D---- C:\WINDOWS\system32\inetsrv
2009-01-27 00:51:37 ----D---- C:\WINDOWS\network diagnostic
2009-01-27 00:51:37 ----D---- C:\WINDOWS\ime
2009-01-27 00:51:30 ----D---- C:\WINDOWS\system32\usmt
2009-01-27 00:51:30 ----D---- C:\WINDOWS\system32\en-US
2009-01-27 00:51:29 ----D---- C:\WINDOWS\PeerNet
2009-01-27 00:51:29 ----D---- C:\Program Files\Movie Maker
2009-01-27 00:49:20 ----D---- C:\WINDOWS\system32\Restore
2009-01-27 00:49:20 ----D---- C:\WINDOWS\system32\npp
2009-01-27 00:49:20 ----D---- C:\WINDOWS\mui
2009-01-27 00:49:19 ----D---- C:\WINDOWS\msagent
2009-01-27 00:49:18 ----D---- C:\WINDOWS\srchasst
2009-01-27 00:49:18 ----D---- C:\Program Files\NetMeeting
2009-01-27 00:49:17 ----D---- C:\WINDOWS\system32\Com
2009-01-27 00:49:16 ----D---- C:\Program Files\Windows Media Player
2009-01-27 00:49:15 ----D---- C:\Program Files\Windows NT
2009-01-27 00:49:15 ----D---- C:\Program Files\Outlook Express
2009-01-27 00:49:13 ----D---- C:\Program Files\Common Files\System
2009-01-27 00:49:00 ----D---- C:\WINDOWS\system32\oobe
2009-01-27 00:46:46 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-01-27 00:36:57 ----D---- C:\WINDOWS\ehome
2009-01-26 23:57:59 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-26 23:50:58 ----D---- C:\WINDOWS\SoftwareDistribution
2009-01-26 17:13:39 ----SD---- C:\WINDOWS\Tasks
2009-01-26 16:28:32 ----D---- C:\Program Files\Dell
2009-01-26 15:17:15 ----SD---- C:\Documents and Settings\Aaron.JMIINSTRUMENT\Application Data\Microsoft
2009-01-23 08:57:33 ----A---- C:\Documents and Settings\Aaron.JMIINSTRUMENT\Application Data\navinfo.txt
2009-01-21 15:09:45 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-01-20 09:48:28 ----D---- C:\Documents and Settings\Aaron.JMIINSTRUMENT\Application Data\AVG7
2009-01-15 08:06:52 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-01-09 17:35:30 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-25 12:17:15 ----D---- C:\MDT
2008-12-20 03:37:03 ----D---- C:\WINDOWS\ie7updates
2008-12-13 00:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-11 03:44:57 ----D---- C:\Program Files\Internet Explorer
2008-11-18 21:23:02 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 APPDRV;APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [2005-08-12 16128]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2006-08-11 12920]
R1 DLARTL_M;DLARTL_M; C:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 BASFND;BASFND; \??\C:\Program Files\Broadcom\ASFIPMon\BASFND.sys []
R2 DLABMFSM;DLABMFSM; C:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-08-18 35096]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-08-18 32472]
R2 DLADResM;DLADResM; C:\WINDOWS\System32\DLA\DLADResM.SYS [2006-08-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-08-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2006-08-11 51768]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2007-12-02 12672]
R2 WavxDMgr;WavxDMgr; C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys [2007-09-10 161280]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP/Vista; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2007-02-17 132608]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-03-12 160256]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-10-09 1123328]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 DXEC01;DXEC01; C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 97536]
R3 guardian2;guardian2; C:\WINDOWS\System32\Drivers\oz776.sys [2007-11-28 62208]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2007-12-02 989952]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2007-12-02 211200]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-05-18 5707744]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-12-05 1222840]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WaveFDE;Wave System Power Monitor Device Driver; C:\WINDOWS\system32\DRIVERS\WaveFDE.sys [2007-09-06 18176]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2007-12-02 731136]
S2 DgiVecp;DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys []
S2 SSPORT;SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor; C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 KaseyaAgent;Kaseya Agent; C:\Program Files\TeamLogic IT\Agent\AgentMon.exe [2008-09-04 610304]
R2 NICCONFIGSVC;NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [2007-05-14 475136]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
R2 STacSV;SigmaTel Audio Service; C:\WINDOWS\system32\StacSV.exe [2007-12-05 94208]
R2 tcsd_win32.exe;NTRU TSS v1.2.1.25 TCS; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [2007-11-08 1552384]
R2 TdmService;TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [2007-09-07 737280]
R2 Wave UCSPlus;Wave UCSPlus; C:\WINDOWS\system32\dllhost.exe [2008-04-13 5120]
R2 WinVNC4;VNC Server Version 4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2008-05-12 438272]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2007-10-09 24064]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2007-02-05 300032]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 KaseyaAVService;Kaseya Security Service; C:\Program Files\TeamLogic IT\Agent\KasAVSrv.exe [2008-07-22 155648]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-05-06 654848]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-08-05 29184016]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-10-22 65536]
S3 SecureStorageService;SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [2007-08-31 486400]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]
S3 WaveEnrollmentService;WaveEnrollmentService; C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [2007-09-13 192512]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]

-----------------EOF-----------------


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 February 2009 - 04:38 PM

Good idea downloading the latest version of AVG.
  • We need to take a look at some suspect files. Open notepad (start -> Run -> type in notepad and press Enter).

    Copy and paste the content of the code box into the notepad.

    @echo off
    rem add each listed suspect file to Files_for_submission.zip (zip.exe is the copy in C:\WINDOWS)
    for %%g in (
    C:\WINDOWS\system32\clickfile.exe
    C:\WINDOWS\system32\998.exe
    c:\windows\pwmtoodj
    ) do zip Files_for_submission %%g
    rem delete this batch file once it has run
    del %0
  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let it reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • You may install, update and run AVG 8 in the following order.
    • Double click the downloaded setup file to Install AVG 8 then update it.
    • On the left side click Computer scanner and select Scan whole computer.
    • When the scan has finished, under the Result Overview tab at the end of the scan result, click Export overview to file.
    • Select File Type: All files, Name: scan.txt, and save it on your desktop.
    • Under the Warnings tab, press Remove all unhealed infections. Then close the application.
    • Copy/paste the content of scan.txt located on your desktop to your reply.
  • Please run RSIT, set the list of Files/Folders created to 1 Month and copy/paste the content of log.txt to your reply (this time RSIT creates just one log). Tell me also how your computer is running now.
Please include in your next reply:
  • The log of MBAM.
  • The AVG log.
  • The RSIT log.
  • Any comment or feedback about how it went.
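
As an added example (not code from this thread, from RSIT or from BleepingComputer), a Python triage script for the "files/folders created" section of an RSIT log like the one posted above: it parses the timestamp, attribute flags and path of each line and reports executables created in a Windows system directory outside an installer-style burst, which is how clickfile.exe stands out among the service-pack and ComboFix files. The burst heuristic, the three-files-per-minute threshold and the sample subset of log lines are assumptions of the example.

```python
"""Triage helper for the "files/folders created" section of an RSIT log.

Added example; it is not part of this thread and not an RSIT or BleepingComputer tool.
RSIT prints one line per entry:

    2009-02-03 12:12:08 ----N---- C:\\WINDOWS\\system32\\clickfile.exe

i.e. a timestamp, attribute flags between dashes (A, D, H, S, R, C, N) and the path.
Heuristic (an assumption of this example, not an RSIT feature): a service pack, hotfix
or tool installer writes many files within the same minute, while a single dropped
binary in a Windows system directory tends to appear on its own.  Executables created
outside such a burst are reported for a closer look; they are candidates, not verdicts.
"""
import re
from collections import defaultdict
from datetime import datetime

# timestamp, flag block, path -- matches both the "created" and the "modified" sections
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ----([A-Z]*)---- (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
SYSTEM_ROOT = "c:\\windows\\"  # covers C:\WINDOWS, system32 and system32\drivers
BURST_THRESHOLD = 3            # files per minute that count as an installer burst (assumed)

# Constructed sample: a subset of lines copied from the RSIT log posted in this thread.
SAMPLE_LOG = r"""======List of files/folders created in the last 3 months======

2009-02-05 16:39:08 ----A---- C:\WINDOWS\zip.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\VFIND.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-02-05 16:39:08 ----A---- C:\WINDOWS\sed.exe
2009-02-05 16:38:59 ----D---- C:\Qoobox
2009-02-03 12:12:08 ----N---- C:\WINDOWS\system32\clickfile.exe
2009-01-27 07:43:23 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2009-01-27 00:30:14 ----A---- C:\WINDOWS\system32\wmphoto.dll
2009-01-27 00:30:13 ----A---- C:\WINDOWS\system32\wlanapi.dll
2009-01-27 00:30:09 ----A---- C:\WINDOWS\system32\tspkg.dll
2009-01-27 00:30:04 ----N---- C:\WINDOWS\slrundll.exe
2009-01-26 16:58:33 ----D---- C:\Program Files\Trend Micro
2008-12-13 03:38:08 ----A---- C:\WINDOWS\system32\tsgqec.dll
2008-12-13 03:38:08 ----A---- C:\WINDOWS\system32\rhttpaa.dll
2008-12-13 03:38:08 ----A---- C:\WINDOWS\system32\aaclient.dll
"""


def parse_rsit_listing(text):
    """Return [(timestamp, flags, path), ...]; headers, blanks and the EOF marker are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3)))
    return entries


def is_system_executable(path, flags):
    """True for a file (not a directory) with an executable extension under C:\\WINDOWS."""
    if "D" in flags:
        return False
    lowered = path.lower()
    return lowered.startswith(SYSTEM_ROOT) and lowered.endswith(EXEC_EXT)


def flag_isolated_executables(entries, burst_threshold=BURST_THRESHOLD):
    """Paths of system executables whose creation minute holds fewer than burst_threshold entries."""
    per_minute = defaultdict(list)
    for ts, flags, path in entries:
        per_minute[ts.replace(second=0)].append((flags, path))
    flagged = []
    for minute in sorted(per_minute, reverse=True):   # newest first, like RSIT itself
        group = per_minute[minute]
        if len(group) >= burst_threshold:
            continue                                   # installer/service-pack burst
        flagged.extend(path for flags, path in group if is_system_executable(path, flags))
    return flagged


if __name__ == "__main__":
    for path in flag_isolated_executables(parse_rsit_listing(SAMPLE_LOG)):
        print("review:", path)
```

Raising the threshold shows the trade-off: at five files per minute the four ComboFix tools and the SP3 libraries are reported too, so the threshold has to be tuned against what the machine was legitimately doing in the same window.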


#9 TLIT

TLIT
  • Topic Starter

  • Members
  • 17 posts

Posted 06 February 2009 - 06:57 PM

I ran all scans as requested. Malwarebytes did not find anything. AVG found 6 items. I tested IE and Google searches, and they are no longer redirecting. I was also able to download applications in IE, which was previously not possible. Attached are my logs.

Thank you for all your effort and have a nice weekend.

Attached Files

  • log.txt (42.32KB)
  • MBAM.txt (832 bytes)
  • scan.txt (37.62KB)


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 February 2009 - 07:08 PM

Thanks for the logs. Could you please do me a favor and upload the zip file as instructed? I'll remove the attached zip file later, as soon as you give me the sign, as it is not safe to have suspicious files attached to the reply. If one of the files is malware related, one can get infected by downloading it.

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 February 2009 - 07:29 PM

No need to upload any more. AVG did the job for us: it identified the malware file and removed it. I downloaded the file and removed it from the post. I'm going through the logs once more and will post a reply ASAP.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 February 2009 - 07:41 PM

After this heavy infection, to make sure, we run one more scan. It takes time, but it is better to be safe than sorry.
  • Open Notepad (Start > Run and type in Notepad) and make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    REGEDIT4 
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b099bcb-25a8-11dd-b266-001c234d15d6}]
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take place.

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 12".
    • Click the "Download" button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download Windows Offline Installation and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java:

      J2SE Runtime Environment 5.0 Update
      Java™ 6 Update 5
      Java™ 6 Update 7
    • Check (highlight) any item with Java or Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • Please run the F-Secure Online Scanner
    Note: This Scanner is for Internet Explorer Only!
    Follow the Instruction here for installation.
    Accept the License Agreement.
    Once the ActiveX installs, click Full System Scan
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.
    Click the Show Report button and Copy&Paste the entire report in your next reply.
I'm not very sure about your flash-drive. If you still have it and are not sure about the file I named, we can disinfect it. It will take just a few seconds.
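Before double-clicking a .reg file someone sends you, it is worth knowing exactly what it will do to the registry. The following is an added example, not part of the thread and not a BleepingComputer or Farbar tool: a small REGEDIT4 parser that lists each key/value action a fix file performs, run here against the regfix text posted above (embedded as a constructed sample). A leading `-` inside the square brackets is what marks a key for deletion; MountPoints2 holds per-volume Explorer settings (including cached autorun.inf shell verbs) keyed by volume GUID, which is why a stale entry for a removable drive gets cleared after a flash-drive infection.

```python
import re
from typing import List, Tuple

# Constructed sample: the same REGEDIT4 fix file the helper posted above.
REGFIX_TEXT = r"""REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b099bcb-25a8-11dd-b266-001c234d15d6}]
"""

# "[-KEY]" deletes a key, "[KEY]" creates/opens it; a value line is '"name"=data' or '@=data',
# and data of "-" deletes that value.
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_regfile(text: str) -> List[Tuple[str, str, str]]:
    """Return (action, key, detail) tuples describing what the .reg file would do.

    Actions: 'delete_key', 'create_key', 'set_value', 'delete_value'.
    Only the REGEDIT4 (ANSI) header is accepted, which is what the fix above uses.
    """
    lines = [line.strip() for line in text.splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    actions: List[Tuple[str, str, str]] = []
    current = None  # key that following value lines apply to
    for line in lines[1:]:
        if not line or line.startswith(";"):  # blank lines and comments
            continue
        m = _KEY_RE.match(line)
        if m:
            deleting, key = m.group(1) == "-", m.group(2)
            current = None if deleting else key  # values cannot follow a deleted key
            actions.append(("delete_key" if deleting else "create_key", key, ""))
            continue
        m = _VALUE_RE.match(line)
        if m and current:
            name, data = m.group(1), m.group(2)
            actions.append(("delete_value" if data == "-" else "set_value", current, f"{name}={data}"))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return actions

def deleted_keys(text: str) -> List[str]:
    """Just the keys a fix file removes outright; the part to read twice before applying it."""
    return [key for action, key, _ in parse_regfile(text) if action == "delete_key"]

if __name__ == "__main__":
    for action, key, detail in parse_regfile(REGFIX_TEXT):
        print(action, key, detail)
```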

#13 TLIT

TLIT
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 09 February 2009 - 05:42 PM

Ran the regfix as requested.
Java updates as requested.
F-Secure ran, log is below.
The pc has been running good, there was a virus warning, I am attaching a copy of the screen shot. I chose "Heal". This was before these changes and scans.

I also turned off system restore so all past restore points would be deleted, then turned it back on. I didn't want someone to use an old restore point and bring back all the junk you helped us fix.


Scanning Report

Monday, February 09, 2009 11:14:59 - 12:05:57

Computer name: AARONHLAPTOP
Scanning type: Scan system for malware, rootkits
Target: C:\

Result: 8 malware found
TrackingCookie.2o7 (spyware)

System
TrackingCookie.Adinterax (spyware)

System
TrackingCookie.Atdmt (spyware)

System
TrackingCookie.Atwola (spyware)

System
TrackingCookie.Doubleclick (spyware)

System
TrackingCookie.Specificclick (spyware)

System
TrackingCookie.Yieldmanager (spyware)

System
Trojan.Win32.Monderb.ahhp (virus)

C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20090205-163246-353.DLL (Renamed
& Submitted)

Statistics
Scanned:

Files: 39824

System: 3373

Not scanned: 8
Actions:

Disinfected: 0

Renamed: 1

Deleted: 0

None: 7

Submitted: 1
Files not scanned:

C:\HIBERFIL.SYS

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\DOCUMENTS AND SETTINGS\AARON.JMIINSTRUMENT\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\OUTLOOK\OUTLOOK.PST

Options
Scanning engines:

F-Secure USS: 3.0.0

F-Secure Blacklight: 0.0.0

F-Secure Hydra: 3.6.8511, 2009-02-09

F-Secure Pegasus: 1.20.0, 1969-11-31

F-Secure AVP: 7.0.171, 2009-02-09
Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD
DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD
MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD
JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB
LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use Advanced heuristics

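Reading a scanner report like the one above means separating the "hits" into what is still live and what is not. The following is an added example, not part of the thread: a parser for the F-Secure report format (the "Result: N malware found" block, with each name/type line followed by its location, which may wrap onto a second line) plus a triage that applies the same reading Farbar gives in his reply below: tracking cookies are noise, and a detection inside a removal tool's backup folder is a copy that has already been set aside. The report text is a constructed sample abridged from the one pasted above; the folder hints are my own list.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample, abridged from the F-Secure report pasted above.
REPORT = """Scanning Report

Result: 3 malware found
TrackingCookie.2o7 (spyware)

System
TrackingCookie.Doubleclick (spyware)

System
Trojan.Win32.Monderb.ahhp (virus)

C:\\PROGRAM FILES\\TREND MICRO\\HIJACKTHIS\\BACKUPS\\BACKUP-20090205-163246-353.DLL (Renamed
& Submitted)

Statistics
Scanned:
"""

_RESULT_RE = re.compile(r"^Result: (\d+) malware found$")
_NAME_RE = re.compile(r"^(\S+) \((\w+)\)$")  # e.g. "Trojan.Win32.Monderb.ahhp (virus)"
# Assumed list: folders where a hit is a copy a tool already set aside, not a running infection.
_QUARANTINE_HINTS = ("\\HIJACKTHIS\\BACKUPS\\", "\\QUARANTINE\\", "\\SYSTEM VOLUME INFORMATION\\")

def parse_report(text: str) -> List[Dict[str, str]]:
    """Return one dict per detection: name, type and (possibly multi-line) location."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if _RESULT_RE.match(l.strip())), None)
    if start is None:
        raise ValueError("no 'Result:' line in report")
    expected = int(_RESULT_RE.match(lines[start].strip()).group(1))
    items: List[Dict[str, str]] = []
    for raw in lines[start + 1:]:
        line = raw.strip()
        if line == "Statistics":  # end of the detection list
            break
        if not line:
            continue
        m = _NAME_RE.match(line)
        if m:
            items.append({"name": m.group(1), "type": m.group(2), "location": ""})
        elif items:  # location line, or the wrapped tail of one
            items[-1]["location"] = (items[-1]["location"] + " " + line).strip()
    if len(items) != expected:
        raise ValueError(f"header says {expected} detections, parsed {len(items)}")
    return items

def triage(item: Dict[str, str]) -> str:
    if item["name"].startswith("TrackingCookie."):
        return "cookie"
    if any(h in item["location"].upper() for h in _QUARANTINE_HINTS):
        return "quarantined_copy"
    return "active"

def summarize(text: str) -> Counter:
    return Counter(triage(i) for i in parse_report(text))
```

Anything that lands in the "active" bucket is what actually needs a follow-up; for the report above that bucket is empty.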

#14 TLIT

TLIT
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 09 February 2009 - 05:49 PM

Sorry, here is the screen shot.

Attached Files



#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:46 AM

Posted 09 February 2009 - 06:14 PM

The virus warning concerned a file in system restore; we would have flushed it anyway at the end.

F-Secure found nothing but a few tracking cookies and an infected file in Hijackthis backup folder (it was already removed with Hijackthis).

Before we uninstall Combofix and give you some recommendations, just one thing I am still worried about:

I'm not very sure about your flash-drive. If you still have it and are not sure about the file I named, we can disinfect it. It will take just a few seconds.





