Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Trjon Vundo


  • This topic is locked This topic is locked
12 replies to this topic

#1 bmyronstyle

bmyronstyle

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 25 March 2009 - 05:56 PM

To whom it may concern,

My computer has been infected with possibly two different Trojans. Windows Defender reports the presence of Trojan:Win32/Vundo.gen!AN[/b] and also Trojan:Win32/Vundo.BR (though I haven't seen the later Trojan reported recently). I am fairly sure my computer was infected by a p2p file sharing program, where something was downloaded without my knowledge on my PC by a friend. These Trojans have been on my computer for approximately 3-4 weeks, and I haven't had the time to actively research how to take care of this problem. This I'm sure has made things worse.

I read the HJT tutorial on what to download and how to post. After downloading the DDS file as instructed and saving to the desktop, I attempted to run the program. When I tried to run it however, I received the following error message:

(Window labeled "16 bit MS-DOS Subsystem)
C:\WINDOWS\system32\cmd.com
C:\PROGRA~1\Symantec\S32EVNT1.DLL. An installable Virtual Device Driver failed Dll initialization. Choose 'Close' to terminate the application.

Since then I received a reply to my post from garmanma instructing me to download RSIT by random/random along with the instructions on running the program and properly saving the results. Garmanma also mentioned to just copy and paste the results to this post, so I haven't attached the file. After running, the program gave these results:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Bryan at 2009-03-25 18:46:09
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 174 GB (73%) free of 238 GB
Total RAM: 1023 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:10 PM, on 3/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Bryan\Desktop\dds.scr
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Bryan\Desktop\RSIT.exe
C:\Program Files\trend micro\Bryan.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll (file missing)
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Fposaben] rundll32.exe "C:\WINDOWS\Rgewu.dll",e
O4 - HKLM\..\Run: [Qkofukaqib] rundll32.exe "C:\WINDOWS\osisawegumesa.dll",e
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [A00F2482B9B.exe] C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F2482B9B.exe
O4 - HKCU\..\Run: [A00F76ED166.exe] C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F76ED166.exe
O4 - HKCU\..\Run: [A00F8CF31D5.exe] C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F8CF31D5.exe
O4 - HKCU\..\Run: [A00F6D227A.exe] C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F6D227A.exe
O4 - HKCU\..\Run: [A00F85E976B.exe] C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F85E976B.exe
O4 - HKCU\..\Run: [A00F146BECD0.exe] C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F146BECD0.exe
O4 - HKCU\..\Run: [A00F19E2BC65.exe] C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F19E2BC65.exe
O4 - HKCU\..\Run: [A00F1F25E4D5.exe] C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F1F25E4D5.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096307220389
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram11c.vcu.edu/dwa7W.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\cic32.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O20 - Winlogon Notify: b412e637530 - C:\WINDOWS\System32\cic32.dll
O20 - Winlogon Notify: __c0015E60 - C:\WINDOWS\system32\__c0015E60.dat (file missing)
O20 - Winlogon Notify: __c002E709 - C:\WINDOWS\system32\__c002E709.dat (file missing)
O20 - Winlogon Notify: __c00526D7 - C:\WINDOWS\system32\__c00526D7.dat (file missing)
O20 - Winlogon Notify: __c006C490 - C:\WINDOWS\system32\__c006C490.dat (file missing)
O20 - Winlogon Notify: __c0073B85 - C:\WINDOWS\system32\__c0073B85.dat
O20 - Winlogon Notify: __c00964E8 - C:\WINDOWS\system32\__c00964E8.dat (file missing)
O20 - Winlogon Notify: __c00A1A10 - C:\WINDOWS\system32\__c00A1A10.dat (file missing)
O20 - Winlogon Notify: __c00A4FF8 - C:\WINDOWS\system32\__c00A4FF8.dat (file missing)
O20 - Winlogon Notify: __c00ADEC4 - C:\WINDOWS\system32\__c00ADEC4.dat (file missing)
O20 - Winlogon Notify: __c00BD7F1 - C:\WINDOWS\system32\__c00BD7F1.dat (file missing)
O20 - Winlogon Notify: __c00D8CB9 - C:\WINDOWS\system32\__c00D8CB9.dat (file missing)
O20 - Winlogon Notify: __c00EDFB8 - C:\WINDOWS\system32\__c00EDFB8.dat (file missing)
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 12524 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2008-06-11 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 501400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}]
Zango - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D80C4E21-C346-4E21-8E64-20746AA20AEB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{40D41A8B-D79B-43d7-99A7-9EE0F344C385} - AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll [2004-09-30 163840]
{5AA06644-BC46-4220-A460-47A6EB47C96D}
{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - Zango - C:\Program Files\Zango\bin\10.3.37.0\HostIE.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2003-03-27 53248]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-11-30 344064]
"NeroCheck"=C:\WINDOWS\System32\\NeroCheck.exe [2001-07-09 155648]
""= []
"accrdsub"=C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [2006-11-10 275968]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2005-03-30 180269]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
"lxddmon.exe"=C:\Program Files\Lexmark 2500 Series\lxddmon.exe [2007-06-11 291760]
"lxddamon"=C:\Program Files\Lexmark 2500 Series\lxddamon.exe [2007-04-30 20480]
"FaxCenterServer"=C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2007-06-11 312240]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2003-07-28 4841472]
"nwiz"=nwiz.exe /install []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"masqform.exe"=C:\Program Files\PureEdge\Viewer 6.0\masqform.exe [2003-12-03 1052672]
"Fposaben"=C:\WINDOWS\Rgewu.dll [2009-03-21 43520]
"Qkofukaqib"=C:\WINDOWS\osisawegumesa.dll [2009-02-22 134144]
"gcasServ"=C:\Program Files\Microsoft AntiSpyware\gcasServ.exe [2005-07-12 473928]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LDM"=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe []
"AIM"=C:\PROGRA~1\AIM\aim.exe [2006-08-01 67112]
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe [2004-09-09 1597440]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2006-04-02 389120]
"A00F2482B9B.exe"=C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F2482B9B.exe [2009-03-16 45568]
"A00F76ED166.exe"=C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F76ED166.exe [2009-03-17 45568]
"A00F8CF31D5.exe"=C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F8CF31D5.exe [2009-03-17 45568]
"A00F6D227A.exe"=C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F6D227A.exe [2009-03-19 45568]
"A00F85E976B.exe"=C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F85E976B.exe [2009-03-21 45568]
"A00F146BECD0.exe"=C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F146BECD0.exe [2009-03-23 45568]
"A00F19E2BC65.exe"=C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F19E2BC65.exe [2009-03-24 45568]
"A00F1F25E4D5.exe"=C:\DOCUME~1\Bryan\LOCALS~1\Temp\_A00F1F25E4D5.exe [2009-03-25 45568]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\System32\cic32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll [2007-01-30 101888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll [2007-01-30 260096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-29 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\b412e637530]
C:\WINDOWS\System32\cic32.dll [2009-02-22 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0015E60]
C:\WINDOWS\system32\__c0015E60.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c002E709]
C:\WINDOWS\system32\__c002E709.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00526D7]
C:\WINDOWS\system32\__c00526D7.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c006C490]
C:\WINDOWS\system32\__c006C490.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0073B85]
C:\WINDOWS\system32\__c0073B85.dat [2009-03-19 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00964E8]
C:\WINDOWS\system32\__c00964E8.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00A1A10]
C:\WINDOWS\system32\__c00A1A10.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00A4FF8]
C:\WINDOWS\system32\__c00A4FF8.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00ADEC4]
C:\WINDOWS\system32\__c00ADEC4.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00BD7F1]
C:\WINDOWS\system32\__c00BD7F1.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00D8CB9]
C:\WINDOWS\system32\__c00D8CB9.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00EDFB8]
C:\WINDOWS\system32\__c00EDFB8.dat []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"=C:\Program Files\Microsoft AntiSpyware\shellextension.dll [2005-06-24 101080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\Program Files\Ares\Ares.exe"="C:\Program Files\Ares\Ares.exe:*:Enabled:Ares"
"C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe"="C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault™"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\WINDOWS\system32\lxddcoms.exe"="C:\WINDOWS\system32\lxddcoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"="C:\Program Files\Lexmark 2500 Series\lxddamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\Program Files\Lexmark 2500 Series\App4R.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"c:\progra~1\mozill~1\firefox.exe"="c:\progra~1\mozill~1\firefox.exe:*:Enabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe:*:Enabled: "
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"="C:\Program Files\Lexmark 2500 Series\lxddmon.exe:*:Enabled: "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Lexmark 2500 Series\app4r.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Printing Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-25 18:31:37 ----D---- C:\rsit
2009-03-25 18:31:37 ----D---- C:\Program Files\trend micro
2009-03-25 12:21:56 ----A---- C:\WINDOWS\system32\B7.tmp
2009-03-21 02:13:44 ----A---- C:\WINDOWS\system32\58.tmp
2009-03-18 22:14:15 ----A---- C:\WINDOWS\system32\12D.tmp
2009-03-18 22:14:14 ----A---- C:\WINDOWS\system32\12C.tmp
2009-03-17 17:05:39 ----A---- C:\WINDOWS\system32\119.tmp
2009-03-16 21:05:38 ----A---- C:\WINDOWS\system32\28.tmp
2009-03-15 21:46:25 ----A---- C:\WINDOWS\system32\36.tmp
2009-03-15 21:46:23 ----A---- C:\WINDOWS\system32\35.tmp
2009-03-14 03:02:01 ----D---- C:\WINDOWS\system32\MpEngineStore
2009-03-14 03:02:01 ----A---- C:\WINDOWS\system32\MRT.INI
2009-03-12 22:24:33 ----A---- C:\WINDOWS\system32\30.tmp
2009-03-12 22:24:33 ----A---- C:\WINDOWS\system32\2F.tmp
2009-03-11 17:56:10 ----SHD---- C:\WINDOWS\system32\NetworkService32
2009-03-11 03:01:13 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-11 03:00:18 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-10 17:49:33 ----ASH---- C:\WINDOWS\system32\11.tmp
2009-03-10 17:49:09 ----ASH---- C:\WINDOWS\system32\F.tmp
2009-03-06 20:30:51 ----A---- C:\WINDOWS\system32\C0.tmp
2009-03-06 20:30:49 ----A---- C:\WINDOWS\system32\BF.tmp
2009-03-05 19:31:35 ----SHD---- C:\WINDOWS\system32\LocalService32
2009-03-05 17:42:01 ----A---- C:\WINDOWS\system32\91.tmp
2009-03-03 23:57:29 ----A---- C:\WINDOWS\system32\18.tmp
2009-02-28 23:23:55 ----A---- C:\WINDOWS\system32\1D.tmp
2009-02-28 23:23:54 ----A---- C:\WINDOWS\system32\1C.tmp
2009-02-27 14:35:11 ----ASH---- C:\WINDOWS\system32\E.tmp
2009-02-27 14:34:48 ----ASH---- C:\WINDOWS\system32\B.tmp
2009-02-27 09:38:51 ----A---- C:\WINDOWS\system32\D.tmp
2009-02-27 09:38:51 ----A---- C:\WINDOWS\system32\C.tmp
2009-02-26 12:17:58 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-26 12:17:04 ----A---- C:\WINDOWS\system32\52.tmp
2009-02-26 12:16:48 ----A---- C:\WINDOWS\system32\51.tmp

======List of files/folders modified in the last 1 months======

2010-01-04 13:19:48 ----A---- C:\StubInstaller.exe
2010-01-04 12:56:26 ----A---- C:\WINDOWS\ODBC.INI
2010-01-03 19:24:41 ----SHD---- C:\System Volume Information
2010-01-03 19:24:41 ----D---- C:\WINDOWS\system32\Restore
2009-03-25 18:46:00 ----D---- C:\WINDOWS\Prefetch
2009-03-25 18:31:41 ----D---- C:\Program Files\Microsoft AntiSpyware
2009-03-25 18:31:37 ----RD---- C:\Program Files
2009-03-25 18:30:18 ----D---- C:\Program Files\Lx_cats
2009-03-25 18:30:02 ----D---- C:\WINDOWS\Temp
2009-03-25 18:01:28 ----D---- C:\Program Files\Mozilla Firefox
2009-03-25 12:23:47 ----SHD---- C:\WINDOWS\system32
2009-03-23 01:46:23 ----D---- C:\WINDOWS\system32\drivers
2009-03-21 02:14:20 ----A---- C:\WINDOWS\Rgewu.dll
2009-03-20 11:21:48 ----D---- C:\Documents and Settings\Bryan\Application Data\WeatherBug
2009-03-19 11:18:23 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-19 11:18:20 ----SD---- C:\WINDOWS\Tasks
2009-03-19 11:15:02 ----D---- C:\WINDOWS\Minidump
2009-03-19 11:15:02 ----D---- C:\WINDOWS
2009-03-18 04:12:51 ----A---- C:\WINDOWS\GnuHashes.ini
2009-03-16 01:04:25 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-11 03:01:16 ----HD---- C:\WINDOWS\inf
2009-03-11 03:01:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-11 03:01:10 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 23:11:49 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-10 19:56:50 ----D---- C:\Documents and Settings
2009-03-10 17:49:06 ----SHD---- C:\WINDOWS\Installer
2009-03-10 17:49:03 ----A---- C:\WINDOWS\OEWABLog.txt
2009-03-08 22:14:57 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 Winflash;Winflash; C:\WINDOWS\system32\drivers\Winflash.sys [2001-11-30 3538]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-09-08 19915]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-04-01 719052]
R3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS\System32\DRIVERS\RT2500.sys [2005-04-21 242176]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2003-10-23 253672]
S1 aqxeodca;aqxeodca; \??\C:\WINDOWS\system32\drivers\aqxeodca.sys []
S1 hxiauzhc;hxiauzhc; \??\C:\WINDOWS\system32\drivers\hxiauzhc.sys []
S1 kdinqync;kdinqync; \??\C:\WINDOWS\system32\drivers\kdinqync.sys []
S1 lkuylcoo;lkuylcoo; \??\C:\WINDOWS\system32\drivers\lkuylcoo.sys []
S1 mtgletcp;mtgletcp; \??\C:\WINDOWS\system32\drivers\mtgletcp.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-09-29 2456064]
S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2003-05-21 175360]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\System32\DRIVERS\ENTECH.SYS []
S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2006-12-05 29184]
S3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\system32\DRIVERS\itchfltr.sys [2003-11-08 12953]
S3 L8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys [2003-11-07 51486]
S3 LCcfltr;Logitech USB Filter Driver; C:\WINDOWS\System32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-11-07 25502]
S3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-11-07 37884]
S3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-11-07 70798]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 SCR131C;SCRx31 Serial Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR131C.sys [2002-11-07 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-06 64088]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 acachsrv;ActivClient Authentication Service; C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
R2 acautoup;ActivClient Auto-Update Service; C:\Program Files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
R2 accoca;ActivClient Middleware Service; C:\Program Files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
R2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
R2 lxdd_device;lxdd_device; C:\WINDOWS\system32\lxddcoms.exe [2007-05-25 537520]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
R2 Movielink Core Service;Movielink Core Service; C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE [2006-05-26 1115744]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-29 483328]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-11-30 516096]
S2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 WMP54Gv4SVC;WMP54Gv4SVC; C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:41 AM

Posted 25 March 2009 - 07:31 PM

Hello bmyronstyle,

Posted Image

Could you please post the URL of the thread you were working with garmanma? :thumbup2:

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 bmyronstyle

bmyronstyle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 27 March 2009 - 10:41 AM

Teacup61,

As requested, here is the post from garmanma:


If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding Rist attempting to contact the Internet, please allow the connection.

* Close all applications and windows so that you have nothing open and are at your Desktop.
* Double-click on RSIT.exe to start the program.
* If using Windows Vista, be sure to Run As Administrator.
* Click Continue after reading the disclaimer screen.
* Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days).
* When the scan is complete, a text file named log.txt will automatically open in Notepad.
* Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.

Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.


--------------------
Mark

I ran the combofix program, and here is the report it gave:

ComboFix 09-03-26.03 - Bryan 2009-03-27 11:25:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.555 [GMT -4:00]
Running from: c:\documents and settings\Bryan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\Bryan\Application Data\020000000322f95d530C.manifest
c:\documents and settings\Bryan\Application Data\020000000322f95d530O.manifest
c:\documents and settings\Bryan\Application Data\020000000322f95d530P.manifest
c:\documents and settings\Bryan\Application Data\020000000322f95d530S.manifest
c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
c:\program files\msmovies
c:\program files\msmovies\p.zip
c:\windows\GnuHashes.ini
c:\windows\system32\__c0017E10.dat
c:\windows\system32\__c001BE91.dat
c:\windows\system32\__c0035439.dat
c:\windows\system32\__c003B7AD.dat
c:\windows\system32\__c0047A0B.dat
c:\windows\system32\__c004A3F8.dat
c:\windows\system32\__c006529E.dat
c:\windows\system32\__c00717DB.dat
c:\windows\system32\__c0073B85.dat
c:\windows\system32\__c00773D0.dat
c:\windows\system32\__c00874DA.dat
c:\windows\system32\__c008A321.dat
c:\windows\system32\__c008BEDE.dat
c:\windows\system32\__c008D9B3.dat
c:\windows\system32\__c008E164.dat
c:\windows\system32\__c0093081.dat
c:\windows\system32\__c0093E16.dat
c:\windows\system32\__c0096890.dat
c:\windows\system32\__c00BF58.dat
c:\windows\system32\__c00CAF43.dat
c:\windows\system32\__c00CCD5.dat
c:\windows\system32\__c00D15BE.dat
c:\windows\system32\__c00D19C4.dat
c:\windows\system32\__c00D2E1B.dat
c:\windows\system32\__c00DFE0F.dat
c:\windows\system32\__c00E7D79.dat
c:\windows\system32\__c00EFE4.dat
c:\windows\system32\__c00F44E.dat
c:\windows\system32\__c00FDB14.dat
c:\windows\system32\__c00FEF98.dat
c:\windows\system32\9.tmp
c:\windows\system32\A.tmp
c:\windows\system32\B.tmp
c:\windows\system32\bszip.dll
c:\windows\system32\cmd.com
c:\windows\system32\crosof~1.net
c:\windows\system32\E.tmp
c:\windows\system32\F.tmp
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\msvcmm32.exe
c:\windows\system32\netstat.com
c:\windows\system32\nScan
c:\windows\system32\nScan\ecls.exe
c:\windows\system32\nScan\ekrn.exe
c:\windows\system32\nScan\ekrnAmon.dll
c:\windows\system32\nScan\ekrnEmon.dll
c:\windows\system32\nScan\ekrnEpfw.dll
c:\windows\system32\nScan\ekrnScan.dll
c:\windows\system32\nScan\em000_32.dat
c:\windows\system32\nScan\em001_32.dat
c:\windows\system32\nScan\em002_32.dat
c:\windows\system32\nScan\em003_32.dat
c:\windows\system32\nScan\em004_32.dat
c:\windows\system32\nScan\em005_32.dat
c:\windows\system32\nScan\em006_32.dat
c:\windows\system32\nScan\mod_comp.dat
c:\windows\system32\ping.com
c:\windows\system32\regedit.com
c:\windows\system32\taskkill.com
c:\windows\system32\tasklist.com
c:\windows\system32\tmp.reg
c:\windows\system32\tracert.com
c:\windows\system32\zip32.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-26 09:51 . 2009-03-26 09:51 0 --a------ c:\windows\system32\134.tmp
2009-03-25 18:31 . 2009-03-25 18:47 <DIR> d-------- C:\rsit
2009-03-25 18:31 . 2009-03-25 18:46 <DIR> d-------- c:\program files\trend micro
2009-03-21 02:13 . 2009-03-21 02:13 0 --a------ c:\windows\system32\58.tmp
2009-03-18 22:14 . 2009-03-18 22:14 0 --a------ c:\windows\system32\12D.tmp
2009-03-18 22:14 . 2009-03-18 22:14 0 --a------ c:\windows\system32\12C.tmp
2009-03-17 17:05 . 2009-03-17 17:05 0 --a------ c:\windows\system32\119.tmp
2009-03-16 21:05 . 2009-03-16 21:05 0 --a------ c:\windows\system32\28.tmp
2009-03-15 21:46 . 2009-03-15 21:46 0 --a------ c:\windows\system32\36.tmp
2009-03-15 21:46 . 2009-03-15 21:46 0 --a------ c:\windows\system32\35.tmp
2009-03-14 03:02 . 2009-03-14 03:02 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-03-14 03:02 . 2009-03-14 03:02 206 --a------ c:\windows\system32\MRT.INI
2009-03-12 22:24 . 2009-03-12 22:24 0 --a------ c:\windows\system32\30.tmp
2009-03-12 22:24 . 2009-03-12 22:24 0 --a------ c:\windows\system32\2F.tmp
2009-03-11 17:56 . 2009-03-18 04:05 <DIR> d--hs---- c:\windows\system32\NetworkService32
2009-03-10 17:49 . 2009-03-10 17:49 374,272 --ahs---- c:\windows\system32\11.tmp
2009-03-06 20:30 . 2009-03-06 20:30 0 --a------ c:\windows\system32\C0.tmp
2009-03-06 20:30 . 2009-03-06 20:30 0 --a------ c:\windows\system32\BF.tmp
2009-03-05 19:31 . 2009-03-11 17:56 <DIR> d--hs---- c:\windows\system32\LocalService32
2009-03-05 17:42 . 2009-03-05 17:42 0 --a------ c:\windows\system32\91.tmp
2009-03-03 23:57 . 2009-03-03 23:57 0 --a------ c:\windows\system32\18.tmp
2009-02-28 23:23 . 2009-02-28 23:23 0 --a------ c:\windows\system32\1D.tmp
2009-02-28 23:23 . 2009-02-28 23:23 0 --a------ c:\windows\system32\1C.tmp
2009-02-27 09:38 . 2009-02-27 09:38 0 --a------ c:\windows\system32\D.tmp
2009-02-27 09:38 . 2009-02-27 09:38 0 --a------ c:\windows\system32\C.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 17:19 700,416 ----a-w C:\StubInstaller.exe
2009-03-27 15:29 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-27 15:15 --------- d-----w c:\program files\Lx_cats
2009-03-21 06:14 43,520 ----a-w c:\windows\Rgewu.dll
2009-03-20 15:21 --------- d-----w c:\documents and settings\Bryan\Application Data\WeatherBug
2009-02-23 15:16 --------- d-----w c:\program files\XoftSpySE
2009-02-23 00:09 134,144 ----a-w c:\windows\osisawegumesa.dll
2009-02-15 07:00 --------- d-----w c:\program files\LimeWire
2009-02-12 22:17 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-12 22:16 --------- d-----w c:\documents and settings\Bryan\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-12 20:31 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-12 20:31 --------- d-----w c:\program files\PureEdge
2009-02-12 20:31 --------- d-----w c:\documents and settings\Bryan\Application Data\PureEdge
2009-02-12 20:31 --------- d-----w c:\documents and settings\All Users\Application Data\PureEdge
2005-02-08 16:56 442 ----a-w c:\program files\Shortcut to AIM.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\progra~1\AIM\aim.exe" [2006-08-01 67112]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-09-09 1597440]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2006-11-10 275968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-30 180269]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"Fposaben"="c:\windows\Rgewu.dll" [2009-03-21 43520]
"Qkofukaqib"="c:\windows\osisawegumesa.dll" [2009-02-22 134144]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 473928]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2006-11-10 77312]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-09-27 114688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-06-19 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-01-30 08:57 101888 c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-01-30 14:57 260096 c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\b412e637530]
2009-02-22 05:10 135168 c:\windows\system32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\cic32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA Games\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\progra~1\\mozill~1\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddwbgw.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11484:TCP"= 11484:TCP:BND

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [2003-07-02 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [2003-07-02 124160]
R2 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
R2 acautoup;ActivClient Auto-Update Service;c:\program files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-03-19 99248]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S1 aqxeodca;aqxeodca;\??\c:\windows\system32\drivers\aqxeodca.sys --> c:\windows\system32\drivers\aqxeodca.sys [?]
S1 hxiauzhc;hxiauzhc;\??\c:\windows\system32\drivers\hxiauzhc.sys --> c:\windows\system32\drivers\hxiauzhc.sys [?]
S1 kdinqync;kdinqync;\??\c:\windows\system32\drivers\kdinqync.sys --> c:\windows\system32\drivers\kdinqync.sys [?]
S1 lkuylcoo;lkuylcoo;\??\c:\windows\system32\drivers\lkuylcoo.sys --> c:\windows\system32\drivers\lkuylcoo.sys [?]
S1 mtgletcp;mtgletcp;\??\c:\windows\system32\drivers\mtgletcp.sys --> c:\windows\system32\drivers\mtgletcp.sys [?]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCCFLTR.SYS [2004-09-29 14092]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [2002-11-07 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2004-04-06 64088]
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
Notify-__c0015E60 - c:\windows\system32\__c0015E60.dat
Notify-__c002E709 - c:\windows\system32\__c002E709.dat
Notify-__c00526D7 - c:\windows\system32\__c00526D7.dat
Notify-__c006C490 - c:\windows\system32\__c006C490.dat
Notify-__c0073B85 - c:\windows\system32\__c0073B85.dat
Notify-__c00964E8 - c:\windows\system32\__c00964E8.dat
Notify-__c00A1A10 - c:\windows\system32\__c00A1A10.dat
Notify-__c00A4FF8 - c:\windows\system32\__c00A4FF8.dat
Notify-__c00ADEC4 - c:\windows\system32\__c00ADEC4.dat
Notify-__c00BD7F1 - c:\windows\system32\__c00BD7F1.dat
Notify-__c00D8CB9 - c:\windows\system32\__c00D8CB9.dat
Notify-__c00EDFB8 - c:\windows\system32\__c00EDFB8.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\8i5hi0bc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\8i5hi0bc.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07100121.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 11:30:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\cic32.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\scardsvr.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\lxddcoms.exe
c:\progra~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Real\RealPlayer\realplay.exe
.
**************************************************************************
.
Completion time: 2009-03-27 11:34:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-27 15:34:19

Pre-Run: 182,300,401,664 bytes free
Post-Run: 185,752,514,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

310 --- E O F --- 2009-03-26 13:59:52

Lastly, here is the new HJT log, run on RSIT:


Logfile of random's system information tool 1.06 (written by random/random)
Run by Bryan at 2009-03-27 11:35:07
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 177 GB (74%) free of 238 GB
Total RAM: 1023 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:09 AM, on 3/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bryan\Desktop\RSIT.exe
C:\Program Files\trend micro\Bryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Fposaben] rundll32.exe "C:\WINDOWS\Rgewu.dll",e
O4 - HKLM\..\Run: [Qkofukaqib] rundll32.exe "C:\WINDOWS\osisawegumesa.dll",e
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096307220389
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram11c.vcu.edu/dwa7W.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\cic32.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O20 - Winlogon Notify: b412e637530 - C:\WINDOWS\System32\cic32.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 10149 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2008-06-11 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 501400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{40D41A8B-D79B-43d7-99A7-9EE0F344C385} - AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll [2004-09-30 163840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2003-03-27 53248]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-11-30 344064]
"NeroCheck"=C:\WINDOWS\System32\\NeroCheck.exe [2001-07-09 155648]
"accrdsub"=C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [2006-11-10 275968]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2005-03-30 180269]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
"lxddmon.exe"=C:\Program Files\Lexmark 2500 Series\lxddmon.exe [2007-06-11 291760]
"lxddamon"=C:\Program Files\Lexmark 2500 Series\lxddamon.exe [2007-04-30 20480]
"FaxCenterServer"=C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2007-06-11 312240]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2003-07-28 4841472]
"nwiz"=nwiz.exe /install []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"masqform.exe"=C:\Program Files\PureEdge\Viewer 6.0\masqform.exe [2003-12-03 1052672]
"Fposaben"=C:\WINDOWS\Rgewu.dll [2009-03-21 43520]
"Qkofukaqib"=C:\WINDOWS\osisawegumesa.dll [2009-02-22 134144]
"gcasServ"=C:\Program Files\Microsoft AntiSpyware\gcasServ.exe [2005-07-12 473928]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"=C:\PROGRA~1\AIM\aim.exe [2006-08-01 67112]
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe [2004-09-09 1597440]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2006-04-02 389120]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\System32\cic32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll [2007-01-30 101888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll [2007-01-30 260096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-29 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\b412e637530]
C:\WINDOWS\System32\cic32.dll [2009-02-22 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"=C:\Program Files\Microsoft AntiSpyware\shellextension.dll [2005-06-24 101080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe"="C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault™"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\WINDOWS\system32\lxddcoms.exe"="C:\WINDOWS\system32\lxddcoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"="C:\Program Files\Lexmark 2500 Series\lxddamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\Program Files\Lexmark 2500 Series\App4R.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"c:\progra~1\mozill~1\firefox.exe"="c:\progra~1\mozill~1\firefox.exe:*:Enabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe:*:Enabled: "
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"="C:\Program Files\Lexmark 2500 Series\lxddmon.exe:*:Enabled: "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Lexmark 2500 Series\app4r.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Printing Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-27 11:34:23 ----D---- C:\WINDOWS\temp
2009-03-27 11:34:22 ----A---- C:\ComboFix.txt
2009-03-27 11:25:10 ----A---- C:\Boot.bak
2009-03-27 11:25:05 ----RASHD---- C:\cmdcons
2009-03-27 11:18:58 ----A---- C:\WINDOWS\zip.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\VFIND.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWSC.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWREG.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\sed.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\NIRCMD.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\grep.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\fdsv.exe
2009-03-27 11:18:49 ----D---- C:\WINDOWS\ERDNT
2009-03-27 11:18:47 ----D---- C:\Qoobox
2009-03-26 09:51:18 ----A---- C:\WINDOWS\system32\134.tmp
2009-03-25 18:31:37 ----D---- C:\rsit
2009-03-25 18:31:37 ----D---- C:\Program Files\trend micro
2009-03-21 02:13:44 ----A---- C:\WINDOWS\system32\58.tmp
2009-03-18 22:14:15 ----A---- C:\WINDOWS\system32\12D.tmp
2009-03-18 22:14:14 ----A---- C:\WINDOWS\system32\12C.tmp
2009-03-17 17:05:39 ----A---- C:\WINDOWS\system32\119.tmp
2009-03-16 21:05:38 ----A---- C:\WINDOWS\system32\28.tmp
2009-03-15 21:46:25 ----A---- C:\WINDOWS\system32\36.tmp
2009-03-15 21:46:23 ----A---- C:\WINDOWS\system32\35.tmp
2009-03-14 03:02:01 ----D---- C:\WINDOWS\system32\MpEngineStore
2009-03-14 03:02:01 ----A---- C:\WINDOWS\system32\MRT.INI
2009-03-12 22:24:33 ----A---- C:\WINDOWS\system32\30.tmp
2009-03-12 22:24:33 ----A---- C:\WINDOWS\system32\2F.tmp
2009-03-11 17:56:10 ----SHD---- C:\WINDOWS\system32\NetworkService32
2009-03-11 03:01:13 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-11 03:00:18 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-10 17:49:33 ----ASH---- C:\WINDOWS\system32\11.tmp
2009-03-06 20:30:51 ----A---- C:\WINDOWS\system32\C0.tmp
2009-03-06 20:30:49 ----A---- C:\WINDOWS\system32\BF.tmp
2009-03-05 19:31:35 ----SHD---- C:\WINDOWS\system32\LocalService32
2009-03-05 17:42:01 ----A---- C:\WINDOWS\system32\91.tmp
2009-03-03 23:57:29 ----A---- C:\WINDOWS\system32\18.tmp
2009-02-28 23:23:55 ----A---- C:\WINDOWS\system32\1D.tmp
2009-02-28 23:23:54 ----A---- C:\WINDOWS\system32\1C.tmp

======List of files/folders modified in the last 1 months======

2010-01-04 13:19:48 ----A---- C:\StubInstaller.exe
2010-01-04 12:56:26 ----A---- C:\WINDOWS\ODBC.INI
2010-01-03 19:24:41 ----SHD---- C:\System Volume Information
2010-01-03 19:24:41 ----D---- C:\WINDOWS\system32\Restore
2009-03-27 11:34:27 ----SHD---- C:\WINDOWS\system32
2009-03-27 11:34:27 ----D---- C:\WINDOWS\system32\drivers
2009-03-27 11:34:27 ----D---- C:\WINDOWS\Prefetch
2009-03-27 11:34:23 ----D---- C:\WINDOWS
2009-03-27 11:33:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-27 11:33:23 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-27 11:32:22 ----SD---- C:\WINDOWS\Tasks
2009-03-27 11:30:59 ----A---- C:\WINDOWS\system.ini
2009-03-27 11:29:41 ----D---- C:\Program Files\Microsoft AntiSpyware
2009-03-27 11:27:01 ----D---- C:\WINDOWS\AppPatch
2009-03-27 11:26:59 ----D---- C:\Program Files\Common Files
2009-03-27 11:26:07 ----RD---- C:\Program Files
2009-03-27 11:25:10 ----RASH---- C:\boot.ini
2009-03-27 11:22:22 ----D---- C:\WINDOWS\network diagnostic
2009-03-27 11:19:16 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-27 11:15:44 ----D---- C:\Program Files\Lx_cats
2009-03-25 21:26:25 ----D---- C:\Program Files\Mozilla Firefox
2009-03-21 02:14:20 ----A---- C:\WINDOWS\Rgewu.dll
2009-03-20 11:21:48 ----D---- C:\Documents and Settings\Bryan\Application Data\WeatherBug
2009-03-19 11:15:02 ----D---- C:\WINDOWS\Minidump
2009-03-11 03:01:16 ----HD---- C:\WINDOWS\inf
2009-03-11 03:01:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-11 03:01:10 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 23:11:49 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-10 19:56:50 ----D---- C:\Documents and Settings
2009-03-10 17:49:06 ----SHD---- C:\WINDOWS\Installer
2009-03-10 17:49:03 ----A---- C:\WINDOWS\OEWABLog.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 Winflash;Winflash; C:\WINDOWS\system32\drivers\Winflash.sys [2001-11-30 3538]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-09-08 19915]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-04-01 719052]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS\System32\DRIVERS\RT2500.sys [2005-04-21 242176]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2003-10-23 253672]
R4 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S1 aqxeodca;aqxeodca; \??\C:\WINDOWS\system32\drivers\aqxeodca.sys []
S1 hxiauzhc;hxiauzhc; \??\C:\WINDOWS\system32\drivers\hxiauzhc.sys []
S1 kdinqync;kdinqync; \??\C:\WINDOWS\system32\drivers\kdinqync.sys []
S1 lkuylcoo;lkuylcoo; \??\C:\WINDOWS\system32\drivers\lkuylcoo.sys []
S1 mtgletcp;mtgletcp; \??\C:\WINDOWS\system32\drivers\mtgletcp.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-09-29 2456064]
S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2003-05-21 175360]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\System32\DRIVERS\ENTECH.SYS []
S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2006-12-05 29184]
S3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\system32\DRIVERS\itchfltr.sys [2003-11-08 12953]
S3 L8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys [2003-11-07 51486]
S3 LCcfltr;Logitech USB Filter Driver; C:\WINDOWS\System32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-11-07 25502]
S3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-11-07 37884]
S3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-11-07 70798]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 SCR131C;SCRx31 Serial Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR131C.sys [2002-11-07 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-06 64088]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 acachsrv;ActivClient Authentication Service; C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
R2 acautoup;ActivClient Auto-Update Service; C:\Program Files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
R2 accoca;ActivClient Middleware Service; C:\Program Files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
R2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
R2 lxdd_device;lxdd_device; C:\WINDOWS\system32\lxddcoms.exe [2007-05-25 537520]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
R2 Movielink Core Service;Movielink Core Service; C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE [2006-05-26 1115744]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-29 483328]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-11-30 516096]
S2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 WMP54Gv4SVC;WMP54Gv4SVC; C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

Thank you so much for your help, you guys are lifesavers.

Sincerely,
bmyronstyle

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:41 AM

Posted 28 March 2009 - 05:36 AM

Hello,

You're welcome. :thumbup2:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::

File::
c:\windows\system32\134.tmp
c:\windows\system32\58.tmp
c:\windows\system32\12D.tmp
c:\windows\system32\12C.tmp
c:\windows\system32\119.tmp
c:\windows\system32\28.tmp
c:\windows\system32\36.tmp
c:\windows\system32\35.tmp
c:\windows\system32\30.tmp
c:\windows\system32\2F.tmp
c:\windows\system32\11.tmp
c:\windows\system32\C0.tmp
c:\windows\system32\BF.tmp
c:\windows\system32\91.tmp
c:\windows\system32\18.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\1C.tmp
c:\windows\system32\D.tmp
c:\windows\system32\C.tmp
c:\windows\osisawegumesa.dll
c:\windows\Rgewu.dll
c:\windows\system32\cic32.dll
c:\windows\system32\drivers\aqxeodca.sys
c:\windows\system32\drivers\hxiauzhc.sys
c:\windows\system32\drivers\kdinqync.sys
c:\windows\system32\drivers\lkuylcoo.sys
c:\windows\system32\drivers\mtgletcp.sys

Driver::
aqxeodca
hxiauzhc
kdinqync
lkuylcoo
mtgletcp

Folder::
c:\windows\system32\NetworkService32
c:\windows\system32\LocalService32

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\b412e637530]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running now please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 bmyronstyle

bmyronstyle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 30 March 2009 - 02:50 PM

teacup61,

Did as instructed. When I dragged the CFScript into Combofix, as it was running the following error message window appeared:

SWREG.cfexe-Bad Image

The application or DLL C:\WINDOS\System32\cic32.dll is not a valid Windows image. Please check this against your installation diskette.

Also, after the Reboot I got another error message with a window labeled RUNDLL that had said error loading DLL c:\windows\osisawegumesa.dll, or something like that, it had closed before I could write it down verbatim.

Here is the new combofix report:

ComboFix 09-03-26.03 - Bryan 2009-03-30 15:27:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.586 [GMT -4:00]
Running from: c:\documents and settings\Bryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bryan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\osisawegumesa.dll
c:\windows\Rgewu.dll
c:\windows\system32\11.tmp
c:\windows\system32\119.tmp
c:\windows\system32\12C.tmp
c:\windows\system32\12D.tmp
c:\windows\system32\134.tmp
c:\windows\system32\18.tmp
c:\windows\system32\1C.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\28.tmp
c:\windows\system32\2F.tmp
c:\windows\system32\30.tmp
c:\windows\system32\35.tmp
c:\windows\system32\36.tmp
c:\windows\system32\58.tmp
c:\windows\system32\91.tmp
c:\windows\system32\BF.tmp
c:\windows\system32\C.tmp
c:\windows\system32\C0.tmp
c:\windows\system32\cic32.dll
c:\windows\system32\D.tmp
c:\windows\system32\drivers\aqxeodca.sys
c:\windows\system32\drivers\hxiauzhc.sys
c:\windows\system32\drivers\kdinqync.sys
c:\windows\system32\drivers\lkuylcoo.sys
c:\windows\system32\drivers\mtgletcp.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bryan\Application Data\020000000322f95d530C.manifest
c:\documents and settings\Bryan\Application Data\020000000322f95d530O.manifest
c:\documents and settings\Bryan\Application Data\020000000322f95d530P.manifest
c:\documents and settings\Bryan\Application Data\020000000322f95d530S.manifest
c:\windows\GnuHashes.ini
c:\windows\osisawegumesa.dll
c:\windows\Rgewu.dll
c:\windows\system32\__c003119.dat
c:\windows\system32\__c0034D65.dat
c:\windows\system32\__c009F39E.dat
c:\windows\system32\__c00A627C.dat
c:\windows\system32\__c00D441.dat
c:\windows\system32\11.tmp
c:\windows\system32\119.tmp
c:\windows\system32\12C.tmp
c:\windows\system32\12D.tmp
c:\windows\system32\134.tmp
c:\windows\system32\18.tmp
c:\windows\system32\1C.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\28.tmp
c:\windows\system32\2F.tmp
c:\windows\system32\30.tmp
c:\windows\system32\35.tmp
c:\windows\system32\36.tmp
c:\windows\system32\58.tmp
c:\windows\system32\9.tmp
c:\windows\system32\91.tmp
c:\windows\system32\A.tmp
c:\windows\system32\BF.tmp
c:\windows\system32\C.tmp
c:\windows\system32\C0.tmp
c:\windows\system32\cic32.dll
c:\windows\system32\D.tmp
c:\windows\system32\E.tmp
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\LocalService32
c:\windows\system32\LocalService32\50.crack.zip.kwd
c:\windows\system32\LocalService32\52.keymaker.zip.kwd
c:\windows\system32\LocalService32\53.serial.zip.kwd
c:\windows\system32\NetworkService32
c:\windows\system32\NetworkService32\65.music.snd.kwd
c:\windows\system32\NetworkService32\66.music.au.kwd
c:\windows\system32\NetworkService32\67.crack.zip
c:\windows\system32\NetworkService32\67.crack.zip.kwd
c:\windows\system32\NetworkService32\68.keygen.zip
c:\windows\system32\NetworkService32\68.keygen.zip.kwd
c:\windows\system32\NetworkService32\69.serial.zip
c:\windows\system32\NetworkService32\69.serial.zip.kwd
c:\windows\system32\NetworkService32\70.setup.zip
c:\windows\system32\NetworkService32\70.setup.zip.kwd
c:\windows\system32\NetworkService32\72.music.mp3
c:\windows\system32\NetworkService32\72.music.mp3.kwd
c:\windows\system32\NetworkService32\73.music.snd
c:\windows\system32\NetworkService32\73.music.snd.kwd
c:\windows\system32\NetworkService32\74.music.au
c:\windows\system32\NetworkService32\74.music.au.kwd
c:\windows\system32\NetworkService32\75.music.wav
c:\windows\system32\NetworkService32\75.music.wav.kwd
c:\windows\system32\NetworkService32\76.crack.zip
c:\windows\system32\NetworkService32\76.crack.zip.kwd
c:\windows\system32\NetworkService32\77.keygen.zip
c:\windows\system32\NetworkService32\77.keygen.zip.kwd
c:\windows\system32\NetworkService32\78.serial.zip
c:\windows\system32\NetworkService32\78.serial.zip.kwd
c:\windows\system32\NetworkService32\79.setup.zip
c:\windows\system32\NetworkService32\79.setup.zip.kwd
c:\windows\system32\NetworkService32\80.music.mp3
c:\windows\system32\NetworkService32\80.music.mp3.kwd
c:\windows\system32\NetworkService32\81.music.snd
c:\windows\system32\NetworkService32\81.music.snd.kwd
c:\windows\system32\NetworkService32\83.music.au
c:\windows\system32\NetworkService32\83.music.au.kwd
c:\windows\system32\NetworkService32\84.video.wmv
c:\windows\system32\NetworkService32\84.video.wmv.kwd
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_aqxeodca
-------\Service_hxiauzhc
-------\Service_kdinqync
-------\Service_lkuylcoo
-------\Service_mtgletcp


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-30 14:23 . 2009-03-30 14:23 0 --a------ c:\windows\system32\48.tmp
2009-03-30 14:23 . 2009-03-30 14:23 0 --a------ c:\windows\system32\47.tmp
2009-03-28 10:37 . 2009-03-28 10:37 0 --a------ c:\windows\system32\3E.tmp
2009-03-28 10:37 . 2009-03-28 10:37 0 --a------ c:\windows\system32\3D.tmp
2009-03-28 02:34 . 2009-03-28 02:34 374,272 --ahs---- c:\windows\system32\29.tmp
2009-03-25 18:31 . 2009-03-25 18:47 <DIR> d-------- C:\rsit
2009-03-25 18:31 . 2009-03-27 11:35 <DIR> d-------- c:\program files\trend micro
2009-03-14 03:02 . 2009-03-14 03:02 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-03-14 03:02 . 2009-03-14 03:02 206 --a------ c:\windows\system32\MRT.INI
2009-02-26 12:17 . 2009-02-26 12:17 0 --a------ c:\windows\system32\52.tmp
2009-02-26 12:16 . 2009-02-26 12:16 0 --a------ c:\windows\system32\51.tmp
2009-02-25 15:26 . 2009-02-25 15:26 374,272 --ahs---- c:\windows\system32\12.tmp
2009-02-25 14:31 . 2009-02-25 14:31 0 --a------ c:\windows\system32\216.tmp
2009-02-25 14:31 . 2009-02-25 14:31 0 --a------ c:\windows\system32\215.tmp
2009-02-24 13:21 . 2009-02-24 13:21 0 --a------ c:\windows\system32\17.tmp
2009-02-24 13:21 . 2009-02-24 13:21 0 --a------ c:\windows\system32\16.tmp
2009-02-23 11:16 . 2009-02-23 11:16 <DIR> d-------- c:\program files\XoftSpySE
2009-02-22 05:10 . 2009-02-22 05:10 374,272 --ahs---- c:\windows\system32\3C4.tmp
2009-02-22 05:10 . 2009-02-22 05:10 374,272 --ahs---- c:\windows\system32\3C2.tmp
2009-02-12 18:17 . 2009-02-12 18:17 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-12 18:16 . 2009-02-12 18:16 <DIR> d-------- c:\documents and settings\Bryan\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-12 16:31 . 2009-02-12 16:31 <DIR> d-------- c:\program files\PureEdge
2009-02-12 16:31 . 2009-02-12 16:31 <DIR> d-------- c:\documents and settings\Bryan\Application Data\PureEdge
2009-02-12 16:31 . 2009-02-12 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\PureEdge
2009-02-12 16:31 . 2003-11-21 19:02 2,101,248 --a------ c:\windows\system32\pe_cc.dll
2009-02-12 16:31 . 2003-11-21 19:02 1,167,360 --a------ c:\windows\system32\pe_java.dll
2009-02-12 16:31 . 2003-11-21 19:02 712,704 --a------ c:\windows\system32\uwi_java.dll
2009-02-12 16:31 . 2003-02-21 13:44 172,032 --a------ c:\windows\system32\SSCE5332.dll
2009-02-12 16:31 . 2003-02-21 11:44 167,936 --a------ c:\windows\system32\MSQOLE.DLL
2009-02-12 16:31 . 2009-02-12 16:31 61 --a------ c:\windows\PureEdgeAPI.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 17:19 700,416 ----a-w C:\StubInstaller.exe
2009-03-30 19:35 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-27 15:15 --------- d-----w c:\program files\Lx_cats
2009-03-20 15:21 --------- d-----w c:\documents and settings\Bryan\Application Data\WeatherBug
2009-02-15 07:00 --------- d-----w c:\program files\LimeWire
2009-02-12 20:31 --------- d--h--w c:\program files\InstallShield Installation Information
2005-02-08 16:56 442 ----a-w c:\program files\Shortcut to AIM.lnk
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_11.33.42.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-09 02:14:57 64,372 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-27 15:33:29 64,372 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-09 02:14:57 409,232 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-27 15:33:29 409,232 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\progra~1\AIM\aim.exe" [2006-08-01 67112]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-09-09 1597440]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2006-11-10 275968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-30 180269]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 473928]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2006-11-10 77312]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-09-27 114688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-06-19 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-01-30 08:57 101888 c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-01-30 14:57 260096 c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA Games\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\progra~1\\mozill~1\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddwbgw.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11484:TCP"= 11484:TCP:BND

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [2003-07-02 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [2003-07-02 124160]
R2 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
R2 acautoup;ActivClient Auto-Update Service;c:\program files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-03-19 99248]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCCFLTR.SYS [2004-09-29 14092]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [2002-11-07 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2004-04-06 64088]
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Fposaben - c:\windows\Rgewu.dll
HKLM-Run-Qkofukaqib - c:\windows\osisawegumesa.dll
Notify-__c00D441 - c:\windows\system32\__c00D441.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\8i5hi0bc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\8i5hi0bc.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07100121.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 15:36:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\scardsvr.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\lxddcoms.exe
c:\progra~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-30 15:39:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-30 19:39:42
ComboFix2.txt 2009-03-27 15:34:22

Pre-Run: 185,677,209,600 bytes free
Post-Run: 185,590,083,584 bytes free

324 --- E O F --- 2009-03-30 18:46:30

And Here is the new HJT report:


Logfile of random's system information tool 1.06 (written by random/random)
Run by Bryan at 2009-03-30 15:41:00
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 177 GB (74%) free of 238 GB
Total RAM: 1023 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:02 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bryan\Desktop\RSIT.exe
C:\Program Files\trend micro\Bryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096307220389
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram11c.vcu.edu/dwa7W.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9816 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2008-06-11 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 501400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{40D41A8B-D79B-43d7-99A7-9EE0F344C385} - AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll [2004-09-30 163840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2003-03-27 53248]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-11-30 344064]
"NeroCheck"=C:\WINDOWS\System32\\NeroCheck.exe [2001-07-09 155648]
"accrdsub"=C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [2006-11-10 275968]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2005-03-30 180269]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
"lxddmon.exe"=C:\Program Files\Lexmark 2500 Series\lxddmon.exe [2007-06-11 291760]
"lxddamon"=C:\Program Files\Lexmark 2500 Series\lxddamon.exe [2007-04-30 20480]
"FaxCenterServer"=C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2007-06-11 312240]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2003-07-28 4841472]
"nwiz"=nwiz.exe /install []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"masqform.exe"=C:\Program Files\PureEdge\Viewer 6.0\masqform.exe [2003-12-03 1052672]
"gcasServ"=C:\Program Files\Microsoft AntiSpyware\gcasServ.exe [2005-07-12 473928]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"=C:\PROGRA~1\AIM\aim.exe [2006-08-01 67112]
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe [2004-09-09 1597440]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2006-04-02 389120]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll [2007-01-30 101888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll [2007-01-30 260096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-29 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"=C:\Program Files\Microsoft AntiSpyware\shellextension.dll [2005-06-24 101080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe"="C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault™"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\WINDOWS\system32\lxddcoms.exe"="C:\WINDOWS\system32\lxddcoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"="C:\Program Files\Lexmark 2500 Series\lxddamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\Program Files\Lexmark 2500 Series\App4R.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"c:\progra~1\mozill~1\firefox.exe"="c:\progra~1\mozill~1\firefox.exe:*:Enabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe:*:Enabled: "
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"="C:\Program Files\Lexmark 2500 Series\lxddmon.exe:*:Enabled: "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Lexmark 2500 Series\app4r.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Printing Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-30 15:39:46 ----D---- C:\WINDOWS\temp
2009-03-30 15:39:45 ----A---- C:\ComboFix.txt
2009-03-30 14:23:49 ----A---- C:\WINDOWS\system32\48.tmp
2009-03-30 14:23:49 ----A---- C:\WINDOWS\system32\47.tmp
2009-03-28 10:37:29 ----A---- C:\WINDOWS\system32\3E.tmp
2009-03-28 10:37:24 ----A---- C:\WINDOWS\system32\3D.tmp
2009-03-28 02:34:25 ----ASH---- C:\WINDOWS\system32\29.tmp
2009-03-27 11:25:10 ----A---- C:\Boot.bak
2009-03-27 11:25:05 ----RASHD---- C:\cmdcons
2009-03-27 11:18:58 ----A---- C:\WINDOWS\zip.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\VFIND.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWSC.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWREG.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\sed.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\NIRCMD.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\grep.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\fdsv.exe
2009-03-27 11:18:49 ----D---- C:\WINDOWS\ERDNT
2009-03-27 11:18:47 ----D---- C:\Qoobox
2009-03-25 18:31:37 ----D---- C:\rsit
2009-03-25 18:31:37 ----D---- C:\Program Files\trend micro
2009-03-14 03:02:01 ----D---- C:\WINDOWS\system32\MpEngineStore
2009-03-14 03:02:01 ----A---- C:\WINDOWS\system32\MRT.INI
2009-03-11 03:01:13 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-11 03:00:18 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$

======List of files/folders modified in the last 1 months======

2010-01-04 13:19:48 ----A---- C:\StubInstaller.exe
2010-01-04 12:56:26 ----A---- C:\WINDOWS\ODBC.INI
2010-01-03 19:24:41 ----SHD---- C:\System Volume Information
2010-01-03 19:24:41 ----D---- C:\WINDOWS\system32\Restore
2009-03-30 15:39:48 ----SHD---- C:\WINDOWS\system32
2009-03-30 15:39:47 ----D---- C:\WINDOWS\system32\drivers
2009-03-30 15:39:46 ----D---- C:\WINDOWS
2009-03-30 15:38:51 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-30 15:37:57 ----SD---- C:\WINDOWS\Tasks
2009-03-30 15:36:23 ----A---- C:\WINDOWS\system.ini
2009-03-30 15:35:07 ----D---- C:\Program Files\Microsoft AntiSpyware
2009-03-30 15:33:28 ----D---- C:\WINDOWS\system32\config
2009-03-30 15:30:25 ----D---- C:\WINDOWS\AppPatch
2009-03-30 15:30:19 ----D---- C:\Program Files\Common Files
2009-03-30 15:27:37 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-30 15:23:56 ----D---- C:\Documents and Settings
2009-03-30 15:23:27 ----D---- C:\Program Files\Mozilla Firefox
2009-03-30 14:26:58 ----SHD---- C:\WINDOWS\Installer
2009-03-30 14:26:53 ----A---- C:\WINDOWS\OEWABLog.txt
2009-03-27 16:12:59 ----D---- C:\WINDOWS\Prefetch
2009-03-27 11:33:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-27 11:26:07 ----RD---- C:\Program Files
2009-03-27 11:25:10 ----RASH---- C:\boot.ini
2009-03-27 11:22:22 ----D---- C:\WINDOWS\network diagnostic
2009-03-27 11:15:44 ----D---- C:\Program Files\Lx_cats
2009-03-20 11:21:48 ----D---- C:\Documents and Settings\Bryan\Application Data\WeatherBug
2009-03-19 11:15:02 ----D---- C:\WINDOWS\Minidump
2009-03-11 03:01:16 ----HD---- C:\WINDOWS\inf
2009-03-11 03:01:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-11 03:01:10 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 23:11:49 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 Winflash;Winflash; C:\WINDOWS\system32\drivers\Winflash.sys [2001-11-30 3538]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-09-08 19915]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-04-01 719052]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS\System32\DRIVERS\RT2500.sys [2005-04-21 242176]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2003-10-23 253672]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-09-29 2456064]
S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2003-05-21 175360]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\System32\DRIVERS\ENTECH.SYS []
S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2006-12-05 29184]
S3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\system32\DRIVERS\itchfltr.sys [2003-11-08 12953]
S3 L8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys [2003-11-07 51486]
S3 LCcfltr;Logitech USB Filter Driver; C:\WINDOWS\System32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-11-07 25502]
S3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-11-07 37884]
S3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-11-07 70798]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 SCR131C;SCRx31 Serial Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR131C.sys [2002-11-07 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-06 64088]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 acachsrv;ActivClient Authentication Service; C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
R2 acautoup;ActivClient Auto-Update Service; C:\Program Files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
R2 accoca;ActivClient Middleware Service; C:\Program Files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
R2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
R2 lxdd_device;lxdd_device; C:\WINDOWS\system32\lxddcoms.exe [2007-05-25 537520]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
R2 Movielink Core Service;Movielink Core Service; C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE [2006-05-26 1115744]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-29 483328]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-11-30 516096]
S2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 WMP54Gv4SVC;WMP54Gv4SVC; C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

Thanks again.

Sincerely,
bmyronstyle


#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:41 AM

Posted 30 March 2009 - 05:15 PM

Hello,

Yes, all the illegal stuff you downloaded is wreaking havoc. Errors are to be expected until it gets clean.

Uninstall Microsoft Antispyware. It's outdated by years now and is doing you no good.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
File::
c:\windows\system32\48.tmp
c:\windows\system32\47.tmp
c:\windows\system32\3E.tmp
c:\windows\system32\3D.tmp
c:\windows\system32\29.tmp
c:\windows\system32\52.tmp
c:\windows\system32\51.tmp
c:\windows\system32\12.tmp
c:\windows\system32\216.tmp
c:\windows\system32\215.tmp
c:\windows\system32\17.tmp
c:\windows\system32\16.tmp
c:\windows\system32\3C4.tmp
c:\windows\system32\3C2.tmp


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (please do reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 bmyronstyle

bmyronstyle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 30 March 2009 - 09:23 PM

teacup61,

Here's the new ComboFix report:

ComboFix 09-03-26.03 - Bryan 2009-03-30 21:59:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.648 [GMT -4:00]
Running from: c:\documents and settings\Bryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bryan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\12.tmp
c:\windows\system32\16.tmp
c:\windows\system32\17.tmp
c:\windows\system32\215.tmp
c:\windows\system32\216.tmp
c:\windows\system32\29.tmp
c:\windows\system32\3C2.tmp
c:\windows\system32\3C4.tmp
c:\windows\system32\3D.tmp
c:\windows\system32\3E.tmp
c:\windows\system32\47.tmp
c:\windows\system32\48.tmp
c:\windows\system32\51.tmp
c:\windows\system32\52.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\12.tmp
c:\windows\system32\16.tmp
c:\windows\system32\17.tmp
c:\windows\system32\215.tmp
c:\windows\system32\216.tmp
c:\windows\system32\29.tmp
c:\windows\system32\3C2.tmp
c:\windows\system32\3C4.tmp
c:\windows\system32\3D.tmp
c:\windows\system32\3E.tmp
c:\windows\system32\47.tmp
c:\windows\system32\48.tmp
c:\windows\system32\51.tmp
c:\windows\system32\52.tmp

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-25 18:31 . 2009-03-25 18:47 <DIR> d-------- C:\rsit
2009-03-25 18:31 . 2009-03-30 15:41 <DIR> d-------- c:\program files\trend micro
2009-03-14 03:02 . 2009-03-14 03:02 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-03-14 03:02 . 2009-03-14 03:02 206 --a------ c:\windows\system32\MRT.INI
2009-02-23 11:16 . 2009-02-23 11:16 <DIR> d-------- c:\program files\XoftSpySE
2009-02-12 18:17 . 2009-02-12 18:17 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-12 18:16 . 2009-02-12 18:16 <DIR> d-------- c:\documents and settings\Bryan\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-02-12 16:31 . 2009-02-12 16:31 <DIR> d-------- c:\program files\PureEdge
2009-02-12 16:31 . 2009-02-12 16:31 <DIR> d-------- c:\documents and settings\Bryan\Application Data\PureEdge
2009-02-12 16:31 . 2009-02-12 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\PureEdge
2009-02-12 16:31 . 2003-11-21 19:02 2,101,248 --a------ c:\windows\system32\pe_cc.dll
2009-02-12 16:31 . 2003-11-21 19:02 1,167,360 --a------ c:\windows\system32\pe_java.dll
2009-02-12 16:31 . 2003-11-21 19:02 712,704 --a------ c:\windows\system32\uwi_java.dll
2009-02-12 16:31 . 2003-02-21 13:44 172,032 --a------ c:\windows\system32\SSCE5332.dll
2009-02-12 16:31 . 2003-02-21 11:44 167,936 --a------ c:\windows\system32\MSQOLE.DLL
2009-02-12 16:31 . 2009-02-12 16:31 61 --a------ c:\windows\PureEdgeAPI.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 17:19 700,416 ----a-w C:\StubInstaller.exe
2009-03-31 02:04 --------- d-----w c:\program files\Microsoft AntiSpyware
2009-03-30 20:12 --------- d-----w c:\program files\Lx_cats
2009-03-20 15:21 --------- d-----w c:\documents and settings\Bryan\Application Data\WeatherBug
2009-02-15 07:00 --------- d-----w c:\program files\LimeWire
2009-02-12 20:31 --------- d--h--w c:\program files\InstallShield Installation Information
2005-02-08 16:56 442 ----a-w c:\program files\Shortcut to AIM.lnk
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_11.33.42.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-09 02:14:57 64,372 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-27 15:33:29 64,372 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-09 02:14:57 409,232 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-27 15:33:29 409,232 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\progra~1\AIM\aim.exe" [2006-08-01 67112]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-09-09 1597440]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2006-11-10 275968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-30 180269]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.0\masqform.exe" [2003-12-03 1052672]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 473928]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2006-11-10 77312]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-09-27 114688]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-06-19 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-01-30 08:57 101888 c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-01-30 14:57 260096 c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA Games\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\progra~1\\mozill~1\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddwbgw.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11484:TCP"= 11484:TCP:BND

R0 axwhisky;axwhisky;c:\windows\system32\drivers\axwhisky.sys [2003-07-02 5248]
R0 axwskbus;axwskbus;c:\windows\system32\drivers\axwskbus.sys [2003-07-02 124160]
R2 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
R2 acautoup;ActivClient Auto-Update Service;c:\program files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-03-19 99248]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCCFLTR.SYS [2004-09-29 14092]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [2002-11-07 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2004-04-06 64088]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\8i5hi0bc.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\8i5hi0bc.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07100121.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 22:05:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\lxddcoms.exe
c:\progra~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-30 22:09:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 02:08:58
ComboFix2.txt 2009-03-30 19:39:45
ComboFix3.txt 2009-03-27 15:34:22

Pre-Run: 185,616,891,904 bytes free
Post-Run: 185,603,076,096 bytes free

227 --- E O F --- 2009-03-30 18:46:30

And new HJT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Bryan at 2009-03-30 22:11:25
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 177 GB (74%) free of 238 GB
Total RAM: 1023 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:27 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Bryan\Desktop\RSIT.exe
C:\Program Files\trend micro\Bryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096307220389
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram11c.vcu.edu/dwa7W.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9919 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2008-06-11 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 501400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{40D41A8B-D79B-43d7-99A7-9EE0F344C385} - AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll [2004-09-30 163840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2003-03-27 53248]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-11-30 344064]
"NeroCheck"=C:\WINDOWS\System32\\NeroCheck.exe [2001-07-09 155648]
"accrdsub"=C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [2006-11-10 275968]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2005-03-30 180269]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
"lxddmon.exe"=C:\Program Files\Lexmark 2500 Series\lxddmon.exe [2007-06-11 291760]
"lxddamon"=C:\Program Files\Lexmark 2500 Series\lxddamon.exe [2007-04-30 20480]
"FaxCenterServer"=C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2007-06-11 312240]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2003-07-28 4841472]
"nwiz"=nwiz.exe /install []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"masqform.exe"=C:\Program Files\PureEdge\Viewer 6.0\masqform.exe [2003-12-03 1052672]
"gcasServ"=C:\Program Files\Microsoft AntiSpyware\gcasServ.exe [2005-07-12 473928]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"=C:\PROGRA~1\AIM\aim.exe [2006-08-01 67112]
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe [2004-09-09 1597440]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2006-04-02 389120]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll [2007-01-30 101888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll [2007-01-30 260096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-29 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"=C:\Program Files\Microsoft AntiSpyware\shellextension.dll [2005-06-24 101080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe"="C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault™"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\WINDOWS\system32\lxddcoms.exe"="C:\WINDOWS\system32\lxddcoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"="C:\Program Files\Lexmark 2500 Series\lxddamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\Program Files\Lexmark 2500 Series\App4R.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"c:\progra~1\mozill~1\firefox.exe"="c:\progra~1\mozill~1\firefox.exe:*:Enabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe:*:Enabled: "
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"="C:\Program Files\Lexmark 2500 Series\lxddmon.exe:*:Enabled: "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Lexmark 2500 Series\app4r.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Printing Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-30 22:09:02 ----D---- C:\WINDOWS\temp
2009-03-30 22:09:02 ----A---- C:\ComboFix.txt
2009-03-27 11:25:10 ----A---- C:\Boot.bak
2009-03-27 11:25:05 ----RASHD---- C:\cmdcons
2009-03-27 11:18:58 ----A---- C:\WINDOWS\zip.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\VFIND.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWSC.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWREG.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\sed.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\NIRCMD.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\grep.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\fdsv.exe
2009-03-27 11:18:49 ----D---- C:\WINDOWS\ERDNT
2009-03-27 11:18:47 ----D---- C:\Qoobox
2009-03-25 18:31:37 ----D---- C:\rsit
2009-03-25 18:31:37 ----D---- C:\Program Files\trend micro
2009-03-14 03:02:01 ----D---- C:\WINDOWS\system32\MpEngineStore
2009-03-14 03:02:01 ----A---- C:\WINDOWS\system32\MRT.INI
2009-03-11 03:01:13 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-11 03:00:18 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$

======List of files/folders modified in the last 1 months======

2010-01-04 13:19:48 ----A---- C:\StubInstaller.exe
2010-01-04 12:56:26 ----A---- C:\WINDOWS\ODBC.INI
2010-01-03 19:24:41 ----SHD---- C:\System Volume Information
2010-01-03 19:24:41 ----D---- C:\WINDOWS\system32\Restore
2009-03-30 22:09:04 ----SHD---- C:\WINDOWS\system32
2009-03-30 22:09:04 ----D---- C:\WINDOWS\system32\drivers
2009-03-30 22:09:02 ----D---- C:\WINDOWS
2009-03-30 22:08:07 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-30 22:07:08 ----SD---- C:\WINDOWS\Tasks
2009-03-30 22:05:40 ----A---- C:\WINDOWS\system.ini
2009-03-30 22:04:19 ----D---- C:\Program Files\Microsoft AntiSpyware
2009-03-30 22:02:12 ----D---- C:\WINDOWS\AppPatch
2009-03-30 22:02:03 ----D---- C:\Program Files\Common Files
2009-03-30 21:59:40 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-30 16:12:51 ----D---- C:\Program Files\Lx_cats
2009-03-30 15:43:15 ----D---- C:\Program Files\Mozilla Firefox
2009-03-30 15:33:28 ----D---- C:\WINDOWS\system32\config
2009-03-30 15:23:56 ----D---- C:\Documents and Settings
2009-03-30 14:26:58 ----SHD---- C:\WINDOWS\Installer
2009-03-30 14:26:53 ----A---- C:\WINDOWS\OEWABLog.txt
2009-03-27 16:12:59 ----D---- C:\WINDOWS\Prefetch
2009-03-27 11:33:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-27 11:26:07 ----RD---- C:\Program Files
2009-03-27 11:25:10 ----RASH---- C:\boot.ini
2009-03-27 11:22:22 ----D---- C:\WINDOWS\network diagnostic
2009-03-20 11:21:48 ----D---- C:\Documents and Settings\Bryan\Application Data\WeatherBug
2009-03-19 11:15:02 ----D---- C:\WINDOWS\Minidump
2009-03-11 03:01:16 ----HD---- C:\WINDOWS\inf
2009-03-11 03:01:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-11 03:01:10 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 23:11:49 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 Winflash;Winflash; C:\WINDOWS\system32\drivers\Winflash.sys [2001-11-30 3538]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-09-08 19915]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-04-01 719052]
R3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS\System32\DRIVERS\RT2500.sys [2005-04-21 242176]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2003-10-23 253672]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-09-29 2456064]
S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2003-05-21 175360]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\System32\DRIVERS\ENTECH.SYS []
S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2006-12-05 29184]
S3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\system32\DRIVERS\itchfltr.sys [2003-11-08 12953]
S3 L8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys [2003-11-07 51486]
S3 LCcfltr;Logitech USB Filter Driver; C:\WINDOWS\System32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-11-07 25502]
S3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-11-07 37884]
S3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-11-07 70798]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 SCR131C;SCRx31 Serial Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR131C.sys [2002-11-07 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-06 64088]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 acachsrv;ActivClient Authentication Service; C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
R2 acautoup;ActivClient Auto-Update Service; C:\Program Files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
R2 accoca;ActivClient Middleware Service; C:\Program Files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
R2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
R2 lxdd_device;lxdd_device; C:\WINDOWS\system32\lxddcoms.exe [2007-05-25 537520]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
R2 Movielink Core Service;Movielink Core Service; C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE [2006-05-26 1115744]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-29 483328]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-11-30 516096]
S2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 WMP54Gv4SVC;WMP54Gv4SVC; C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

I'm pretty sure stuff is still here, I know this'll be a lengthly process. Every time I run Firefox after rebooting the computer, it asks me if I want to set as default browser and I always click yes with the remember action box checked. Also I've noticed that the icons in my task tray are enlarged, something that I remembered when I had a Trojan years ago. Will also remove Microsoft Antispyware, need to read how to remove it completely, just deleting folders didn't do the trick. Thanks. :thumbup2:

Sincerely,

bmyronstyle

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:41 AM

Posted 30 March 2009 - 09:57 PM

Hello,

Looking better, even though things still aren't right. :thumbup2:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 bmyronstyle

bmyronstyle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 31 March 2009 - 03:48 PM

Hey tea,

MBAM report:

Malwarebytes' Anti-Malware 1.35
Database version: 1925
Windows 5.1.2600 Service Pack 3

3/31/2009 4:31:59 PM
mbam-log-2009-03-31 (16-31-59).txt

Scan type: Quick Scan
Objects scanned: 77280
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT report:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Bryan at 2009-03-31 16:43:27
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 177 GB (74%) free of 238 GB
Total RAM: 1023 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:29 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bryan\Desktop\RSIT.exe
C:\Program Files\trend micro\Bryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096307220389
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram11c.vcu.edu/dwa7W.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: ActivClient Authentication Service (acachsrv) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9905 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2008-06-11 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 501400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{40D41A8B-D79B-43d7-99A7-9EE0F344C385} - AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll [2004-09-30 163840]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2003-03-27 53248]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-11-30 344064]
"NeroCheck"=C:\WINDOWS\System32\\NeroCheck.exe [2001-07-09 155648]
"accrdsub"=C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [2006-11-10 275968]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2005-03-30 180269]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
"lxddmon.exe"=C:\Program Files\Lexmark 2500 Series\lxddmon.exe [2007-06-11 291760]
"lxddamon"=C:\Program Files\Lexmark 2500 Series\lxddamon.exe [2007-04-30 20480]
"FaxCenterServer"=C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2007-06-11 312240]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2003-07-28 4841472]
"nwiz"=nwiz.exe /install []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"masqform.exe"=C:\Program Files\PureEdge\Viewer 6.0\masqform.exe [2003-12-03 1052672]
"gcasServ"=C:\Program Files\Microsoft AntiSpyware\gcasServ.exe [2005-07-12 473928]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"=C:\PROGRA~1\AIM\aim.exe [2006-08-01 67112]
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe [2004-09-09 1597440]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2006-04-02 389120]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
ActivClient Agent.lnk - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll [2007-01-30 101888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll [2007-01-30 260096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-09-29 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"=C:\Program Files\Microsoft AntiSpyware\shellextension.dll [2005-06-24 101080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\dxdiag.exe"="C:\WINDOWS\system32\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"
"C:\WINDOWS\system32\dpnsvr.exe"="C:\WINDOWS\system32\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe"="C:\Program Files\EA Games\Medal of Honor Pacific Assault™\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault™"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\WINDOWS\system32\lxddcoms.exe"="C:\WINDOWS\system32\lxddcoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"="C:\Program Files\Lexmark 2500 Series\lxddamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\Program Files\Lexmark 2500 Series\App4R.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"c:\progra~1\mozill~1\firefox.exe"="c:\progra~1\mozill~1\firefox.exe:*:Enabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddwbgw.exe:*:Enabled: "
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"="C:\Program Files\Lexmark 2500 Series\lxddmon.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddpswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddjswx.exe:*:Enabled: "
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddtime.exe:*:Enabled: "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Lexmark 2500 Series\app4r.exe"="C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Printing Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-31 16:27:39 ----D---- C:\Documents and Settings\Bryan\Application Data\Malwarebytes
2009-03-31 16:27:35 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-31 16:27:34 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-30 22:09:02 ----D---- C:\WINDOWS\temp
2009-03-30 22:09:02 ----A---- C:\ComboFix.txt
2009-03-27 11:25:10 ----A---- C:\Boot.bak
2009-03-27 11:25:05 ----RASHD---- C:\cmdcons
2009-03-27 11:18:58 ----A---- C:\WINDOWS\zip.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\VFIND.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWSC.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\SWREG.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\sed.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\NIRCMD.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\grep.exe
2009-03-27 11:18:58 ----A---- C:\WINDOWS\fdsv.exe
2009-03-27 11:18:49 ----D---- C:\WINDOWS\ERDNT
2009-03-27 11:18:47 ----D---- C:\Qoobox
2009-03-25 18:31:37 ----D---- C:\rsit
2009-03-25 18:31:37 ----D---- C:\Program Files\trend micro
2009-03-14 03:02:01 ----D---- C:\WINDOWS\system32\MpEngineStore
2009-03-14 03:02:01 ----A---- C:\WINDOWS\system32\MRT.INI
2009-03-11 03:01:13 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-11 03:00:18 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$

======List of files/folders modified in the last 1 months======

2010-01-04 13:19:48 ----A---- C:\StubInstaller.exe
2010-01-04 12:56:26 ----A---- C:\WINDOWS\ODBC.INI
2010-01-03 19:24:41 ----SHD---- C:\System Volume Information
2010-01-03 19:24:41 ----D---- C:\WINDOWS\system32\Restore
2009-03-31 16:42:08 ----SD---- C:\WINDOWS\Tasks
2009-03-31 16:40:38 ----D---- C:\WINDOWS\Prefetch
2009-03-31 16:39:15 ----D---- C:\Program Files\Microsoft AntiSpyware
2009-03-31 16:37:36 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-31 16:27:38 ----D---- C:\WINDOWS\system32\drivers
2009-03-31 16:27:34 ----RD---- C:\Program Files
2009-03-31 16:25:42 ----D---- C:\Program Files\Lx_cats
2009-03-31 09:57:36 ----D---- C:\Program Files\Mozilla Firefox
2009-03-30 22:09:04 ----SHD---- C:\WINDOWS\system32
2009-03-30 22:09:02 ----D---- C:\WINDOWS
2009-03-30 22:08:07 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-30 22:05:40 ----A---- C:\WINDOWS\system.ini
2009-03-30 22:02:12 ----D---- C:\WINDOWS\AppPatch
2009-03-30 22:02:03 ----D---- C:\Program Files\Common Files
2009-03-30 15:33:28 ----D---- C:\WINDOWS\system32\config
2009-03-30 15:23:56 ----D---- C:\Documents and Settings
2009-03-30 14:26:58 ----SHD---- C:\WINDOWS\Installer
2009-03-30 14:26:53 ----A---- C:\WINDOWS\OEWABLog.txt
2009-03-27 11:33:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-27 11:25:10 ----RASH---- C:\boot.ini
2009-03-27 11:22:22 ----D---- C:\WINDOWS\network diagnostic
2009-03-20 11:21:48 ----D---- C:\Documents and Settings\Bryan\Application Data\WeatherBug
2009-03-19 11:15:02 ----D---- C:\WINDOWS\Minidump
2009-03-11 03:01:16 ----HD---- C:\WINDOWS\inf
2009-03-11 03:01:15 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-11 03:01:10 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 23:11:49 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 Winflash;Winflash; C:\WINDOWS\system32\drivers\Winflash.sys [2001-11-30 3538]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-09-08 19915]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2003-04-01 719052]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 RT2500;Linksys Wireless-G PCI Adapter Driver; C:\WINDOWS\System32\DRIVERS\RT2500.sys [2005-04-21 242176]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2003-10-23 253672]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-09-29 2456064]
S3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2003-05-21 175360]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\System32\DRIVERS\ENTECH.SYS []
S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2006-12-05 29184]
S3 itchfltr;iTouch Keyboard Filter; C:\WINDOWS\system32\DRIVERS\itchfltr.sys [2003-11-08 12953]
S3 L8042pr2;Logitech PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys [2003-11-07 51486]
S3 LCcfltr;Logitech USB Filter Driver; C:\WINDOWS\System32\Drivers\LCcFltr.Sys [2003-11-07 14092]
S3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-11-07 25502]
S3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-11-07 37884]
S3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-11-07 70798]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 SCR131C;SCRx31 Serial Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR131C.sys [2002-11-07 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader; C:\WINDOWS\system32\DRIVERS\SCR33X2K.sys [2004-04-06 64088]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 acachsrv;ActivClient Authentication Service; C:\Program Files\ActivIdentity\ActivClient\acachsrv.exe [2006-11-10 74240]
R2 acautoup;ActivClient Auto-Update Service; C:\Program Files\ActivIdentity\ActivClient\acautoup.exe [2006-11-10 26624]
R2 accoca;ActivClient Middleware Service; C:\Program Files\ActivIdentity\ActivClient\accoca.exe [2006-11-10 129536]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-09-12 554352]
R2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2007-11-28 583048]
R2 lxdd_device;lxdd_device; C:\WINDOWS\system32\lxddcoms.exe [2007-05-25 537520]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
R2 Movielink Core Service;Movielink Core Service; C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE [2006-05-26 1115744]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-09-29 483328]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-11-30 516096]
S2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 WMP54Gv4SVC;WMP54Gv4SVC; C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2007-09-12 2999664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

Slowly, but surely... :thumbup2:

-bmyronstyle

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:41 AM

Posted 31 March 2009 - 05:06 PM

Hi there,

Might seem like a silly question, but have you tried the settings for the icons? You just never know what is going to be affected by this malware garbage. :thumbup2:

How is it running otherwise? :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 bmyronstyle

bmyronstyle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 01 April 2009 - 03:12 PM

Tea,

I found how to fix the system tray, found someone with a similar problem and had to reset the Windows display settings to classic and then back to XP. Don't know how the icons were enlarged in the first place, but it fixed the problem. Thank you so much for your help, I don't have anymore annoying pop-ups and my searches on search engines are now back to normal. While the Trojan was active, the first page of results was always the same annoying websites that had nothing to do with my search. This has been a valuable lesson in taking greater care of my computer. :thumbup2:

Sincerely,

Bryan Smith
b_myronstyle

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:41 AM

Posted 01 April 2009 - 03:32 PM

Hello there,

Glad you got it back to normal! :thumbup2: I knew it sounded like the settings, but since I can't see what you see I have to try and look at it through your eyes. Sometimes that isn't so easy. :)

Don't forget to uninstall MAS......it's just taking up space you could be using for other things now.

Your Java is way out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_u_13.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio, or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:41 AM

Posted 04 April 2009 - 06:31 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users