
Red X in Windows Bar


  • This topic is locked
3 replies to this topic

#1 Aggiemundo (Members, 3 posts)

Posted 08 March 2009 - 07:39 PM

I seem to have gotten a trojan that has taken over my desktop and left a message in the wallpaper telling me that "Warning: Fatal Error! All media systems on your computer have been crashed". This nasty bug has denied me access to TaskManager (unless I rename the file) and has changed my reg files so that I cannot change my wallpaper or screen resolution.

There is also a red circle with a white X that shows up as an icon in my tray and occasionally lets me know that my codec needs to be updated. It leads to the WinCoDecPro website but I haven't downloaded anything from that site.

I've run HijackThis and will post the results below. I've seen that most of the other solutions require that the user run ComboFix, but I find that it cannot run if Kaspersky is running. Unfortunately the Kaspersky on my computer is password protected from shutoff by my IT department. I can probably get the passcode from them at some point but I was hoping to fix the problem sooner. How bad is it to run ComboFix with Kaspersky still going?

Here are the HijackThis results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:43 PM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\Kernel32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Common Files\Freescale\CWUpdater\Updater.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\MediaSystem\wmptray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Agent13\Agent13.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0070119
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ca.dell.com/content/default.as...;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ca.dell.com/content/default.as...;l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=0070119
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=w8...e7_4ZhSfbmA7SMA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ISASERVER:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Agent13] C:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [CWUpdaterService] "C:\Program Files\Common Files\Freescale\CWUpdater\Updater.exe" -servicemode
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [WmpTray] C:\Program Files\MediaSystem\wmptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1B9ACD72-2F79-4AE3-B5C5-42D8C5E17677} (NKKBitmapEditor.BitmapEditor) - http://www.nkksmartswitch.com/designonline...itmapEditor.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.babysites.com/inc/iu/ImageUploader4.cab
O16 - DPF: {CCBD4D3F-7640-4C42-8D26-9BA1450AFA8B} (NKKSendSwitches.UserControl1) - http://www.nkksmartswitch.com/designonline...endSwitches.Cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://futureelectronics.webex.com/client/...ent/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NA.FUTURE.CA
O17 - HKLM\Software\..\Telephony: DomainName = NA.FUTURE.CA
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NA.FUTURE.CA
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NA.FUTURE.CA
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12870 bytes

Thanks so much guys. I'll owe you big if you can help.
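As an added example (not part of the original post, and not HijackThis's own code), the following Python script performs the first triage pass a responder would run over a HijackThis log like the one above. The heuristics are the example's own: a running process or O4 autorun whose file name borrows a core Windows binary name but lives outside `%WINDIR%\system32` (the genuine kernel32 is a DLL in system32, never an EXE in the Windows root), an autorun written as a bare file name, an executable outside the Windows and Program Files trees, and any O20 AppInit_DLLs entry. `SAMPLE_LOG` is a constructed excerpt modelled on the posted log, not the full log.

```python
"""Added example: first-pass triage of a HijackThis log.

Heuristics (this example's own, not HijackThis's):
  * a running process or O4 autorun whose file name borrows a core
    Windows binary name but lives outside %WINDIR%\\system32
    (the genuine kernel32 is a DLL in system32, never an EXE);
  * an O4 autorun given as a bare file name (resolved by search order);
  * an executable outside the Windows / Program Files trees;
  * any O20 AppInit_DLLs entry (loaded into every user32 process).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LOOKALIKE_STEMS = {"kernel32", "svchost", "lsass", "csrss",
                   "winlogon", "services", "smss"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\\S.*\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "info"
    line: str       # the log line that triggered it
    reason: str


def exe_from_command(cmd: str) -> str:
    """Return the executable part of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):               # quoted path, arguments after it
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_path(line: str, path: str, findings: list[Finding]) -> None:
    """Apply the path heuristics to one executable reference."""
    low = path.lower()
    if "\\" not in low:
        findings.append(Finding("info", line,
            f"{path} has no directory: resolved by search order, hijackable"))
        return
    base = low.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    if stem in LOOKALIKE_STEMS and not low.startswith(SYSTEM_DIRS):
        findings.append(Finding("high", line,
            f"{base} outside system32 mimics a core Windows binary"))
    elif not low.startswith(STANDARD_DIRS):
        findings.append(Finding("info", line,
            f"{path} runs from a non-standard location; verify its publisher"))


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            check_path(line, exe_from_command(m.group("cmd")), findings)
        elif PROCESS_RE.match(line):
            check_path(line, line, findings)
        elif line.startswith("O20 - AppInit_DLLs:"):
            findings.append(Finding("info", line,
                "AppInit_DLLs loads into every user32 process; confirm each DLL"))
    return findings


# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Kernel32.exe
C:\Agent13\Agent13.exe

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Agent13] C:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.reason}\n        {f.line}")
```

On the sample, the two high findings are both `C:\WINDOWS\Kernel32.exe` (once as a running process, once as the `[Agent13]` Run entry), which is exactly the line that stands out in the posted log; the info findings (`Agent13.exe` in a top-level folder, the bare `stsystra.exe` autorun, the AppInit_DLLs entry) are items to verify rather than verdicts, and a legitimate vendor binary can trigger them.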


#2 Aggiemundo (Topic Starter, Members, 3 posts)

Posted 09 March 2009 - 10:57 AM

I had a feeling that I would be asked to run ComboFix, so I know it's not something I'm supposed to do until asked by trained staff here, but I went ahead and did it. From what I can tell I still have the same issues with the machine. Here is the report that was generated.

ComboFix did restart my machine before generating the report and I had to log back in to my Windows account. Also, a number of programs ran at reboot that I could not stop. I hope this didn't conflict with anything ComboFix was doing, as the documentation says not to run any programs while it runs.


ComboFix 09-03-06.02 - Todd.Baker 2009-03-09 10:16:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.566 [GMT -5:00]
Running from: c:\documents and settings\todd.baker\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\todd.baker\Local Settings\Temporary Internet Files\webex.ini
c:\program files\FunWebProducts
c:\windows\IE4 Error Log.txt
c:\windows\kernel32.exe
c:\windows\system32\nsprs.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-08 19:28 . 2009-03-08 19:28 <DIR> d-------- c:\program files\Trend Micro
2009-03-08 15:10 . 2009-03-08 15:10 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-03-08 15:07 . 2009-03-08 20:16 <DIR> d-------- c:\program files\Lavasoft
2009-03-08 15:07 . 2009-03-08 20:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-08 02:59 . 2009-03-08 02:59 <DIR> d--hs---- C:\found.001
2009-03-08 02:03 . 2009-03-08 02:03 <DIR> d-------- c:\program files\MediaSystem
2009-03-04 12:52 . 2009-03-04 12:52 <DIR> d-------- c:\program files\Remote Desktop
2009-03-03 20:09 . 2009-03-03 20:09 <DIR> d-------- c:\windows\system32\scripting
2009-03-03 20:08 . 2008-04-14 06:42 135,680 --a------ c:\windows\system32\taskmgr.exe
2009-03-03 20:08 . 2008-04-14 06:42 135,680 --a------ c:\windows\system32\dllcache\taskmgr.exe
2009-03-03 20:03 . 2008-04-14 00:53 1,309,184 --------- c:\windows\system32\drivers\mtlstrm.sys
2009-03-03 20:02 . 2006-12-29 01:31 19,569 --a------ c:\windows\002987_.tmp
2009-02-26 10:10 . 2009-03-09 10:39 69 --a------ c:\windows\pxisys.ini
2009-02-23 18:06 . 2009-02-23 18:06 <DIR> d-------- c:\program files\HI-TECH Software
2009-02-23 12:22 . 2009-02-23 12:22 48,966 --a------ c:\documents and settings\Image7.gif
2009-02-23 12:22 . 2009-02-23 12:22 48,966 --a------ c:\documents and settings\Image6.gif
2009-02-23 12:21 . 2009-02-23 12:21 48,966 --a------ c:\documents and settings\Image5.gif

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-09 15:41 64,112,416 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-09 15:40 2,082,080 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-09 15:39 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-03-09 15:39 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-03-09 15:37 861,692 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-09 15:37 198,260 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-09 14:46 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-05 19:59 --------- d-----w c:\program files\Cypress
2009-03-04 16:47 25,808 ----a-w c:\documents and settings\todd.baker\Application Data\GDIPFONTCACHEV1.DAT
2009-02-24 17:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 21:34 --------- d-----w c:\documents and settings\todd.baker\Application Data\WebEx
2009-02-17 04:03 --------- d-----w c:\documents and settings\todd.baker\Application Data\U3
2009-02-09 19:21 --------- d-----w c:\program files\Google
2009-02-04 03:56 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-04 03:56 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2009-01-22 18:44 --------- d-----w c:\documents and settings\todd.baker\Application Data\actel
2009-01-13 18:41 --------- d-----w c:\documents and settings\todd.baker\Application Data\Synplicity
2009-01-13 18:36 --------- d-----w c:\documents and settings\todd.baker\Application Data\hte
2009-01-13 18:14 --------- d-----w c:\documents and settings\todd.baker\Application Data\SynaptiCAD
2009-01-09 03:38 --------- d-----w c:\program files\Common Files\SafeNet Sentinel
2009-01-09 03:32 --------- d-----w c:\program files\Common Files\Actel
2007-04-11 19:30 21,822,168 ----a-w c:\program files\AdbeRdr80_en_US.exe
2007-04-11 19:22 66,672 ----a-w c:\program files\sgc10.exe
2004-08-10 04:30 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2004-03-15 22:51 114,688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 15:32 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 15:48 133,920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-23 1392640]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"CWUpdaterService"="c:\program files\Common Files\Freescale\CWUpdater\Updater.exe" [2007-08-16 438664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"WmpTray"="c:\program files\MediaSystem\wmptray.exe" [2009-03-08 57344]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-04-03 1474576]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-01-19 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
"Debugger"=http://wincodecpro.com/purchase.php?id=1017

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=AddAgent13.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=AddNetwork.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^todd.baker^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\todd.baker\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Synchronizer]
--a------ 2007-05-11 00:29 738968 c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 20:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 22:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 21:29 49152 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-01-19 17:42 169984 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-10-16 21:57 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 06:42 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\niDevMon]
--a------ 2007-02-24 02:34 92960 c:\program files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-10-01 10:37 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Agent13\\Agent13DaemonService.exe"=
"c:\\Agent13\\Agent13Cmd.exe"=
"c:\\Agent13\\winvnc.exe"=
"c:\\Agent13\\Agent13.exe"=
"c:\\WCP\\Wcpwmain.exe"=
"%systemroot%\\system32\\sessmgr.exe"=
"%systemroot%\\PCHEALTH\\HELPCTR\\Binaries\\helpsvc.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:Agent13 TCP 135
"445:TCP"= 445:TCP:Agent13 TCP 445
"137:UDP"= 137:UDP:Agent13 UDP 137
"138:UDP"= 138:UDP:Agent13 UDP 138
"139:TCP"= 139:TCP:Agent13 TCP 139
"62515:UDP"= 62515:UDP:Cisco VPN UDP 62515
"4500:UDP"= 4500:UDP:Cisco VPN UDP 4500
"10000:TCP"= 10000:TCP:Cisco VPN TCP 10000
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-02-15 15136]
R2 DriverX;DriverX;c:\windows\system32\drivers\Driverx.sys [2007-10-26 54112]
R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [2008-03-17 94608]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2007-02-16 12696]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2007-02-22 11552]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2007-02-23 11552]
R2 PEDRV;P&E Microcomputer System PCI Driver.;c:\windows\system32\drivers\pedrv.sys [2000-08-03 23296]
R2 VICHW11;P&E BDM Cable Driver II;c:\windows\system32\drivers\vichw11.sys [1998-10-02 5200]
R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [2007-02-21 11552]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [2007-02-21 11552]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [2007-02-25 11552]
S2 FP3BLOADER;Actel FlashPro3 Firmware Loader;c:\windows\system32\drivers\fp3bload.sys [2009-01-08 13952]
S2 MCUSBICD2;Microchip MPLAB ICD 2 Firmware Client Driver (ICD2W2K.SYS);c:\windows\system32\drivers\icd2w2k.sys [2004-03-22 12427]
S3 CyUsb;Cypress Generic USB Driver;c:\windows\system32\drivers\CYUSB.sys [2009-01-08 38144]
S3 jlink;J-Link driver;c:\windows\system32\drivers\jlink.sys [2007-07-11 14208]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/09/2005, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2007-08-21 28672]
S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [2007-01-11 20256]
S3 MQB2SALL;NEC Electronics Starter Kit USB;c:\windows\system32\drivers\MQB2SALL.sys [2007-05-07 16640]
S3 MQB2SVCP_FILTER;NEC Electronics Starter Kit Virtual COM Port;c:\windows\system32\drivers\MQB2SVCP.sys [2007-05-07 30080]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2007-02-22 25888]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2007-02-22 11552]
S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [2007-02-22 11552]
S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [2007-02-25 11552]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2007-02-23 11552]
S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2007-02-25 11552]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2007-02-25 11552]
S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [2007-02-22 11552]
S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [2007-02-25 11552]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2006-12-18 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2006-12-18 151683]
S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [2007-02-22 11552]
S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [2007-02-23 11552]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2007-02-15 11552]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2007-02-15 11552]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2007-02-22 20768]
S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [2007-02-26 11552]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [2007-02-25 11552]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [2007-02-24 11552]
S3 nismbusk;nismbusk;c:\windows\system32\drivers\nismbusk.sys [2007-02-22 86304]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [2007-02-26 11552]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2007-02-25 11552]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [2007-02-22 11552]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2007-02-23 11552]
S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [2007-02-23 11552]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2007-02-23 11552]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2007-02-22 11552]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2007-02-23 11552]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2007-02-25 11552]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2007-02-25 11552]
S3 nixsrkw;nixsrkw;c:\windows\system32\drivers\nixsrkw.sys [2007-02-25 11552]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-04-19 99200]
S3 PSoCUSB;Cypress PSoC Designer USB Driver;c:\windows\system32\drivers\cypress\mprog1\PSoCUSB.sys [2009-02-23 38144]
S3 usb6xxxk;usb6xxxk;c:\windows\system32\drivers\usb6xxxk.sys [2007-02-25 27936]
S3 ZSTAR;Virtual Serial USB driver for Freescale USB Adapter;c:\windows\system32\drivers\usbser-zstar.sys [2008-04-28 25600]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{347241c0-b752-11dc-9033-00059a3c7800}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df43929e-3786-11dd-b70d-00059a3c7800}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0255966-6233-11dd-b0b2-005056c00008}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-03-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Agent13 - c:\windows\Kernel32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=w8w8luf-YCZFe7_4ZhSfbmA7SMA
uInternet Settings,ProxyServer = ISASERVER:8080
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {1B9ACD72-2F79-4AE3-B5C5-42D8C5E17677} - hxxp://www.nkksmartswitch.com/designonline/NKKBitmapEditor.CAB
DPF: {CCBD4D3F-7640-4C42-8D26-9BA1450AFA8B} - hxxp://www.nkksmartswitch.com/designonline/NKKSendSwitches.Cab
FF - ProfilePath - c:\documents and settings\todd.baker\Application Data\Mozilla\Firefox\Profiles\ltnfvlz7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 10:40:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1444)
c:\windows\system32\CSGina.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1500)
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\National Instruments\MAX\nimxs.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\National Instruments\Shared\Tagger\tagsrv.exe
c:\program files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
.
**************************************************************************
.
Completion time: 2009-03-09 10:50:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-09 15:50:43

Pre-Run: 1,147,494,400 bytes free
Post-Run: 4,950,220,800 bytes free

294 --- E O F --- 2009-03-09 08:01:23

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:05:59 AM

Posted 20 March 2009 - 04:58 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:05:59 AM

Posted 25 March 2009 - 07:47 AM

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
