Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with CatchMe


  • This topic is locked This topic is locked
23 replies to this topic

#1 kskreider

kskreider

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 12 April 2009 - 01:52 PM

So I started getting Google redirects about a day after my Symantec Endpoint Quarantined a trojan dropper. I performed some removal methods and seem to have the redirects under control. Here is my DDS log. Can someone tell me if this looks clean?


DDS (Ver_09-03-16.01) - NTFSx86
Run by keith at 11:48:37.71 on Mon 04/13/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2370 [GMT -7:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\VIRUS FIX\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
StartupFolder: c:\docume~1\keith\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-ba7e-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202956145453
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
TCP: {F3736D52-08DD-48F4-BE59-CFC4487E1226} = 10.1.10.1
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\508\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keith\applic~1\mozilla\firefox\profiles\df84xtya.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.slickdeals.net/forumdisplay.php?sduid=23449&f=9|https://login.bellona.lunarservers.com:2083/frontend/lp/index.html|http://www.google.com/ig
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

============= SERVICES / DRIVERS ===============

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2008-4-22 17792]
R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [2009-3-30 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\drivers\tdrpm174.sys [2009-3-30 971552]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-4-29 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-29 2234296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090412.003\NAVENG.SYS [2009-4-12 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090412.003\NAVEX15.SYS [2009-4-12 876144]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-4-29 23888]
S3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\drivers\gbridge.sys [2008-7-22 36864]

=============== Created Last 30 ================

2009-04-12 11:05 <DIR> --d----- C:\ComboFix
2009-04-12 10:14 <DIR> a-dshr-- C:\cmdcons
2009-04-12 10:13 161,792 a------- c:\windows\SWREG.exe
2009-04-12 10:13 98,816 a------- c:\windows\sed.exe
2009-04-11 18:50 <DIR> --d----- c:\program files\Trend Micro
2009-04-11 17:21 <DIR> --d----- c:\docume~1\keith\applic~1\Malwarebytes
2009-04-11 17:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-11 17:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 17:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-11 17:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-11 17:04 <DIR> --d----- c:\documents and settings\keith\.housecall6.6
2009-03-30 12:19 971,552 a------- c:\windows\system32\drivers\tdrpm174.sys
2009-03-30 12:18 134,272 a------- c:\windows\system32\drivers\snman380.sys
2009-03-28 12:18 <DIR> --d----- c:\program files\AskPBar
2009-03-28 12:16 <DIR> --d----- c:\program files\Mozilla Thunderbird 3 Beta 2
2009-03-28 12:16 36,864 a------- c:\windows\system32\drivers\AmdK8.sys
2009-03-28 12:03 <DIR> --d----- c:\program files\RadarSync
2009-03-21 11:04 44,704 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-03-21 10:51 <DIR> --d----- c:\windows\system32\drivers\acronis
2009-03-18 14:40 <DIR> --d----- c:\program files\RapGet
2009-03-18 12:42 <DIR> --d----- c:\program files\JDownloader
2009-03-17 12:29 <DIR> --d----- c:\program files\eFileCabinet 4
2009-03-17 11:11 <DIR> --d----- c:\docume~1\keith\applic~1\eFileCabinet
2009-03-15 16:44 <DIR> --d----- C:\91aac401fb4b76de8224

==================== Find3M ====================

2009-04-09 15:55 9,216 a------- c:\program files\n
2009-04-02 17:39 156,672 a------- c:\windows\system32\rmc_fixasf.exe
2009-04-02 17:39 237,568 a------- c:\windows\system32\rmc_rtspdl.dll
2009-04-02 17:39 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
2009-03-30 14:44 848 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-03-30 12:19 540,000 a------- c:\windows\system32\drivers\timntr.sys
2009-03-18 14:16 270,539 a------- c:\program files\rapget141.rar
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-05 17:49 848 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 11:48:57.43 ===============

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 AM

Posted 12 April 2009 - 06:19 PM

Hello kskreider,

Posted Image

I see you've run ComboFix. He he he.....CatchMe is part of ComboFix. This is why we don't want people using ComboFix without help.

Could you please post the report for me? Also, Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Post that log in your reply as well. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 kskreider

kskreider
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 13 April 2009 - 11:07 AM

Hijack this before I ran combofix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:41 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202956145453
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3736D52-08DD-48F4-BE59-CFC4487E1226}: NameServer = 10.1.10.1
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 12077 bytes


ComboFix log:

ComboFix 09-04-12.03 - keith 2009-04-12 10:15.1 - NTFSx86
Running from: j:\virus fix\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\qoa.igj
c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-04-12 01:50 . 2009-04-12 01:50 -------- d-----w c:\program files\Trend Micro
2009-04-12 00:21 . 2009-04-12 00:21 -------- d-----w c:\documents and settings\keith\Application Data\Malwarebytes
2009-04-12 00:21 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-12 00:21 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 00:21 . 2009-04-12 00:21 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 00:21 . 2009-04-12 00:21 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-12 00:04 . 2009-04-12 00:04 -------- d-----w c:\documents and settings\keith\.housecall6.6
2009-03-30 19:25 . 2009-03-30 19:25 -------- d-----w c:\documents and settings\keith\Application Data\Acronis
2009-03-30 19:19 . 2009-03-30 19:19 971552 ----a-w c:\windows\system32\drivers\tdrpm174.sys
2009-03-21 17:53 . 2009-03-30 19:18 -------- d-----w c:\program files\Acronis
2009-03-21 17:51 . 2009-03-21 17:51 -------- d-----w c:\windows\system32\drivers\acronis
2009-03-18 21:40 . 2009-03-18 21:41 -------- d-----w c:\program files\RapGet
2009-03-18 19:42 . 2009-03-18 21:02 -------- d-----w c:\program files\JDownloader
2009-03-17 19:29 . 2009-03-17 19:29 -------- d-----w c:\program files\eFileCabinet 4
2009-03-17 18:11 . 2009-04-12 17:03 -------- d-----w c:\documents and settings\keith\Application Data\eFileCabinet
2009-03-15 23:44 . 2009-03-16 15:44 -------- d-----w C:\91aac401fb4b76de8224

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 17:02 . 2009-03-28 19:16 -------- d-----w c:\program files\Mozilla Thunderbird 3 Beta 2
2009-04-11 23:38 . 2008-08-21 17:09 -------- d-----w c:\documents and settings\keith\Application Data\Folding@home-x86
2009-04-11 21:36 . 2008-02-14 00:04 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-11 21:30 . 2008-08-12 20:17 -------- d-----w c:\documents and settings\keith\Application Data\foobar2000
2009-04-11 16:47 . 2009-01-07 18:21 -------- d-----w c:\documents and settings\keith\Application Data\TeraCopy
2009-04-09 22:55 . 2009-04-09 22:55 9216 ----a-w c:\program files\n
2009-04-08 18:36 . 2008-02-19 20:11 -------- d-----w c:\documents and settings\keith\Application Data\FileZilla
2009-04-03 14:41 . 2009-01-02 20:05 -------- d-----w c:\program files\Replay Media Catcher
2009-04-03 00:39 . 2009-01-02 20:07 156672 ----a-w c:\windows\system32\rmc_fixasf.exe
2009-04-03 00:39 . 2009-01-02 20:07 237568 ----a-w c:\windows\system32\rmc_rtspdl.dll
2009-04-03 00:39 . 2009-01-02 20:06 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-03-30 21:44 . 2008-12-09 20:59 848 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-03-30 19:19 . 2009-03-30 19:19 -------- d-----w c:\documents and settings\All Users\Application Data\Acronis
2009-03-30 19:19 . 2009-03-21 18:04 44704 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-03-30 19:19 . 2009-02-17 20:07 540000 ----a-w c:\windows\system32\drivers\timntr.sys
2009-03-30 19:18 . 2009-03-30 19:18 134272 ----a-w c:\windows\system32\drivers\snman380.sys
2009-03-30 19:18 . 2009-03-30 19:18 -------- d-----w c:\program files\Common Files\Acronis
2009-03-30 19:10 . 2008-02-14 00:30 -------- d-----w c:\program files\Trillian
2009-03-29 21:00 . 2009-03-28 19:03 -------- d-----w c:\program files\RadarSync
2009-03-28 20:41 . 2008-04-09 23:08 -------- d-----w c:\program files\FileZilla Client
2009-03-28 20:02 . 2008-02-14 00:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 19:31 . 2008-02-14 00:13 -------- d-----w c:\program files\Mozilla Thunderbird
2009-03-28 19:30 . 2009-03-28 19:30 -------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2009-03-28 19:29 . 2008-02-14 16:49 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-03-28 19:18 . 2009-03-28 19:18 -------- d-----w c:\program files\AskPBar
2009-03-28 19:17 . 2008-02-14 00:19 -------- d-----w c:\documents and settings\keith\Application Data\Thunderbird
2009-03-28 19:16 . 2009-03-28 19:16 -------- d-----w c:\program files\DIFX
2009-03-28 19:14 . 2009-02-03 01:58 -------- d-----w c:\program files\Yahoo!
2009-03-25 16:49 . 2009-03-25 16:48 -------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-03-22 18:26 . 2009-03-22 18:26 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-18 21:16 . 2009-03-18 21:16 270539 ----a-w c:\program files\rapget141.rar
2009-03-17 19:29 . 2008-02-14 00:10 -------- d-----w c:\documents and settings\All Users\Application Data\eFileCabinet
2009-03-17 19:28 . 2008-02-14 00:09 -------- d-----w c:\program files\eFileCabinet
2009-03-03 19:33 . 2008-03-13 16:25 -------- d-----w c:\program files\Citrix
2009-02-24 00:38 . 2008-02-13 23:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 23:12 . 2009-02-21 23:12 -------- d-----w c:\program files\Windows Installer Clean Up
2009-02-21 23:12 . 2008-02-27 20:06 -------- d-----w c:\program files\MSECache
2009-02-21 00:40 . 2009-02-20 23:07 -------- d-----w c:\program files\AutoStreamer
2009-02-18 18:25 . 2009-02-18 06:19 -------- d-----w c:\program files\Windows Live Safety Center
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-20 7680000]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-04-29 115560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-20 86016]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-20 4359280]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-20 960536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-20 377232]
"nwiz"="nwiz.exe" [2006-09-20 c:\windows\system32\nwiz.exe]

c:\documents and settings\keith\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2007-06-14 1873536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2008-02-13 25214]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-03 12:33 10536 c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
--a------ 2002-07-16 10:55 32768 c:\program files\Iomega\DriveIcons\deskup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
--a------ 2002-08-13 14:30 86016 c:\program files\Iomega\DriveIcons\Imgicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
--a------ 2008-11-14 17:08 83232 c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\DRIVERS\gbridge.sys [2008-07-22 36864]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\DRIVERS\ppa.sys [2001-08-17 17792]
S0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\DRIVERS\snman380.sys [2009-03-30 134272]
S0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\DRIVERS\tdrpm174.sys [2009-03-30 971552]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{694c2fa1-f93c-11dd-8c0f-000129f21375}]
\Shell\Shell00\Command - I:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80f40e5b-c32f-11dd-8bfa-000129f21375}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\nback.job
- D:\nback.bat [2007-10-02 09:16]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: {F3736D52-08DD-48F4-BE59-CFC4487E1226} = 10.1.10.1
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
FF - ProfilePath - c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\gle7i1rg.New User\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-616249376-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1028)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3956)
c:\program files\Trillian\events.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\QBMsgMgr.exe
.
**************************************************************************
.
Completion time: 2009-04-12 10:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-12 17:37

Pre-Run: 8,807,153,664 bytes free
Post-Run: 9,571,471,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

238 --- E O F --- 2009-03-16 15:44

HJT after ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:40 AM, on 4/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - S-1-5-18 Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202956145453
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3736D52-08DD-48F4-BE59-CFC4487E1226}: NameServer = 10.1.10.1
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 12645 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 AM

Posted 13 April 2009 - 10:35 PM

Hello,

Those look all right. :thumbup2: Can you tell me what this is? 2009-04-09 22:55 . 2009-04-09 22:55 9216 ----a-w c:\program files\n

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 kskreider

kskreider
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 14 April 2009 - 07:37 PM

Hello,

Those look all right. :thumbup2: Can you tell me what this is? 2009-04-09 22:55 . 2009-04-09 22:55 9216 ----a-w c:\program files\n


Thanks Tea. I cannot say what that "N" dir is as it is not there now. I did remove all of ComboFix and its remnants.

I have to admit that while I have done this a couple of times (ComboFix) it never ceases to amazes me that every situation is different. I have a separate machine at home that belongs to my wife which this happened to (nearly simultaneously) and I admit that I ran ComboFix on that one too, but with less success. She is still getting the redirects.

I will start a new thread for that one.

Thank you again.

Keith

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 AM

Posted 14 April 2009 - 08:32 PM

Hi Keith,

You're welcome. :step4:

Yes, each case is different.....another reason we don't recommend using it on your own. There's more to it than meets the eye. :)

Glad all is well with yours. :thumbup2:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 AM

Posted 20 April 2009 - 08:08 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by teacup61, 20 April 2009 - 09:28 AM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 kskreider

kskreider
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 21 April 2009 - 01:15 PM

Thanks for re-opening the thread. c:\program files\n is the dir in question as originally mentioned. It was quarantined last night and I still do not see the dir itself but something dropped a trojan last night. Here is my combofix log. please let me know how to proceed.

ComboFix 09-04-21.A8 - keith 04/21/2009 10:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2404 [GMT -7:00]
Running from: j:\virus fix\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-16 02:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 02:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 02:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 02:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 02:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 02:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 02:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 02:20 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 19:41 . 2009-04-14 19:40 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-12 17:55 . 2009-04-12 17:55 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-12 01:50 . 2009-04-12 01:50 -------- d-----w c:\program files\Trend Micro
2009-04-12 00:21 . 2009-04-12 00:21 -------- d-----w c:\documents and settings\keith\Application Data\Malwarebytes
2009-04-12 00:21 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-12 00:21 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 00:21 . 2009-04-12 00:21 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 00:21 . 2009-04-12 00:21 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-12 00:04 . 2009-04-12 00:04 -------- d-----w c:\documents and settings\keith\.housecall6.6
2009-03-30 19:25 . 2009-03-30 19:25 -------- d-----w c:\documents and settings\keith\Application Data\Acronis
2009-03-30 19:19 . 2009-03-30 19:19 971552 ----a-w c:\windows\system32\drivers\tdrpm174.sys
2009-03-30 19:19 . 2009-03-30 19:19 -------- d-----w c:\documents and settings\All Users\Application Data\Acronis
2009-03-30 19:18 . 2009-03-30 19:18 134272 ----a-w c:\windows\system32\drivers\snman380.sys
2009-03-30 19:18 . 2009-03-30 19:18 -------- d-----w c:\program files\Common Files\Acronis
2009-03-28 19:30 . 2009-03-28 19:30 -------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2009-03-28 19:18 . 2009-03-28 19:18 -------- d-----w c:\program files\AskPBar
2009-03-28 19:16 . 2009-04-21 17:04 -------- d-----w c:\program files\Mozilla Thunderbird 3 Beta 2
2009-03-28 19:16 . 2009-03-28 19:16 -------- d-----w c:\program files\DIFX
2009-03-28 19:16 . 2006-07-02 05:39 36864 ----a-w c:\windows\system32\drivers\AmdK8.sys
2009-03-28 19:04 . 2009-03-28 19:04 -------- d-----w c:\documents and settings\keith\Local Settings\Application Data\RadarSync
2009-03-28 19:03 . 2009-03-29 21:00 -------- d-----w c:\program files\RadarSync
2009-03-25 16:49 . 2009-03-25 16:49 -------- d-----w c:\documents and settings\keith\Local Settings\Application Data\WinZip
2009-03-25 16:48 . 2009-03-25 16:49 -------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-03-22 18:26 . 2009-03-22 18:26 -------- d-----w c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 17:52 . 2008-02-14 00:30 -------- d-----w c:\program files\Trillian
2009-04-21 17:52 . 2008-02-19 20:11 -------- d-----w c:\documents and settings\keith\Application Data\FileZilla
2009-04-21 17:24 . 2009-03-17 18:11 -------- d-----w c:\documents and settings\keith\Application Data\eFileCabinet
2009-04-21 16:22 . 2008-12-09 20:59 848 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-04-21 16:12 . 2008-02-20 17:19 -------- d-----w c:\documents and settings\All Users\Application Data\Zylom
2009-04-21 00:10 . 2008-08-12 20:17 -------- d-----w c:\documents and settings\keith\Application Data\foobar2000
2009-04-20 16:05 . 2008-02-13 23:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 19:40 . 2009-01-05 21:04 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-14 19:39 . 2008-02-20 16:55 -------- d-----w c:\program files\Java
2009-04-12 17:03 . 2008-02-13 23:53 73120 ----a-w c:\documents and settings\keith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 23:38 . 2008-08-21 17:09 -------- d-----w c:\documents and settings\keith\Application Data\Folding@home-x86
2009-04-11 21:36 . 2008-02-14 00:04 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-11 16:47 . 2009-01-07 18:21 -------- d-----w c:\documents and settings\keith\Application Data\TeraCopy
2009-04-03 14:41 . 2009-01-02 20:05 -------- d-----w c:\program files\Replay Media Catcher
2009-04-03 00:39 . 2009-01-02 20:07 156672 ----a-w c:\windows\system32\rmc_fixasf.exe
2009-04-03 00:39 . 2009-01-02 20:07 237568 ----a-w c:\windows\system32\rmc_rtspdl.dll
2009-04-03 00:39 . 2009-01-02 20:06 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-03-30 19:19 . 2009-03-21 18:04 44704 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-03-30 19:19 . 2009-02-17 20:07 540000 ----a-w c:\windows\system32\drivers\timntr.sys
2009-03-30 19:18 . 2009-03-21 17:53 -------- d-----w c:\program files\Acronis
2009-03-28 20:41 . 2008-04-09 23:08 -------- d-----w c:\program files\FileZilla Client
2009-03-28 20:02 . 2008-02-14 00:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 19:31 . 2008-02-14 00:13 -------- d-----w c:\program files\Mozilla Thunderbird
2009-03-28 19:29 . 2008-02-14 16:49 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-03-28 19:17 . 2008-02-14 00:19 -------- d-----w c:\documents and settings\keith\Application Data\Thunderbird
2009-03-28 19:14 . 2009-02-03 01:58 -------- d-----w c:\program files\Yahoo!
2009-03-18 21:41 . 2009-03-18 21:40 -------- d-----w c:\program files\RapGet
2009-03-18 21:16 . 2009-03-18 21:16 270539 ----a-w c:\program files\rapget141.rar
2009-03-18 21:02 . 2009-03-18 19:42 -------- d-----w c:\program files\JDownloader
2009-03-17 19:29 . 2008-02-14 00:10 -------- d-----w c:\documents and settings\All Users\Application Data\eFileCabinet
2009-03-17 19:29 . 2009-03-17 19:29 -------- d-----w c:\program files\eFileCabinet 4
2009-03-17 19:28 . 2008-02-14 00:09 -------- d-----w c:\program files\eFileCabinet
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 19:33 . 2008-03-13 16:25 -------- d-----w c:\program files\Citrix
2009-02-21 23:12 . 2009-02-21 23:12 -------- d-----w c:\program files\Windows Installer Clean Up
2009-02-21 23:12 . 2008-02-27 20:06 -------- d-----w c:\program files\MSECache
2009-02-21 00:40 . 2009-02-20 23:07 -------- d-----w c:\program files\AutoStreamer
2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-03-06 01:54 . 2008-03-06 01:54 128 -c--a-w c:\documents and settings\keith\Local Settings\Application Data\fusioncache.dat
2008-12-06 00:49 . 2008-02-19 17:50 848 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-20 7680000]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-04-29 115560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-20 86016]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359280]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377232]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-09-20 1617920]

c:\documents and settings\keith\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2007-6-14 1873536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2008-2-13 25214]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-03 19:33 10536 ----a-w c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\eFileCabinet 4\\Client\\e4Search.exe"=
"c:\\Program Files\\FileZilla Client\\filezilla.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-31 23888]
R3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\DRIVERS\gbridge.sys [2008-07-22 36864]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\DRIVERS\ppa.sys [2001-08-17 17792]
S0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\DRIVERS\snman380.sys [2009-03-30 134272]
S0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\DRIVERS\tdrpm174.sys [2009-03-30 971552]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{694c2fa1-f93c-11dd-8c0f-000129f21375}]
\Shell\Shell00\Command - I:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80f40e5b-c32f-11dd-8bfa-000129f21375}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\nback.job
- D:\nback.bat [2006-05-05 16:16]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: {F3736D52-08DD-48F4-BE59-CFC4487E1226} = 10.1.10.1
FF - ProfilePath - c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\gle7i1rg.New User\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-616249376-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3684)
c:\program files\Trillian\events.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2009-04-21 11:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 18:02
ComboFix2.txt 2009-04-13 18:25

Pre-Run: 14,099,558,400 bytes free
Post-Run: 14,090,162,176 bytes free

242 --- E O F --- 2009-04-16 10:09

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 AM

Posted 21 April 2009 - 01:28 PM

You're welcome. :thumbup2:

Do you know what this is? c:\windows\Tasks\nback.job
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 kskreider

kskreider
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 21 April 2009 - 01:30 PM

That is a scheduled task pointing at an XCopy script to back up a mapped drive to a second internal drive on this machine. "nback" for "network backup"

Edited by kskreider, 21 April 2009 - 01:32 PM.


#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 AM

Posted 21 April 2009 - 01:34 PM

Thanks. :thumbup2: Nothing came up on a search, but I wasn't going to nuke it without asking. :) That isn't a folder....it's a file c:\program files\n If it were a folder it would have said so in the CF report. Did you see a folder by that name in Program Files?

Please navigate to the following file:

c:\program files\n

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 kskreider

kskreider
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 21 April 2009 - 03:52 PM

Thanks. :thumbup2: Nothing came up on a search, but I wasn't going to nuke it without asking. :) That isn't a folder....it's a file c:\program files\n If it were a folder it would have said so in the CF report. Did you see a folder by that name in Program Files?

Please navigate to the following file:

c:\program files\n

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea


Hi Teacup,

I am unable to locate either a file or directory named c:\program files\n. If it existed last night it was quarantined by Symantec Endpoint and removed.

Keith

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 AM

Posted 21 April 2009 - 03:59 PM

Hi,

Well we thought that before right? Let's be sure this time :


* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\program files\n


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#14 kskreider

kskreider
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 21 April 2009 - 04:25 PM

ComboFix 09-04-22.02 - keith 04/21/2009 14:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2501 [GMT -7:00]
Running from: c:\documents and settings\keith\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\keith\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-21 21:03 . 2009-04-21 21:03 -------- d-----w c:\windows\system32\KB905474
2009-04-21 21:03 . 2009-03-11 05:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-21 21:03 . 2009-03-11 05:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-21 21:03 . 2009-02-10 01:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-16 02:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 02:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 02:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 02:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 02:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 02:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 02:20 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 02:20 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 19:41 . 2009-04-14 19:40 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-12 17:55 . 2009-04-12 17:55 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-12 01:50 . 2009-04-12 01:50 -------- d-----w c:\program files\Trend Micro
2009-04-12 00:21 . 2009-04-12 00:21 -------- d-----w c:\documents and settings\keith\Application Data\Malwarebytes
2009-04-12 00:21 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-12 00:21 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 00:21 . 2009-04-12 00:21 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-12 00:21 . 2009-04-12 00:21 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-12 00:04 . 2009-04-12 00:04 -------- d-----w c:\documents and settings\keith\.housecall6.6
2009-03-30 19:25 . 2009-03-30 19:25 -------- d-----w c:\documents and settings\keith\Application Data\Acronis
2009-03-30 19:19 . 2009-03-30 19:19 971552 ----a-w c:\windows\system32\drivers\tdrpm174.sys
2009-03-30 19:19 . 2009-03-30 19:19 -------- d-----w c:\documents and settings\All Users\Application Data\Acronis
2009-03-30 19:18 . 2009-03-30 19:18 134272 ----a-w c:\windows\system32\drivers\snman380.sys
2009-03-30 19:18 . 2009-03-30 19:18 -------- d-----w c:\program files\Common Files\Acronis
2009-03-28 19:30 . 2009-03-28 19:30 -------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2009-03-28 19:18 . 2009-03-28 19:18 -------- d-----w c:\program files\AskPBar
2009-03-28 19:16 . 2009-04-21 20:19 -------- d-----w c:\program files\Mozilla Thunderbird 3 Beta 2
2009-03-28 19:16 . 2009-03-28 19:16 -------- d-----w c:\program files\DIFX
2009-03-28 19:16 . 2006-07-02 05:39 36864 ----a-w c:\windows\system32\drivers\AmdK8.sys
2009-03-28 19:04 . 2009-03-28 19:04 -------- d-----w c:\documents and settings\keith\Local Settings\Application Data\RadarSync
2009-03-28 19:03 . 2009-03-29 21:00 -------- d-----w c:\program files\RadarSync
2009-03-25 16:49 . 2009-03-25 16:49 -------- d-----w c:\documents and settings\keith\Local Settings\Application Data\WinZip
2009-03-25 16:48 . 2009-03-25 16:49 -------- d-----w c:\documents and settings\All Users\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 21:14 . 2008-02-14 00:30 -------- d-----w c:\program files\Trillian
2009-04-21 17:52 . 2008-02-19 20:11 -------- d-----w c:\documents and settings\keith\Application Data\FileZilla
2009-04-21 17:24 . 2009-03-17 18:11 -------- d-----w c:\documents and settings\keith\Application Data\eFileCabinet
2009-04-21 16:22 . 2008-12-09 20:59 848 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-04-21 16:12 . 2008-02-20 17:19 -------- d-----w c:\documents and settings\All Users\Application Data\Zylom
2009-04-21 00:10 . 2008-08-12 20:17 -------- d-----w c:\documents and settings\keith\Application Data\foobar2000
2009-04-20 16:05 . 2008-02-13 23:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 19:40 . 2009-01-05 21:04 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-14 19:39 . 2008-02-20 16:55 -------- d-----w c:\program files\Java
2009-04-12 17:03 . 2008-02-13 23:53 73120 ----a-w c:\documents and settings\keith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 23:38 . 2008-08-21 17:09 -------- d-----w c:\documents and settings\keith\Application Data\Folding@home-x86
2009-04-11 21:36 . 2008-02-14 00:04 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-11 16:47 . 2009-01-07 18:21 -------- d-----w c:\documents and settings\keith\Application Data\TeraCopy
2009-04-03 14:41 . 2009-01-02 20:05 -------- d-----w c:\program files\Replay Media Catcher
2009-04-03 00:39 . 2009-01-02 20:07 156672 ----a-w c:\windows\system32\rmc_fixasf.exe
2009-04-03 00:39 . 2009-01-02 20:07 237568 ----a-w c:\windows\system32\rmc_rtspdl.dll
2009-04-03 00:39 . 2009-01-02 20:06 323584 ----a-w c:\windows\system32\AUDIOGENIE2.DLL
2009-03-30 19:19 . 2009-03-21 18:04 44704 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-03-30 19:19 . 2009-02-17 20:07 540000 ----a-w c:\windows\system32\drivers\timntr.sys
2009-03-30 19:18 . 2009-03-21 17:53 -------- d-----w c:\program files\Acronis
2009-03-28 20:41 . 2008-04-09 23:08 -------- d-----w c:\program files\FileZilla Client
2009-03-28 20:02 . 2008-02-14 00:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 19:31 . 2008-02-14 00:13 -------- d-----w c:\program files\Mozilla Thunderbird
2009-03-28 19:29 . 2008-02-14 16:49 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-03-28 19:17 . 2008-02-14 00:19 -------- d-----w c:\documents and settings\keith\Application Data\Thunderbird
2009-03-28 19:14 . 2009-02-03 01:58 -------- d-----w c:\program files\Yahoo!
2009-03-22 18:26 . 2009-03-22 18:26 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-18 21:41 . 2009-03-18 21:40 -------- d-----w c:\program files\RapGet
2009-03-18 21:16 . 2009-03-18 21:16 270539 ----a-w c:\program files\rapget141.rar
2009-03-18 21:02 . 2009-03-18 19:42 -------- d-----w c:\program files\JDownloader
2009-03-17 19:29 . 2008-02-14 00:10 -------- d-----w c:\documents and settings\All Users\Application Data\eFileCabinet
2009-03-17 19:29 . 2009-03-17 19:29 -------- d-----w c:\program files\eFileCabinet 4
2009-03-17 19:28 . 2008-02-14 00:09 -------- d-----w c:\program files\eFileCabinet
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 19:33 . 2008-03-13 16:25 -------- d-----w c:\program files\Citrix
2009-02-21 23:12 . 2009-02-21 23:12 -------- d-----w c:\program files\Windows Installer Clean Up
2009-02-21 23:12 . 2008-02-27 20:06 -------- d-----w c:\program files\MSECache
2009-02-21 00:40 . 2009-02-20 23:07 -------- d-----w c:\program files\AutoStreamer
2009-02-20 08:10 . 2004-08-04 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-03-06 01:54 . 2008-03-06 01:54 128 -c--a-w c:\documents and settings\keith\Local Settings\Application Data\fusioncache.dat
2008-12-06 00:49 . 2008-02-19 17:50 848 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-21_18.00.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 21:19 . 2009-04-21 21:19 16384 c:\windows\Temp\Perflib_Perfdata_594.dat
+ 2009-04-21 21:20 . 2009-04-21 21:20 16384 c:\windows\Temp\Perflib_Perfdata_1e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-20 7680000]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-12 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-04-29 115560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-20 86016]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359280]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377232]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-09-20 1617920]

c:\documents and settings\keith\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2007-6-14 1873536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2008-2-13 25214]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-03 19:33 10536 ----a-w c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\eFileCabinet 4\\Client\\e4Search.exe"=
"c:\\Program Files\\FileZilla Client\\filezilla.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-31 23888]
R3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\DRIVERS\gbridge.sys [2008-07-22 36864]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\DRIVERS\ppa.sys [2001-08-17 17792]
S0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\DRIVERS\snman380.sys [2009-03-30 134272]
S0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\DRIVERS\tdrpm174.sys [2009-03-30 971552]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{694c2fa1-f93c-11dd-8c0f-000129f21375}]
\Shell\Shell00\Command - I:\Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80f40e5b-c32f-11dd-8bfa-000129f21375}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\nback.job
- D:\nback.bat [2006-05-05 16:16]

2009-04-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-21 05:18]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: {F3736D52-08DD-48F4-BE59-CFC4487E1226} = 10.1.10.1
FF - ProfilePath - c:\documents and settings\keith\Application Data\Mozilla\Firefox\Profiles\gle7i1rg.New User\
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-616249376-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(996)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2332)
c:\program files\Trillian\events.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2009-04-21 14:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-21 21:22
ComboFix2.txt 2009-04-21 18:03
ComboFix3.txt 2009-04-13 18:25

Pre-Run: 14,049,595,392 bytes free
Post-Run: 14,038,003,712 bytes free

253 --- E O F --- 2009-04-21 21:03


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:41 PM, on 4/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202956145453
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3736D52-08DD-48F4-BE59-CFC4487E1226}: NameServer = 10.1.10.1
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 12041 bytes

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:17 AM

Posted 21 April 2009 - 04:57 PM

Hi there,

HijackThis looks good, and that file isn't showing in ComboFix. How is it running? :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users