Infected with Virtumonde/Vundo



#1 Target88


Posted 14 April 2009 - 10:45 PM

Lots of popups and CPU would max out at 100% every 30 seconds.

Ran malware and virus scans... Spybot came back with Virtumonde, also some DLLs that got flagged (jiwofehu.dll, fogizezu.dll; there was another but I did not write it down).


DDS (Ver_09-03-16.01) - NTFSx86
Run by William Bailey at 22:39:03.39 on Tue 04/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.249 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
AV: AntiVir Desktop *On-access scanning enabled* (Updated)
AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\program files\lotus\notes\ntmulti.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Smith Micro\StuffIt 12.0.1\ArcNameService.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\PROGRA~1\Logitech\iTouch\iTouch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\William Bailey\Desktop\dds.scr
C:\WINDOWS\SoftwareDistribution\Download\Install\windows-kb890830-v2.9-delta.exe
c:\581f774d04dba2dd3d\mrtstub.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {55999acd-9104-4023-b951-4864ebc5741e} - c:\windows\system32\tazodavi.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://theclonewars.cartoonnetwork.com/games/game_02_ext.html"
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [zBrowser Launcher] c:\progra~1\logitech\itouch\iTouch.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [miwagijone] Rundll32.exe "c:\windows\system32\padamori.dll",s
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [BOC-427] c:\progra~1\comodo\cboclean\BOC427.exe
mRunOnce: [KB923561] rundll32.exe apphelp.dll,ShimFlushCache
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tunnel~1.lnk - c:\windows\installer\{5650a422-0789-473f-b2c7-6c3d10cc9ffb}\Icon079d381e2.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: wachovia.com
Trusted Zone: wachovia.net
Trusted Zone: wachovia.com
Trusted Zone: wachovia.net
DPF: CIPRSNTL - hxxps://ciprs.wachovia.net/ciprsonline/src/CIPRSNTL.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://support.fastaccess.com/sdccommon/download/tgctlcm.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/17.17/uploader2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207801628328
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://myed-nc.wachovia.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\windows\system32\honomige.dll c:\windows\system32\dofodiro.dll c:\windows\system32\fogizezu.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fogizezu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\fogizezu.dll
LSA: Notification Packages = scecli c:\windows\system32\dofodiro.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-17 64160]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-13 11608]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [2008-4-30 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-13 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-13 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-13 55640]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2009-4-14 73464]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-2-6 3712]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\smith micro\stuffit 12.0.1\ArcNameService.exe [2008-5-23 157016]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-4-12 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-4-12 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-4-12 677128]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2003-12-4 24521]
S1 lkbdhlpr;Logitech Keyboard Class Helper Driver;c:\windows\system32\drivers\lkbdhlpr.sys --> c:\windows\system32\drivers\lkbdhlpr.sys [?]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2004-9-11 26488]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2003-11-13 36960]
S3 Inteaassmapp;Inteaassmapp;c:\windows\system32\drivers\ntfs.sys [2002-8-29 574976]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2003-12-4 155184]
S3 jfdcd;jfdcd;\??\c:\docume~1\willia~1\locals~1\temp\jfdcd.sys --> c:\docume~1\willia~1\locals~1\temp\jfdcd.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2003-11-18 14156]
S3 Rlb3350nicpt;Rlb3350nicpt;c:\windows\system32\drivers\drvmcdb.sys --> c:\windows\system32\drivers\drvmcdb.sys [?]

=============== Created Last 30 ================

2009-04-14 22:38 <DIR> --d----- C:\581f774d04dba2dd3d
2009-04-14 22:38 150 a------- c:\windows\system32\spupdsvc.inf
2009-04-14 22:37 1,374 a------- c:\windows\imsins.BAK
2009-04-14 21:56 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 21:56 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 21:56 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-14 02:02 22,528 a------- c:\windows\system32\wsock32.dlb
2009-04-14 02:02 205,560 a------- c:\windows\UNBOC.EXE
2009-04-14 02:02 212,728 a------- c:\windows\CMDLIC.DLL
2009-04-14 02:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BOC427
2009-04-14 02:02 13,370 a------- c:\windows\BOC427.INI
2009-04-14 02:02 <DIR> --d----- c:\program files\Comodo
2009-04-14 01:25 <DIR> --d----- C:\VundoFix Backups
2009-04-13 22:01 <DIR> --d----- C:\c2dfc0a44bb50409c97ba1
2009-04-13 18:30 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-13 18:30 <DIR> --d----- c:\program files\Avira
2009-04-13 18:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-12 23:17 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-12 23:17 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-12 23:17 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-04-12 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-04-12 23:02 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-04-12 23:02 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-04-12 23:02 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-04-12 23:02 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-04-12 23:02 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-04-12 02:12 10,520 -------- c:\windows\system32\avgrsstx.dll.install_backup
2009-04-12 02:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-09 21:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-03-24 12:47 359 a------- c:\windows\system32\BDUpdateV1.xml
2009-03-20 14:50 3,358,720 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-04-13 05:49 51,200 a--sh--- c:\windows\system32\zuyajera.exe
2009-04-12 17:51 51,200 a--sh--- c:\windows\system32\regoyivu.exe
2009-04-11 21:51 51,200 a--sh--- c:\windows\system32\nabukeyu.exe
2009-04-11 09:22 51,200 a--sh--- c:\windows\system32\wuyamoba.exe
2009-03-27 02:58 1,203,922 a------- c:\windows\apppatch\SET2E.tmp
2009-03-24 20:37 81,984 a------- c:\windows\system32\bdod.bin
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-11 06:50 179,927 a------- c:\windows\hpwins14.dat
2009-03-06 10:22 284,160 -------- c:\windows\system32\SET73.tmp
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-03 22:37 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-17 22:35 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-10 21:58 48,336 ac------ c:\docume~1\willia~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 08:10 729,088 -------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\SET72.tmp
2009-02-09 08:10 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-04 03:27 3,488,768 a------- c:\windows\system32\dllcache\ati2mtag.sys
2009-02-04 01:57 11,702,272 a------- c:\windows\system32\atioglxx.dll
2009-02-04 01:03 290,816 a------- c:\windows\system32\atiok3x2.dll
2009-02-04 00:56 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-02-04 00:55 324,096 a------- c:\windows\system32\ati2dvag.dll
2009-02-04 00:44 196,608 a------- c:\windows\system32\atipdlxx.dll
2009-02-04 00:44 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-02-04 00:43 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-02-04 00:43 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-02-04 00:43 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-02-04 00:41 602,112 a------- c:\windows\system32\ati2evxx.exe
2009-02-04 00:40 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-02-04 00:30 3,884,768 a------- c:\windows\system32\ati3duag.dll
2009-02-04 00:14 2,645,504 a------- c:\windows\system32\ativvaxx.dll
2009-02-03 23:58 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-02-03 23:54 471,040 a------- c:\windows\system32\atikvmag.dll
2009-02-03 23:53 122,880 a------- c:\windows\system32\atiadlxx.dll
2009-02-03 23:52 17,408 a------- c:\windows\system32\atitvo32.dll
2009-02-03 23:46 626,688 a------- c:\windows\system32\ati2cqag.dll
2009-02-03 23:44 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-02-03 22:43 45,056 a------- c:\windows\system32\aticalrt.dll
2009-02-03 22:42 45,056 a------- c:\windows\system32\aticalcl.dll
2009-02-03 22:40 3,244,032 a------- c:\windows\system32\aticaldd.dll
2009-02-03 22:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-01-20 02:47 1,984 a------- c:\windows\system32\d3d9caps.dat
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2007-03-22 23:46 66,269 a------- c:\program files\INSTALL.LOG
2007-01-27 12:50 1 a------- c:\documents and settings\william bailey\SI.bin
2005-05-05 23:20 63 ac------ c:\program files\SmartPAR.ini
2002-01-21 23:53 102,400 ac------ c:\program files\SmartPAR.exe
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2007-12-17 08:43 27,648 ---sh--- c:\windows\system32\Smab0.dll
2008-09-05 03:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 22:41:56.31 ===============
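For anyone triaging a DDS log like the one above, here is an added Python example (written for this thread; it is not part of the original post and not a DDS or ComboFix component) that flags the Vundo-style persistence entries the log shows: DLLs in AppInit_DLLs, an LSA notification package other than scecli, SSODL/STS shell service objects, a BHO registered without a name, a Run entry that loads a DLL through rundll32, and hidden executables under system32. The rule names, the sample lines (an excerpt constructed from the log above) and the "8 lowercase letters" filename heuristic are the editor's assumptions, and the rules run over a whole log rather than the single entries the poster listed.

```python
import re
from collections import Counter

# Sample lines constructed from the DDS log posted above (a small excerpt).
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {55999acd-9104-4023-b951-4864ebc5741e} - c:\windows\system32\tazodavi.dll
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [miwagijone] Rundll32.exe "c:\windows\system32\padamori.dll",s
mRunOnce: [KB923561] rundll32.exe apphelp.dll,ShimFlushCache
AppInit_DLLs: c:\windows\system32\honomige.dll c:\windows\system32\dofodiro.dll c:\windows\system32\fogizezu.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fogizezu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\fogizezu.dll
LSA: Notification Packages = scecli c:\windows\system32\dofodiro.dll
2009-04-13 05:49 51,200 a--sh--- c:\windows\system32\zuyajera.exe
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
"""

# "kind: rest" lines of the Pseudo HJT section (BHO:, mRun:, AppInit_DLLs:, LSA:, ...)
HJT_LINE = re.compile(r"^(?P<kind>[A-Za-z_]+):\s*(?P<rest>.*)$")
# "date time size attributes path" lines of the Created Last 30 / Find3M sections
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>\S.*)$")
# DLL handed to rundll32, quoted or not, up to the ",export" part
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)
# Heuristic (editor's assumption, not a DDS rule): Vundo drops 8-lowercase-letter names
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_line(line):
    """Apply the Vundo-indicator rules to one DDS log line; return (rule, path) pairs."""
    m = FILE_LINE.match(line)
    if m:
        path = m.group("path").strip()
        hidden = "sh" in m.group("attr")          # system + hidden attributes both set
        if hidden and "\\system32\\" in path.lower() and path.lower().endswith(".exe"):
            return [("hidden_system32_exe", path)]
        return []
    m = HJT_LINE.match(line)
    if not m:
        return []
    kind, rest = m.group("kind"), m.group("rest")
    if kind == "AppInit_DLLs":                    # every DLL here is loaded into every GUI process
        return [("appinit_dll", p) for p in rest.split()]
    if kind == "LSA":                             # only scecli is expected on a default XP install
        pkgs = rest.split("=", 1)[-1].split()
        return [("lsa_notification_package", p) for p in pkgs if p.lower() != "scecli"]
    if kind in ("SSODL", "STS"):                  # shell service objects run inside Explorer at logon
        return [("shell_service_object", rest.rsplit(" - ", 1)[-1])]
    if kind == "BHO" and rest.startswith("{"):    # BHO registered without a display name
        return [("nameless_bho", rest.split(" - ", 1)[-1])]
    if kind.endswith(("Run", "RunOnce")):         # uRun/mRun/dRun and their RunOnce variants
        r = RUNDLL.search(rest)
        if r and RANDOM_NAME.match(basename(r.group(1).strip())):
            return [("rundll32_random_dll", r.group(1).strip())]
    return []


def triage(log_text):
    """Run the rules over a whole log; return the findings and a per-file hit count."""
    findings = [f for line in log_text.splitlines() for f in triage_line(line)]
    hits = Counter(basename(path) for _, path in findings)
    return findings, hits


def random_named(findings):
    """Files among the findings whose name matches the 8-letter heuristic, sorted."""
    return sorted({basename(p) for _, p in findings if RANDOM_NAME.match(basename(p))})


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for rule, path in found:
        print(f"{rule:24} {path}")
    # A file hooked into several persistence points at once is the strongest signal
    print("hit in more than one place:", [n for n, c in counts.items() if c > 1])
```

On the excerpt this reports fogizezu.dll three times (AppInit_DLLs, SSODL and STS) and dofodiro.dll twice (AppInit_DLLs and LSA), while the legitimate rundll32 entry for apphelp.dll and the iTunes entry are not flagged.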

#2 fenzodahl512


Posted 16 April 2009 - 12:57 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Target88


Posted 16 April 2009 - 10:49 PM

ComboFix 09-04-17.01 - William Bailey 04/16/2009 23:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.534 [GMT -4:00]
Running from: c:\documents and settings\William Bailey\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\INSTALL.LOG

.
((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
.

2009-04-15 02:37 . 2009-04-15 02:45 1374 ----a-w c:\windows\imsins.BAK
2009-04-15 01:57 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 01:57 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 01:57 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 01:57 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 01:57 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 01:57 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 01:57 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 01:57 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 01:57 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 01:57 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 01:56 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 01:56 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 01:56 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 06:02 . 2008-04-14 00:12 22528 ----a-w c:\windows\system32\wsock32.dlb
2009-04-14 06:02 . 2008-07-14 09:09 205560 ----a-w c:\windows\UNBOC.EXE
2009-04-14 06:02 . 2008-07-14 09:09 212728 ----a-w c:\windows\CMDLIC.DLL
2009-04-14 06:02 . 2009-04-17 03:08 -------- d-----w c:\program files\Comodo
2009-04-14 05:25 . 2009-04-14 05:25 -------- d-----w C:\VundoFix Backups
2009-04-14 02:01 . 2009-04-14 03:05 -------- d-----w C:\c2dfc0a44bb50409c97ba1
2009-04-13 22:30 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-13 03:17 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-13 03:17 . 2009-04-02 23:08 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-13 03:17 . 2009-04-02 23:08 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-13 03:16 . 2009-04-13 03:16 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-13 03:02 . 2009-04-13 03:02 661808 ----a-w c:\windows\system32\UfWSC.cpl
2009-04-13 03:02 . 2009-03-06 02:17 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-13 03:02 . 2009-03-06 02:17 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-13 03:02 . 2009-03-06 02:17 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-13 03:02 . 2009-03-03 23:12 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-12 06:12 . 2009-04-12 06:12 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-04-12 06:12 . 2009-04-13 03:14 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-10 01:46 . 2009-04-10 01:47 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-03-24 16:47 . 2009-03-24 19:47 359 ----a-w c:\windows\system32\BDUpdateV1.xml
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-20 18:50 . 2009-03-20 18:50 3358720 ----a-w c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 03:03 . 2009-02-18 04:31 28444 ----a-w C:\aaw7boot.log
2009-04-16 21:52 . 2008-11-25 13:00 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 21:52 . 2003-11-22 03:34 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-15 02:37 . 2003-11-19 04:19 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-15 01:49 . 2006-03-07 02:02 1908 ----a-w C:\VundoFix.txt
2009-04-14 06:22 . 2008-09-03 11:38 -------- d-----w c:\program files\Coupons
2009-04-13 09:49 . 2009-01-13 09:49 51200 --sha-w c:\windows\SYSTEM32\zuyajera.exe
2009-04-13 03:17 . 2006-03-15 03:54 -------- d-----w c:\program files\Trend Micro
2009-04-12 22:03 . 2003-11-12 01:26 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-12 22:00 . 2008-12-23 23:49 -------- d-----w c:\program files\Norton Security Scan
2009-04-12 21:51 . 2009-01-12 21:51 51200 --sha-w c:\windows\SYSTEM32\regoyivu.exe
2009-04-12 01:51 . 2009-01-12 01:51 51200 --sha-w c:\windows\SYSTEM32\nabukeyu.exe
2009-04-11 13:22 . 2009-01-11 13:22 51200 --sha-w c:\windows\SYSTEM32\wuyamoba.exe
2009-04-10 01:47 . 2006-10-16 01:10 -------- d-----w c:\program files\iTunes
2009-04-10 01:46 . 2005-06-15 00:42 -------- d-----w c:\program files\iPod
2009-04-10 01:46 . 2007-07-10 03:47 -------- d-----w c:\program files\Common Files\Apple
2009-04-03 01:11 . 2008-03-09 23:02 -------- d-----w c:\program files\TuneUp Utilities 2008
2009-04-01 04:59 . 2007-08-23 01:11 -------- d-----w c:\documents and settings\William Bailey\Application Data\Azureus
2009-03-25 00:39 . 2008-07-20 16:16 -------- d-----w c:\program files\Common Files\BitDefender
2009-03-25 00:37 . 2008-07-20 23:20 81984 ----a-w c:\windows\SYSTEM32\bdod.bin
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 20:30 . 2009-03-15 20:29 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 20:27 . 2007-08-08 02:02 -------- d-----w c:\program files\Bonjour
2009-03-15 20:25 . 2005-11-18 03:40 -------- d-----w c:\program files\QuickTime
2009-03-12 00:59 . 2009-03-12 00:59 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-03-11 10:50 . 2009-03-01 22:48 179927 ----a-w c:\windows\hpwins14.dat
2009-03-08 06:16 . 2009-03-08 06:11 -------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-03-08 06:11 . 2008-07-20 16:19 -------- d-----w c:\program files\BitDefender
2009-03-08 05:57 . 2007-02-16 01:08 -------- d-----w c:\program files\Symantec AntiVirus
2009-03-08 05:57 . 2003-11-12 01:26 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-06 14:22 . 2002-08-29 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-05 04:02 . 2009-03-05 04:01 594 ----a-w C:\updatedatfix.log
2009-03-05 04:02 . 2009-03-01 22:51 -------- d-----w c:\program files\HP
2009-03-05 02:02 . 2006-03-15 04:31 -------- d-----w c:\documents and settings\William Bailey\Application Data\ICAClient
2009-03-05 01:57 . 2005-03-16 22:19 -------- d-----w c:\program files\Citrix
2009-03-05 01:53 . 2008-07-16 02:02 -------- d-----w c:\documents and settings\William Bailey\Application Data\Juniper Networks
2009-03-05 01:53 . 2009-03-05 01:53 -------- d-----w c:\program files\Juniper Networks
2009-03-04 02:37 . 2009-02-18 02:50 15688 ----a-w c:\windows\SYSTEM32\lsdelete.exe
2009-03-04 00:55 . 2009-03-04 00:27 -------- d-----w c:\documents and settings\All Users\Application Data\ATTToolbar
2009-03-04 00:30 . 2009-03-04 00:27 -------- d-----w c:\documents and settings\William Bailey\Application Data\ATTToolbar
2009-03-04 00:27 . 2007-01-04 00:56 -------- d-----w c:\program files\Common Files\Motive
2009-03-04 00:27 . 2009-03-04 00:27 -------- d-----w c:\program files\ATTToolbar
2009-03-04 00:25 . 2009-03-03 23:56 -------- d-----w c:\documents and settings\William Bailey\Application Data\Motive
2009-03-03 23:56 . 2009-03-03 23:56 -------- d-----w c:\program files\ATT-HSI
2009-03-03 00:18 . 2006-05-10 05:23 826368 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-01 22:57 . 2009-03-01 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-01 22:55 . 2009-03-01 22:55 -------- d-----w c:\program files\Common Files\HP
2009-03-01 22:55 . 2009-03-01 22:55 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-01 22:55 . 2009-03-01 22:55 -------- d-----w c:\program files\Hewlett-Packard
2009-03-01 22:54 . 2009-03-01 22:54 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-02-28 04:54 . 2006-10-17 17:04 636072 ----a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-26 03:14 . 2003-11-19 00:22 -------- d-----w c:\program files\Palm
2009-02-26 03:11 . 2008-10-23 01:01 -------- d-----w c:\program files\Windows Live
2009-02-25 04:55 . 2003-11-14 00:15 48336 -c--a-w c:\documents and settings\William Bailey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 03:55 . 2009-02-25 03:55 -------- d-----w c:\program files\MSBuild
2009-02-25 03:55 . 2009-02-25 03:55 -------- d-----w c:\program files\Reference Assemblies
2009-02-21 20:11 . 2009-02-21 20:11 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-02-21 20:06 . 2008-11-15 05:51 -------- d-----w c:\program files\ATI Technologies
2009-02-20 10:20 . 2007-05-09 12:47 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 08:26 70656 ----a-w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 08:25 161792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-20 01:35 . 2003-11-15 06:46 -------- d-----w c:\program files\Google
2009-02-18 02:35 . 2009-02-18 02:36 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-18 02:35 . 2009-02-18 02:35 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-18 02:34 . 2006-03-15 01:37 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-18 02:19 . 2008-08-15 12:47 -------- d-----w c:\program files\Disney Interactive
2009-02-18 02:19 . 2003-11-12 01:22 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-11 01:58 . 2004-03-05 01:21 48336 -c--a-w c:\documents and settings\William Bailey\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2002-08-29 11:00 729088 ------w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2004-04-14 23:27 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 11:00 714752 ------w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 11:00 617472 ------w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-15 11:28 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2002-08-29 11:00 1846784 ------w c:\windows\SYSTEM32\win32k.sys
2009-02-07 23:02 . 2008-10-15 11:27 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-29 11:00 110592 ------w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-15 11:27 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 11:27 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06 . 1980-01-01 06:00 2145280 ------w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-29 11:00 35328 ------w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:32 . 2008-10-15 11:27 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-06 10:32 . 1980-01-01 06:00 2023936 ------w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-04 07:27 . 2004-03-23 02:59 3488768 ----a-w c:\windows\SYSTEM32\DLLCACHE\ati2mtag.sys
2009-02-04 05:57 . 2008-10-29 02:10 11702272 ----a-w c:\windows\SYSTEM32\atioglxx.dll
2009-02-04 05:03 . 2008-10-29 01:18 290816 ----a-w c:\windows\SYSTEM32\atiok3x2.dll
2009-02-04 04:56 . 2008-10-29 02:23 442368 ----a-w c:\windows\SYSTEM32\ATIDEMGX.dll
2009-02-04 04:55 . 2008-11-15 04:52 324096 ----a-w c:\windows\SYSTEM32\ati2dvag.dll
2009-02-04 04:44 . 2008-10-29 02:11 196608 ----a-w c:\windows\SYSTEM32\atipdlxx.dll
2009-02-04 04:44 . 2008-10-29 02:11 155648 ----a-w c:\windows\SYSTEM32\Oemdspif.dll
2009-02-04 04:43 . 2001-08-20 20:07 26112 ----a-w c:\windows\SYSTEM32\Ati2mdxx.exe
2009-02-04 04:43 . 2008-10-29 02:11 43520 ----a-w c:\windows\SYSTEM32\ati2edxx.dll
2009-02-04 04:43 . 2008-10-29 02:10 155648 ----a-w c:\windows\SYSTEM32\ati2evxx.dll
2009-02-04 04:41 . 2008-10-29 02:09 602112 ----a-w c:\windows\SYSTEM32\ati2evxx.exe
2009-02-04 04:40 . 2008-10-29 02:07 53248 ----a-w c:\windows\SYSTEM32\ATIDDC.DLL
2009-02-04 04:30 . 2008-11-15 04:52 3884768 ----a-w c:\windows\SYSTEM32\ati3duag.dll
2009-02-04 04:14 . 2004-03-23 02:05 2645504 ----a-w c:\windows\SYSTEM32\ativvaxx.dll
2009-02-04 03:58 . 2008-10-29 01:25 49664 ----a-w c:\windows\SYSTEM32\amdpcom32.dll
2009-02-04 03:54 . 2008-10-29 01:21 471040 ----a-w c:\windows\SYSTEM32\atikvmag.dll
2009-02-04 03:53 . 2008-10-29 01:19 122880 ----a-w c:\windows\SYSTEM32\atiadlxx.dll
2008-02-08 02:46:38 . c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46:12 . c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46:20 . c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46:16 . c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46:56 . c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46:18 . c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46:36 . c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27:00 . c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27:00 . c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27:00 . c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47:44 . c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46:12 . c:\program files\mozilla firefox\plugins\TcpPServ.dll
2007-10-02 02:20 . 2007-10-02 02:17 24 --sh--w c:\windows\S128A3643.tmp
2006-05-03 09:06 . 2008-05-02 02:34 163328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2007-02-21 10:47 . 2008-05-02 02:34 31232 --sh--r c:\windows\SYSTEM32\msfDX.dll
2007-12-17 12:43 . 2008-05-02 02:34 27648 --sh--w c:\windows\SYSTEM32\Smab0.dll
2008-09-05 07:08 . 2008-09-05 07:08 32768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_21.50.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 03:04 . 2009-04-17 03:04 16384 c:\windows\Temp\Perflib_Perfdata_780.dat
+ 2003-11-12 01:06 . 2009-04-17 03:08 71732 c:\windows\SYSTEM32\PERFC009.DAT
- 2003-11-12 01:06 . 2009-04-16 21:49 71732 c:\windows\SYSTEM32\PERFC009.DAT
+ 2003-11-12 01:06 . 2009-04-17 03:08 442466 c:\windows\SYSTEM32\PERFH009.DAT
- 2003-11-12 01:06 . 2009-04-16 21:49 442466 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55999acd-9104-4023-b951-4864ebc5741e}]
c:\windows\system32\tazodavi.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\SYSTEM32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-07-18 33792]
"zBrowser Launcher"="c:\progra~1\Logitech\iTouch\iTouch.exe" [2002-11-23 631362]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"miwagijone"="c:\windows\system32\padamori.dll" [BU]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 5803368]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-11-11 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
TunnelGuard Tray Monitor.lnk - c:\windows\Installer\{5650A422-0789-473F-B2C7-6C3D10CC9FFB}\Icon079d381e2.exe [2006-3-14 8192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\fogizezu.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 15:10 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.XVID"= xvid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DwlClient"=c:\program files\Common Files\Dell\EUSW\Support.exe
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"DVDSentry"=c:\windows\System32\DSentry.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe"
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\Nortel Networks\\TunnelGuard\\CueAgent_srv.exe"=
"c:\\Program Files\\edutils\\acted4.exe"=
"c:\\Program Files\\Sprite Software\\Sprite Backup\\SpriteService.exe"=
"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\patchget.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"c:\\Program Files\\Taldren\\Starfleet Command II\\StarFleet2.exe"=
"c:\\Documents and Settings\\William Bailey\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3658:TCP"= 3658:TCP:eaGames 3658tcp
"3658:UDP"= 3658:UDP:eaGames 3658udp
"3659:TCP"= 3659:TCP:eaGames 3659tcp
"3659:UDP"= 3659:UDP:eaGames 3659udp
"10070:UDP"= 10070:UDP:eaGamesUDP10070
"10080:UDP"= 10080:UDP:eaGames upd10080
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 lkbdhlpr;Logitech Keyboard Class Helper Driver; [x]
R3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\DRIVERS\alcan5ln.sys [2002-07-31 36960]
R3 Inteaassmapp;Inteaassmapp;c:\windows\system32\drivers\ntfs.sys [2008-04-13 574976]
R3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2005-09-06 155184]
R3 jfdcd;jfdcd; [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-10 951632]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2002-11-08 14156]
R3 Rlb3350nicpt;Rlb3350nicpt; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-02-18 64160]
S1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\Drivers\NEOFLTR_600_13073.SYS [2008-04-30 64160]
S2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys [2006-06-30 3712]
S2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt 12.0.1\ArcNameService.exe [2008-05-23 157016]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2005-09-06 24521]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6112222a-b3ef-11dc-962c-444553544200}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/keylauncher/?code=3654261680814385

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D48g43BC-4266-43f0-B6ED-9D38C4202C7E}]
c:\program files\Common Files\mscd.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 13:09]

2009-04-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 02:36]

2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-04-13 c:\windows\Tasks\Norton Security Scan for William Bailey.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 00:20]

2009-04-16 c:\windows\Tasks\{3369583B-2D44-4868-A0C5-D926A8A45030}_BATCOMPUTER_William Bailey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]

2009-04-16 c:\windows\Tasks\{49247F9A-B104-4A5B-B0A9-6779CD9E75CE}_BATCOMPUTER_William Bailey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]

2009-03-27 c:\windows\Tasks\{82541F01-BAB9-4329-8F15-BEB05882A871}_BATCOMPUTER_William Bailey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: wachovia.com
Trusted Zone: wachovia.net
Trusted Zone: wachovia.com
Trusted Zone: wachovia.net
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: CIPRSNTL - hxxps://ciprs.wachovia.net/ciprsonline/src/CIPRSNTL.cab
DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 23:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1284)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3996)
c:\windows\system32\tabhook.dll
c:\progra~1\Logitech\iTouch\iTchHk.dll
.
Completion time: 2009-04-17 23:39
ComboFix-quarantined-files.txt 2009-04-17 03:39

Pre-Run: 16,718,553,088 bytes free
Post-Run: 16,705,413,120 bytes free

390 --- E O F --- 2009-04-15 02:45

#4 Target88

Posted 16 April 2009 - 10:51 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:19 PM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Logitech\iTouch\iTouch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\program files\lotus\notes\ntmulti.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Smith Micro\StuffIt 12.0.1\ArcNameService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.wachovia.net/auth.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: (no name) - {55999acd-9104-4023-b951-4864ebc5741e} - C:\WINDOWS\system32\tazodavi.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [miwagijone] Rundll32.exe "C:\WINDOWS\system32\padamori.dll",s
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\SYSTEM32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://theclonewars.cartoonnetwork.com/games/game_02_ext.html"
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.wachovia.net
O15 - Trusted Zone: *.wachovia.net (HKLM)
O16 - DPF: CIPRSNTL - https://ciprs.wachovia.net/ciprsonline/src/CIPRSNTL.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/17.17/uploader2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207801628328
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myed-nc.wachovia.com/dana-cached/se...perSetupSP1.cab
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fogizezu.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\lotus\notes\ntmulti.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt 12.0.1\ArcNameService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe

--
End of file - 15693 bytes

#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 16 April 2009 - 10:54 PM

I see a lot of antivirus entries on the computer.. Tell me, how many antivirus programs does that computer have? Please uninstall all of them (except one).. Just use only one antivirus for each computer..

Please report back to me after you successfully uninstall all antivirus programs and leave only one running on the computer :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#6 Target88

Target88
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 16 April 2009 - 11:15 PM

Removed:

Spybot
Ad-Aware
Avira
Trend Micro
CBOClean

#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 16 April 2009 - 11:21 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
jfdcd
Rlb3350nicpt

File::
c:\windows\S128A3643.tmp
c:\windows\SYSTEM32\zuyajera.exe
c:\windows\SYSTEM32\regoyivu.exe
c:\windows\SYSTEM32\nabukeyu.exe
c:\windows\SYSTEM32\wuyamoba.exe
c:\windows\system32\tazodavi.dll 
c:\windows\system32\padamori.dll
c:\windows\system32\fogizezu.dll

Folder::
c:\program files\Coupons

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55999acd-9104-4023-b951-4864ebc5741e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"miwagijone"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6112222a-b3ef-11dc-962c-444553544200}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.txt being dragged onto ComboFix.exe]


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by fenzodahl512, 16 April 2009 - 11:21 PM.

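A small triage script, added here as an example and not part of HijackThis, ComboFix or the helper's post: it parses the O4 (Run) and O22 (SharedTaskScheduler) lines of a HijackThis log, flags the two Vundo persistence patterns visible in the log above (a Run value that loads an eight-letter system32 DLL through Rundll32, and a SharedTaskScheduler CLSID pointing at such a DLL, here also reported as "file missing"), and renders the hits as File:: and Registry:: stanzas in CFScript syntax so they can be checked against the script the helper wrote. The sample log lines are constructed from this thread, the function names are mine, and the eight-letter-name rule is a triage heuristic, not proof of infection.

```python
"""
Triage helper for HijackThis logs: an added example for this thread, not part
of HijackThis, ComboFix or the helper's post.  It pulls O4 (Run) and O22
(SharedTaskScheduler) entries out of a log, flags the two Vundo persistence
patterns visible in the log above, and renders them as File:: / Registry::
stanzas in CFScript syntax for comparison with the script the helper wrote.
The eight-letter-DLL rule is a heuristic for triage, not proof of infection.
"""
import re

# Constructed sample: lines copied from the HijackThis log in this thread,
# with legitimate entries included so the filter has something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [miwagijone] Rundll32.exe "C:\WINDOWS\system32\padamori.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fogizezu.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# O4 lines: "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command> (User '...')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# O22 lines: "O22 - SharedTaskScheduler: <desc> - {CLSID} - <dll path> (file missing)?"
O22_RE = re.compile(
    r"^O22 - SharedTaskScheduler: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# A command that hands a DLL to rundll32, quoted or not.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
# Vundo's droppings in this log are all eight-letter, digit-free DLL names in
# system32 (padamori, fogizezu, tazodavi, jiwofehu): a pattern worth a manual check.
SYSTEM32_DLL_RE = re.compile(r"\\system32\\(?P<base>[a-z]{8})\.dll$", re.IGNORECASE)

HIVE_ROOT = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_entries(text):
    """Return the O4 and O22 entries of a HijackThis log as a list of dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", **m.groupdict()})
            continue
        m = O22_RE.match(line)
        if m:
            d = m.groupdict()
            d["missing"] = d["missing"] is not None
            entries.append({"type": "O22", **d})
    return entries


def flag_vundo(entries):
    """Flag Run values that load a system32 DLL via rundll32, and SharedTaskScheduler
    CLSIDs that point at such a DLL (or at a DLL HijackThis reports as missing)."""
    findings = []
    for e in entries:
        if e["type"] == "O4":
            m = RUNDLL_RE.search(e["cmd"])
            if m and SYSTEM32_DLL_RE.search(m.group("dll")):
                findings.append({"reason": "Run value loads a system32 DLL through rundll32",
                                 "hive": e["hive"], "key": e["key"],
                                 "name": e["name"], "dll": m.group("dll")})
        elif e["type"] == "O22":
            if SYSTEM32_DLL_RE.search(e["path"]) or e["missing"]:
                findings.append({"reason": "SharedTaskScheduler CLSID points at a system32 DLL"
                                 + (" (file missing)" if e["missing"] else ""),
                                 "clsid": e["clsid"], "dll": e["path"]})
    return findings


def to_cfscript(findings):
    """Render the findings as File:: and Registry:: stanzas in CFScript syntax.
    Run values under HKUS\\<SID> are listed under File:: only; picking the right
    user hive for their registry line is left to the analyst."""
    files, regs = [], []
    for f in findings:
        files.append(f["dll"].lower())
        if "clsid" in f:
            regs.append(r"[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]")
            regs.append('"%s"=-' % f["clsid"])
        elif f["hive"] in HIVE_ROOT:
            regs.append(r"[%s\SOFTWARE\Microsoft\Windows\CurrentVersion\%s]" % (HIVE_ROOT[f["hive"]], f["key"]))
            regs.append('"%s"=-' % f["name"])
    return "\n".join(["File::"] + sorted(set(files)) + ["", "Registry::"] + regs) + "\n"


if __name__ == "__main__":
    found = flag_vundo(parse_entries(SAMPLE_LOG))
    for f in found:
        print("FLAG:", f["reason"], "->", f["dll"])
    print(to_cfscript(found))
```

Run against the full log above, the script reproduces the padamori.dll, fogizezu.dll, "miwagijone" and SharedTaskScheduler lines of the helper's CFScript; the other File:: entries (the random-named .exe files and tazodavi.dll) come from the ComboFix report, not from HijackThis, and still need the analyst's eye.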


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 16 April 2009 - 11:22 PM

Take note that I just edited my script above :thumbup2:



#9 Target88

Target88
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 16 April 2009 - 11:51 PM

ComboFix 09-04-17.01 - William Bailey 04/17/2009 0:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.598 [GMT -4:00]
Running from: c:\documents and settings\William Bailey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\William Bailey\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\S128A3643.tmp
c:\windows\system32\fogizezu.dll
c:\windows\SYSTEM32\nabukeyu.exe
c:\windows\system32\padamori.dll
c:\windows\SYSTEM32\regoyivu.exe
c:\windows\system32\tazodavi.dll
c:\windows\SYSTEM32\wuyamoba.exe
c:\windows\SYSTEM32\zuyajera.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Coupons
c:\program files\Coupons\uninstall.exe
c:\windows\SYSTEM32\nabukeyu.exe
c:\windows\SYSTEM32\regoyivu.exe
c:\windows\SYSTEM32\wuyamoba.exe
c:\windows\SYSTEM32\zuyajera.exe
c:\windows\S128A3643.tmp . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JFDCD
-------\Legacy_RLB3350NICPT
-------\Service_jfdcd
-------\Service_Rlb3350nicpt


((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
.

2009-04-17 04:34 . 2009-04-17 04:34 0 ------w c:\windows\S128A3643.tmp
2009-04-15 02:37 . 2009-04-15 02:45 1374 ----a-w c:\windows\imsins.BAK
2009-04-15 01:57 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 01:57 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 01:57 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 01:57 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 01:57 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 01:57 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 01:57 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 01:57 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 01:57 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 01:57 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 01:56 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 01:56 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 01:56 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 06:02 . 2008-04-14 00:12 22528 ----a-w c:\windows\system32\wsock32.dlb
2009-04-14 06:02 . 2008-07-14 09:09 205560 ----a-w c:\windows\UNBOC.EXE
2009-04-14 06:02 . 2008-07-14 09:09 212728 ----a-w c:\windows\CMDLIC.DLL
2009-04-14 06:02 . 2009-04-17 03:08 -------- d-----w c:\program files\Comodo
2009-04-14 05:25 . 2009-04-14 05:25 -------- d-----w C:\VundoFix Backups
2009-04-14 02:01 . 2009-04-14 03:05 -------- d-----w C:\c2dfc0a44bb50409c97ba1
2009-04-13 22:30 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-12 06:12 . 2009-04-12 06:12 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-04-12 06:12 . 2009-04-13 03:14 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-10 01:46 . 2009-04-10 01:47 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-03-24 16:47 . 2009-03-24 19:47 359 ----a-w c:\windows\system32\BDUpdateV1.xml
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-20 18:50 . 2009-03-20 18:50 3358720 ----a-w c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 04:12 . 2006-03-15 03:54 -------- d-----w c:\program files\Trend Micro
2009-04-17 03:54 . 2008-02-10 06:20 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-17 03:54 . 2003-11-22 03:07 -------- d-----w c:\program files\Lavasoft
2009-04-17 03:03 . 2009-02-18 04:31 28444 ----a-w C:\aaw7boot.log
2009-04-16 21:52 . 2008-11-25 13:00 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-16 21:52 . 2003-11-22 03:34 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-15 02:37 . 2003-11-19 04:19 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-15 01:49 . 2006-03-07 02:02 1908 ----a-w C:\VundoFix.txt
2009-04-12 22:03 . 2003-11-12 01:26 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-12 22:00 . 2008-12-23 23:49 -------- d-----w c:\program files\Norton Security Scan
2009-04-10 01:47 . 2006-10-16 01:10 -------- d-----w c:\program files\iTunes
2009-04-10 01:46 . 2005-06-15 00:42 -------- d-----w c:\program files\iPod
2009-04-10 01:46 . 2007-07-10 03:47 -------- d-----w c:\program files\Common Files\Apple
2009-04-03 01:11 . 2008-03-09 23:02 -------- d-----w c:\program files\TuneUp Utilities 2008
2009-04-01 04:59 . 2007-08-23 01:11 -------- d-----w c:\documents and settings\William Bailey\Application Data\Azureus
2009-03-25 00:39 . 2008-07-20 16:16 -------- d-----w c:\program files\Common Files\BitDefender
2009-03-25 00:37 . 2008-07-20 23:20 81984 ----a-w c:\windows\SYSTEM32\bdod.bin
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 20:30 . 2009-03-15 20:29 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 20:27 . 2007-08-08 02:02 -------- d-----w c:\program files\Bonjour
2009-03-15 20:25 . 2005-11-18 03:40 -------- d-----w c:\program files\QuickTime
2009-03-12 00:59 . 2009-03-12 00:59 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-03-11 10:50 . 2009-03-01 22:48 179927 ----a-w c:\windows\hpwins14.dat
2009-03-08 06:16 . 2009-03-08 06:11 -------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-03-08 06:11 . 2008-07-20 16:19 -------- d-----w c:\program files\BitDefender
2009-03-08 05:57 . 2007-02-16 01:08 -------- d-----w c:\program files\Symantec AntiVirus
2009-03-08 05:57 . 2003-11-12 01:26 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-06 14:22 . 2002-08-29 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-05 04:02 . 2009-03-05 04:01 594 ----a-w C:\updatedatfix.log
2009-03-05 04:02 . 2009-03-01 22:51 -------- d-----w c:\program files\HP
2009-03-05 02:02 . 2006-03-15 04:31 -------- d-----w c:\documents and settings\William Bailey\Application Data\ICAClient
2009-03-05 01:57 . 2005-03-16 22:19 -------- d-----w c:\program files\Citrix
2009-03-05 01:53 . 2008-07-16 02:02 -------- d-----w c:\documents and settings\William Bailey\Application Data\Juniper Networks
2009-03-05 01:53 . 2009-03-05 01:53 -------- d-----w c:\program files\Juniper Networks
2009-03-04 00:55 . 2009-03-04 00:27 -------- d-----w c:\documents and settings\All Users\Application Data\ATTToolbar
2009-03-04 00:30 . 2009-03-04 00:27 -------- d-----w c:\documents and settings\William Bailey\Application Data\ATTToolbar
2009-03-04 00:27 . 2007-01-04 00:56 -------- d-----w c:\program files\Common Files\Motive
2009-03-04 00:27 . 2009-03-04 00:27 -------- d-----w c:\program files\ATTToolbar
2009-03-04 00:25 . 2009-03-03 23:56 -------- d-----w c:\documents and settings\William Bailey\Application Data\Motive
2009-03-03 23:56 . 2009-03-03 23:56 -------- d-----w c:\program files\ATT-HSI
2009-03-03 00:18 . 2006-05-10 05:23 826368 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-01 22:57 . 2009-03-01 22:57 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-01 22:55 . 2009-03-01 22:55 -------- d-----w c:\program files\Common Files\HP
2009-03-01 22:55 . 2009-03-01 22:55 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-01 22:55 . 2009-03-01 22:55 -------- d-----w c:\program files\Hewlett-Packard
2009-03-01 22:54 . 2009-03-01 22:54 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-02-28 04:54 . 2006-10-17 17:04 636072 ----a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-26 03:14 . 2003-11-19 00:22 -------- d-----w c:\program files\Palm
2009-02-26 03:11 . 2008-10-23 01:01 -------- d-----w c:\program files\Windows Live
2009-02-25 04:55 . 2003-11-14 00:15 48336 -c--a-w c:\documents and settings\William Bailey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 03:55 . 2009-02-25 03:55 -------- d-----w c:\program files\MSBuild
2009-02-25 03:55 . 2009-02-25 03:55 -------- d-----w c:\program files\Reference Assemblies
2009-02-21 20:11 . 2009-02-21 20:11 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-02-21 20:06 . 2008-11-15 05:51 -------- d-----w c:\program files\ATI Technologies
2009-02-20 10:20 . 2007-05-09 12:47 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2006-11-07 08:26 70656 ----a-w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2006-11-07 08:25 161792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-20 01:35 . 2003-11-15 06:46 -------- d-----w c:\program files\Google
2009-02-18 02:35 . 2009-02-18 02:36 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-18 02:34 . 2006-03-15 01:37 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-18 02:19 . 2008-08-15 12:47 -------- d-----w c:\program files\Disney Interactive
2009-02-18 02:19 . 2003-11-12 01:22 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-11 01:58 . 2004-03-05 01:21 48336 -c--a-w c:\documents and settings\William Bailey\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 12:10 . 2002-08-29 11:00 729088 ------w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2004-04-14 23:27 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 11:00 714752 ------w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 11:00 617472 ------w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-15 11:28 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2002-08-29 11:00 1846784 ------w c:\windows\SYSTEM32\win32k.sys
2009-02-07 23:02 . 2008-10-15 11:27 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-29 11:00 110592 ------w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-15 11:27 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 11:27 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 11:06 . 1980-01-01 06:00 2145280 ------w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-29 11:00 35328 ------w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:32 . 2008-10-15 11:27 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-06 10:32 . 1980-01-01 06:00 2023936 ------w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-04 07:27 . 2004-03-23 02:59 3488768 ----a-w c:\windows\SYSTEM32\DLLCACHE\ati2mtag.sys
2009-02-04 05:57 . 2008-10-29 02:10 11702272 ----a-w c:\windows\SYSTEM32\atioglxx.dll
2009-02-04 05:03 . 2008-10-29 01:18 290816 ----a-w c:\windows\SYSTEM32\atiok3x2.dll
2009-02-04 04:56 . 2008-10-29 02:23 442368 ----a-w c:\windows\SYSTEM32\ATIDEMGX.dll
2009-02-04 04:55 . 2008-11-15 04:52 324096 ----a-w c:\windows\SYSTEM32\ati2dvag.dll
2009-02-04 04:44 . 2008-10-29 02:11 196608 ----a-w c:\windows\SYSTEM32\atipdlxx.dll
2009-02-04 04:44 . 2008-10-29 02:11 155648 ----a-w c:\windows\SYSTEM32\Oemdspif.dll
2009-02-04 04:43 . 2001-08-20 20:07 26112 ----a-w c:\windows\SYSTEM32\Ati2mdxx.exe
2009-02-04 04:43 . 2008-10-29 02:11 43520 ----a-w c:\windows\SYSTEM32\ati2edxx.dll
2009-02-04 04:43 . 2008-10-29 02:10 155648 ----a-w c:\windows\SYSTEM32\ati2evxx.dll
2009-02-04 04:41 . 2008-10-29 02:09 602112 ----a-w c:\windows\SYSTEM32\ati2evxx.exe
2009-02-04 04:40 . 2008-10-29 02:07 53248 ----a-w c:\windows\SYSTEM32\ATIDDC.DLL
2009-02-04 04:30 . 2008-11-15 04:52 3884768 ----a-w c:\windows\SYSTEM32\ati3duag.dll
2009-02-04 04:14 . 2004-03-23 02:05 2645504 ----a-w c:\windows\SYSTEM32\ativvaxx.dll
2009-02-04 03:58 . 2008-10-29 01:25 49664 ----a-w c:\windows\SYSTEM32\amdpcom32.dll
2009-02-04 03:54 . 2008-10-29 01:21 471040 ----a-w c:\windows\SYSTEM32\atikvmag.dll
2009-02-04 03:53 . 2008-10-29 01:19 122880 ----a-w c:\windows\SYSTEM32\atiadlxx.dll
2009-02-04 03:52 . 2008-10-29 01:19 17408 ----a-w c:\windows\SYSTEM32\atitvo32.dll
2009-02-04 03:46 . 2004-03-23 01:45 626688 ----a-w c:\windows\SYSTEM32\ati2cqag.dll
2009-02-04 03:44 . 2002-01-11 02:50 307200 ----a-w c:\windows\SYSTEM32\atiiiexx.dll
2009-02-04 02:43 . 2009-02-04 02:43 45056 ----a-w c:\windows\SYSTEM32\aticalrt.dll
2009-02-04 02:42 . 2009-02-04 02:42 45056 ----a-w c:\windows\SYSTEM32\aticalcl.dll
2008-02-08 02:46:38 . c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46:12 . c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46:20 . c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46:16 . c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46:56 . c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46:18 . c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46:36 . c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27:00 . c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27:00 . c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27:00 . c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47:44 . c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46:12 . c:\program files\mozilla firefox\plugins\TcpPServ.dll
2006-05-03 09:06 . 2008-05-02 02:34 163328 --sh--r c:\windows\SYSTEM32\flvDX.dll
2007-02-21 10:47 . 2008-05-02 02:34 31232 --sh--r c:\windows\SYSTEM32\msfDX.dll
2007-12-17 12:43 . 2008-05-02 02:34 27648 --sh--w c:\windows\SYSTEM32\Smab0.dll
2008-09-05 07:08 . 2008-09-05 07:08 32768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-16_21.50.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-17 04:34 . 2009-04-17 04:34 16384 c:\windows\Temp\Perflib_Perfdata_624.dat
+ 2003-11-12 01:06 . 2009-04-17 04:17 71732 c:\windows\SYSTEM32\PERFC009.DAT
- 2003-11-12 01:06 . 2009-04-16 21:49 71732 c:\windows\SYSTEM32\PERFC009.DAT
+ 2003-11-12 01:06 . 2009-04-17 04:17 442466 c:\windows\SYSTEM32\PERFH009.DAT
- 2003-11-12 01:06 . 2009-04-16 21:49 442466 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\SYSTEM32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2000-07-18 33792]
"zBrowser Launcher"="c:\progra~1\Logitech\iTouch\iTouch.exe" [2002-11-23 631362]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 5803368]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-11-11 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
TunnelGuard Tray Monitor.lnk - c:\windows\Installer\{5650A422-0789-473F-B2C7-6C3D10CC9FFB}\Icon079d381e2.exe [2006-3-14 8192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 15:10 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.XVID"= xvid.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DwlClient"=c:\program files\Common Files\Dell\EUSW\Support.exe
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"DVDSentry"=c:\windows\System32\DSentry.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe"
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\Nortel Networks\\TunnelGuard\\CueAgent_srv.exe"=
"c:\\Program Files\\edutils\\acted4.exe"=
"c:\\Program Files\\Sprite Software\\Sprite Backup\\SpriteService.exe"=
"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\patchget.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\j2re1.4.2\\bin\\javaw.exe"=
"c:\\Program Files\\Taldren\\Starfleet Command II\\StarFleet2.exe"=
"c:\\Documents and Settings\\William Bailey\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3658:TCP"= 3658:TCP:eaGames 3658tcp
"3658:UDP"= 3658:UDP:eaGames 3658udp
"3659:TCP"= 3659:TCP:eaGames 3659tcp
"3659:UDP"= 3659:UDP:eaGames 3659udp
"10070:UDP"= 10070:UDP:eaGamesUDP10070
"10080:UDP"= 10080:UDP:eaGames upd10080
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 lkbdhlpr;Logitech Keyboard Class Helper Driver; [x]
R3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\DRIVERS\alcan5ln.sys [2002-07-31 36960]
R3 Inteaassmapp;Inteaassmapp;c:\windows\system32\drivers\ntfs.sys [2008-04-13 574976]
R3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2005-09-06 155184]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2002-11-08 14156]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-02-18 64160]
S1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\Drivers\NEOFLTR_600_13073.SYS [2008-04-30 64160]
S2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys [2006-06-30 3712]
S2 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt 12.0.1\ArcNameService.exe [2008-05-23 157016]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2005-09-06 24521]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D48g43BC-4266-43f0-B6ED-9D38C4202C7E}]
c:\program files\Common Files\mscd.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 13:09]

2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-04-13 c:\windows\Tasks\Norton Security Scan for William Bailey.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 00:20]

2009-04-16 c:\windows\Tasks\{3369583B-2D44-4868-A0C5-D926A8A45030}_BATCOMPUTER_William Bailey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]

2009-04-16 c:\windows\Tasks\{49247F9A-B104-4A5B-B0A9-6779CD9E75CE}_BATCOMPUTER_William Bailey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]

2009-03-27 c:\windows\Tasks\{82541F01-BAB9-4329-8F15-BEB05882A871}_BATCOMPUTER_William Bailey.job
- c:\windows\system32\mobsync.exe [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: wachovia.com
Trusted Zone: wachovia.net
Trusted Zone: wachovia.com
Trusted Zone: wachovia.net
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: CIPRSNTL - hxxps://ciprs.wachovia.net/ciprsonline/src/CIPRSNTL.cab
DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 00:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1276)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2556)
c:\windows\system32\tabhook.dll
c:\progra~1\Logitech\iTouch\iTchHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\lotus\notes\ntmulti.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\SYSTEM32\PSIService.exe
c:\windows\SYSTEM32\Tablet.exe
c:\program files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2009-04-17 0:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-17 04:44
ComboFix2.txt 2009-04-17 03:39

Pre-Run: 17,102,884,864 bytes free
Post-Run: 17,099,141,120 bytes free

407 --- E O F --- 2009-04-15 02:45

#10 Target88

Target88
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 16 April 2009 - 11:52 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:45 AM, on 4/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Logitech\iTouch\iTouch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\program files\lotus\notes\ntmulti.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Smith Micro\StuffIt 12.0.1\ArcNameService.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.wachovia.net/auth.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\SYSTEM32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://theclonewars.cartoonnetwork.com/games/game_02_ext.html"
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.wachovia.net
O15 - Trusted Zone: *.wachovia.net (HKLM)
O16 - DPF: CIPRSNTL - https://ciprs.wachovia.net/ciprsonline/src/CIPRSNTL.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/17.17/uploader2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207801628328
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://myed-nc.wachovia.com/dana-cached/se...perSetupSP1.cab
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Standar...aller_4-2-0.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\lotus\notes\ntmulti.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt 12.0.1\ArcNameService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe

--
End of file - 14538 bytes

#11 Target88

Target88
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 16 April 2009 - 11:55 PM

I took note...

YOU'RE AWESOME! This is matrix stuff to me.

Just give me the blue pill and let me think my world is real.

Edited by Target88, 17 April 2009 - 12:02 AM.


#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 17 April 2009 - 01:21 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 Target88

Target88
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 17 April 2009 - 11:21 PM

Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600 Service Pack 3

4/18/2009 12:16:21 AM
mbam-log-2009-04-18 (00-16-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 284442
Time elapsed: 59 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Fonts\AquilineTwo.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\jane_austen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\wade.zip (Worm.Archive) -> Quarantined and deleted successfully.

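The MBAM log above is the kind of report a helper reads by eye; the following is an added example, not code from this thread or from Malwarebytes, showing how the same log can be parsed into structured findings so the summary counts can be checked against the itemised sections and any item that was not actually quarantined can be pulled out. The sample log is constructed from the lines posted above (trimmed to the sections that matter), and the line format the parser assumes is inferred from that one log rather than from any documented MBAM specification.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.

Added example, not code from the thread or from Malwarebytes. The line format
below is an assumption inferred from the single log posted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample, built from the log lines in the post above and trimmed
# to the sections needed here (the omitted categories all reported 0 items).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 284442
Time elapsed: 59 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Fonts\AquilineTwo.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\jane_austen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\wade.zip (Worm.Archive) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    category: str   # section header the item appeared under
    item: str       # file path or registry value
    detection: str  # detection name in parentheses, e.g. Worm.Archive
    action: str     # text after the last "->", e.g. the quarantine result


# "Files Infected: 3"  -> summary count line
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "Files Infected:"    -> section header introducing itemised lines
HEADER_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
# "<item> (<detection>) -> <rest>"; <rest> may itself contain further "->"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return (summary counts by category, list of Finding) for an MBAM log."""
    summary, findings, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["cat"]] = int(m["n"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["cat"]
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            # The action is whatever follows the final arrow; registry data
            # items carry a "Bad: (..) Good: (..)" segment before it.
            action = m["rest"].rsplit("->", 1)[-1].strip()
            findings.append(Finding(current, m["item"], m["det"], action))
    return summary, findings


def check_summary(summary, findings):
    """Map category -> (reported, itemised) for every category whose counts differ."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return {cat: (n, counts.get(cat, 0))
            for cat, n in summary.items() if counts.get(cat, 0) != n}


def unresolved(findings):
    """Findings whose recorded action is not a successful quarantine and delete."""
    return [f for f in findings
            if not f.action.startswith("Quarantined and deleted successfully")]


def registry_tampering(findings):
    """Registry data items: settings changed by the malware rather than files it dropped."""
    return [f for f in findings if f.category == "Registry Data Items Infected"]


if __name__ == "__main__":
    s, f = parse_mbam_log(SAMPLE_LOG)
    print("summary mismatches:", check_summary(s, f))
    print("unresolved:", [x.item for x in unresolved(f)])
    print("registry settings touched:", [x.item for x in registry_tampering(f)])
```

The `registry_tampering` view is the one worth reading first when reviewing a log like this: the `UpdatesDisableNotify` entry under Security Center is a setting the infection changed to silence update warnings, so even after MBAM resets it, confirming that Security Center notifications are back on is a reasonable follow-up check.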
#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 17 April 2009 - 11:27 PM

Let's do one more scan to make sure we get them all..


Please do this step before you sleep or when you don't use the computer as it will take quite a while..

Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



How's the computer now? :thumbup2:



#15 Target88

Target88
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:02:24 AM

Posted 17 April 2009 - 11:56 PM

Thank you.
Thank you.
Thank you.

Running great!! Your directions and help have been spot on!

No dragging, no weirdness, no pop ups.


I am starting the Kaspersky after this post.



