need help removing core.cache.dsk


  • This topic is locked
14 replies to this topic

#1 jwlight


  • Members
  • 6 posts

Posted 21 April 2009 - 11:52 AM

Thanks in advance for any input.

Hope this has the info needed.


DDS (Ver_09-03-16.01) - NTFSx86
Run by jwalker at 12:39:57.98 on Tue 04/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1648 [GMT -4:00]

AV: Sunbelt VIPRE *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\jwalker\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SBAMTray] c:\program files\sunbelt software\sbeagent\SBAMTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206985169699
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL

============= SERVICES / DRIVERS ===============

R0 DF2K;UltraBac Locked File Backup Driver;c:\windows\system32\drivers\df2k.sys [2006-8-17 135381]
R1 drvnddmm;drvnddmm;c:\windows\system32\drivers\drvnddmm.sys [2008-3-24 86016]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-1-7 202928]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2009-3-18 894248]
S2 Cadence License Manager;Cadence License Manager;c:\orcad\license_manager\lmgrd.exe [2007-9-21 608768]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2007-7-27 320384]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-22 92464]
S3 UBMS;UltraBac Management Service;"c:\program files\ultrabac software\ultrabac8\ubms.exe" --> c:\program files\ultrabac software\ultrabac8\ubms.exe [?]

=============== Created Last 30 ================

2009-04-21 12:02 <DIR> --d----- c:\program files\Trend Micro
2009-04-21 11:39 <DIR> --d----- c:\temp\tn3
2009-04-20 15:27 167,976 -------- c:\windows\system32\drivers\core.cache.dsk
2009-04-20 15:21 <DIR> a-dshr-- C:\cmdcons
2009-04-20 15:20 161,792 a------- c:\windows\SWREG.exe
2009-04-20 15:20 98,816 a------- c:\windows\sed.exe
2009-04-20 10:39 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-20 10:39 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-20 10:39 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-20 10:39 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-20 10:39 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-20 10:39 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-20 10:39 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-20 10:39 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-20 10:39 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-20 10:38 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-20 10:38 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-20 10:38 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-03-27 12:39 21,648 a------- c:\windows\system\CTL3DV2.DLL
2009-03-27 12:39 <DIR> --d----- C:\FORD

==================== Find3M ====================

2009-03-18 06:00 65,320 a------- c:\windows\system32\sbbd.exe
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2005-07-29 17:24 472 a--shr-- c:\windows\qwrtaw4\kqlQuqb.vbs
2008-12-08 11:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120820081209\index.dat

============= FINISH: 12:40:12.18 ===============


#2 syler


  • Malware Response Team
  • 8,150 posts

Posted 22 April 2009 - 02:52 PM

Hi jwlight,

My name is Syler and I will be helping you to clean your computer, please give me some time
to look over your logs and I will get back to you as soon as possible.

Thanks



#3 syler


  • Malware Response Team
  • 8,150 posts

Posted 22 April 2009 - 05:45 PM

Hi jwlight

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


Before you do any of the next step you need to temporarily disable the TeaTimer protection in spybot, as it may
stop the tools we use from doing their job.

To disable Teatimer, open Spybot and click on the Mode tab and select Advanced mode.
It will ask you if you're sure you want to go into advanced mode, select yes.
Now go to tools and click on the resident tab.
Uncheck the box that says "Resident "TeaTimer" (Protection of over-all system settings) active".
Then close Spybot and reboot your computer.

Next

We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Next

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please post back here with:
  • ComboFix.txt
  • MBAM report
  • Both Rsit logs
Thanks
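The identification in the reply above rests on reading the DDS listing from the first post. As an added example (not from this thread, and not DDS's own logic), the following Python parses those "Created Last 30" / "Find3M" entry lines and applies two assumed triage heuristics that surface the entries a helper would query: a non-.sys file in the kernel driver directory, and a hidden+system script or executable. The sample lines are a constructed subset of the log above; the function names and the heuristics are assumptions, and a hit means "look closer", not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the DDS "Created Last 30" and "Find3M"
# lines from the first post. Each entry is: date time size-or-<DIR> attrs path.
SAMPLE_DDS = """\
=============== Created Last 30 ================

2009-04-21 12:02 <DIR> --d----- c:\\program files\\Trend Micro
2009-04-20 15:27 167,976 -------- c:\\windows\\system32\\drivers\\core.cache.dsk
2009-04-20 15:20 161,792 a------- c:\\windows\\SWREG.exe
2009-04-20 10:39 729,088 -c------ c:\\windows\\system32\\dllcache\\lsasrv.dll
2009-03-27 12:39 21,648 a------- c:\\windows\\system\\CTL3DV2.DLL

==================== Find3M ====================

2009-02-09 08:10 714,752 a------- c:\\windows\\system32\\ntdll.dll
2005-07-29 17:24 472 a--shr-- c:\\windows\\qwrtaw4\\kqlQuqb.vbs
2008-12-08 11:36 32,768 a--sh--- c:\\windows\\system32\\config\\systemprofile\\local settings\\history\\history.ie5\\mshist012008120820081209\\index.dat
"""

# One DDS file entry: ISO date, HH:MM, a comma-grouped size or <DIR>,
# an 8-character attribute string (a=archive, c=compressed, d=directory,
# s=system, h=hidden, r=read-only), then the path.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d[\d,]*|<DIR>) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Extensions that carry code; data files (index.dat, .ini) are deliberately
# excluded because Windows legitimately marks some of them hidden+system.
ACTIVE_EXTS = {".exe", ".dll", ".sys", ".vbs", ".js", ".bat", ".cmd", ".scr", ".com", ".pif"}


def parse_dds_entries(text: str) -> List[Dict[str, object]]:
    """Parse file entries from the DDS listing; headers and blank lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append({
            "created": f"{m.group('date')} {m.group('time')}",
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def triage_dds(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs that match the two assumed triage heuristics."""
    findings: List[Tuple[str, str]] = []
    for e in parse_dds_entries(text):
        if e["is_dir"]:
            continue
        path = str(e["path"])
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        attrs = str(e["attrs"])
        # Heuristic 1: anything other than a .sys file living in the
        # kernel driver directory (this is what core.cache.dsk trips).
        if "\\system32\\drivers\\" in lower and ext != ".sys":
            findings.append((path, "non-.sys file in system32\\drivers"))
        # Heuristic 2: code files carrying both hidden and system attributes,
        # which legitimate scripts and executables rarely need.
        elif "h" in attrs and "s" in attrs and ext in ACTIVE_EXTS:
            findings.append((path, "hidden+system executable/script"))
    return findings


if __name__ == "__main__":
    for hit_path, reason in triage_dds(SAMPLE_DDS):
        print(f"{reason}: {hit_path}")
```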



#4 syler


  • Malware Response Team
  • 8,150 posts

Posted 25 April 2009 - 01:02 PM

Hi jwlight, can you let me know if you still require my help?



#5 jwlight

  • Topic Starter

  • Members
  • 6 posts

Posted 27 April 2009 - 07:39 AM

I think it's better now. I can run scandisk and defrag now and no explorer pop ups.
Do you think I need to do anything else?

Logfile of random's system information tool 1.06 (written by random/random)
Run by jwalker at 2009-04-23 15:37:31
Microsoft Windows XP Professional Service Pack 3
System drive C: has 131 GB (86%) free of 153 GB
Total RAM: 2046 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:44 PM, on 4/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\mstsc.exe
C:\Documents and Settings\jwalker\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\jwalker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206985169699
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.lightwave.com
O17 - HKLM\Software\..\Telephony: DomainName = corporate.lightwave.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.lightwave.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = corporate.lightwave.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cadence License Manager - GLOBEtrotter Software Inc. - C:\OrCAD\license_manager\lmgrd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VIPRE Enterprise Agent (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
O23 - Service: UltraBac Management Service (UBMS) - Unknown owner - C:\Program Files\UltraBac Software\UltraBac8\ubms.exe (file missing)

--
End of file - 5834 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-08-25 339968]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2004-08-13 122939]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2004-10-12 57344]
"UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2004-01-07 110592]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-04-25 139264]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-02-06 177472]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"SBAMTray"=C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe [2009-03-18 664872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SBAMSvc]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

======List of files/folders created in the last 1 months======

2009-04-23 15:37:31 ----D---- C:\rsit
2009-04-23 15:27:02 ----SHD---- C:\RECYCLER
2009-04-23 13:49:10 ----D---- C:\WINDOWS\temp
2009-04-23 13:49:09 ----A---- C:\ComboFix.txt
2009-04-23 13:42:50 ----D---- C:\ComboFix
2009-04-23 13:40:02 ----D---- C:\Documents and Settings\jwalker\Application Data\Malwarebytes
2009-04-23 13:39:58 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-23 13:39:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-21 12:02:58 ----D---- C:\Program Files\Trend Micro
2009-04-21 10:04:26 ----SHD---- C:\Config.Msi
2009-04-21 09:33:35 ----D---- C:\Documents and Settings\jwalker\Application Data\Google
2009-04-20 15:21:46 ----A---- C:\Boot.bak
2009-04-20 15:21:41 ----RASHD---- C:\cmdcons
2009-04-20 15:20:31 ----A---- C:\WINDOWS\zip.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\vFind.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\SWREG.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\sed.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\grep.exe
2009-04-20 15:20:30 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-20 15:20:30 ----A---- C:\WINDOWS\SWSC.exe
2009-04-20 15:20:12 ----D---- C:\WINDOWS\ERDNT
2009-04-20 15:20:10 ----D---- C:\Qoobox
2009-04-20 10:44:07 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-20 10:44:03 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-20 10:42:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-20 10:42:43 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-20 10:42:39 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-20 10:42:33 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-20 10:38:45 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-03-27 12:39:12 ----D---- C:\FORD

======List of files/folders modified in the last 1 months======

2009-04-23 15:37:21 ----D---- C:\WINDOWS\Prefetch
2009-04-23 15:32:26 ----D---- C:\Temp
2009-04-23 14:58:43 ----D---- C:\WINDOWS\security
2009-04-23 14:45:07 ----D---- C:\WINDOWS\system32\drivers
2009-04-23 14:45:07 ----D---- C:\WINDOWS
2009-04-23 14:44:16 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-23 14:41:46 ----D---- C:\WINDOWS\system32
2009-04-23 13:48:21 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-23 13:46:56 ----N---- C:\WINDOWS\system.ini
2009-04-23 13:44:30 ----D---- C:\WINDOWS\AppPatch
2009-04-23 13:44:29 ----D---- C:\Program Files\Common Files
2009-04-23 13:39:57 ----RD---- C:\Program Files
2009-04-21 14:40:04 ----D---- C:\Documents and Settings\jwalker\Application Data\Adobe
2009-04-21 10:07:01 ----D---- C:\WINDOWS\WinSxS
2009-04-21 10:07:00 ----SHD---- C:\WINDOWS\Installer
2009-04-21 10:06:33 ----D---- C:\Program Files\Mozilla Firefox
2009-04-21 10:06:11 ----D---- C:\Program Files\Java
2009-04-21 10:05:02 ----D---- C:\WINDOWS\Registration
2009-04-21 10:04:39 ----D---- C:\Program Files\Internet Explorer
2009-04-21 10:03:20 ----D---- C:\Program Files\Common Files\Adobe
2009-04-21 10:03:20 ----D---- C:\Program Files\Adobe
2009-04-21 09:50:17 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-21 09:48:44 ----D---- C:\Program Files\Google
2009-04-21 09:44:53 ----D---- C:\Apps
2009-04-21 09:35:32 ----D---- C:\Python24
2009-04-21 09:34:50 ----D---- C:\Documents and Settings\jwalker\Application Data\Move Networks
2009-04-21 09:34:04 ----D---- C:\WINDOWS\Help
2009-04-21 09:30:01 ----D---- C:\WINDOWS\Minidump
2009-04-20 15:25:58 ----D---- C:\WINDOWS\system32\config
2009-04-20 15:21:46 ----RASH---- C:\boot.ini
2009-04-20 13:19:33 ----A---- C:\WINDOWS\wininit.ini
2009-04-20 12:36:47 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-20 10:50:43 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-20 10:46:14 ----D---- C:\WINDOWS\system32\wbem
2009-04-20 10:44:09 ----HD---- C:\WINDOWS\inf
2009-04-20 10:44:05 ----A---- C:\WINDOWS\imsins.BAK
2009-04-20 10:43:56 ----D---- C:\WINDOWS\system32\en-US
2009-04-20 10:42:48 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-06 10:57:24 ----A---- C:\WINDOWS\system32\MRT.exe
2009-03-30 10:03:33 ----RSD---- C:\WINDOWS\Fonts
2009-03-30 10:03:33 ----D---- C:\WINDOWS\system
2009-03-27 12:39:12 ----N---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 sbtis;sbtis; C:\WINDOWS\system32\drivers\sbtis.sys [2008-10-09 202928]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-07-14 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-12 12032]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-08-13 40544]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2005-07-25 8413]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-08-13 25723]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-08-13 34843]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-08-13 4123]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-08-13 2239]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-08-13 86202]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-08-13 14715]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-08-13 6363]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-08-13 98714]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-08-13 100603]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-08-23 121472]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2004-07-12 645360]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2004-08-05 366384]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2004-07-12 6096]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2004-07-12 130288]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2004-07-12 145488]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2004-08-12 904752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntelC51;IntelC51; C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2004-03-05 1233525]
R3 IntelC52;IntelC52; C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2004-03-05 647929]
R3 IntelC53;IntelC53; C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2004-06-15 61157]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mohfilt;mohfilt; C:\WINDOWS\system32\DRIVERS\mohfilt.sys [2004-03-05 37048]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2004-07-12 178672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2005-11-16 333620]
S1 drvnddmm;drvnddmm; C:\WINDOWS\System32\drivers\drvnddmm.sys []
S2 DS1410D;DS1410D; C:\WINDOWS\SYSTEM32\drivers\DS1410D.SYS []
S3 bvrp_pci;bvrp_pci; \??\C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2003-11-12 333600]
S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2004-07-12 148432]
S3 mgau;mgau; C:\WINDOWS\system32\DRIVERS\mgaum.sys [2001-08-17 320384]
S3 SBRE;SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2005-06-14 104576]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-12 44032]
R2 IAANTMon;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-04-25 86142]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2005-01-19 516096]
S2 Cadence License Manager;Cadence License Manager; C:\OrCAD\license_manager\lmgrd.exe [2002-08-09 608768]
S2 SBAMSvc;VIPRE Enterprise Agent; C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe [2009-03-18 894248]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 UBMS;UltraBac Management Service; C:\Program Files\UltraBac Software\UltraBac8\ubms.exe []
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------



info.txt logfile of random's system information tool 1.06 2009-04-23 15:37:45

======Uninstall list======

-->C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE6699B3-E5AD-4E59-8F2B-207DF630670C}\setup.exe" -l0x9 /remove
Adobe Acrobat 6.0.1 Professional-->MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Autodesk MapGuide® Viewer ActiveX Control Release 6.3-->MsiExec.exe /I{ECD94AA1-D865-4EF4-8F7C-5AA68D37ABE9}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom Gigabit Integrated Controller-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
Cadence Allegro Free Physical Viewer 15.7-->MsiExec.exe /I{865E2636-CFB9-4D7F-BF50-98161A1478B7}
Cadence License Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C0816B0-3CBA-4936-8BF7-FF469D1B07F5}\Setup.exe" -l0x9 Uninstall
Convert-->MsiExec.exe /X{23970E31-948B-466E-8376-1224D32FDF0C}
Creative MediaSource-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\SETUP.EXE" -l0x9 /remove
Crystal10-->MsiExec.exe /I{91FD3E1D-FE00-4ECB-8379-204704812A9D}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HyperTerminal Private Edition v6.3-->C:\WINDOWS\system32\Unwise32.exe /Z C:\PROGRA~1\WINDOW~1\HYPERT~1\Install.log
Intel Matrix Storage Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
MobileMe Control Panel-->MsiExec.exe /I{A14C24F6-615B-415E-84B0-610FDAD19B68}
PowerDVD 5.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Release OrCAD 10.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEEF7B2C-FE9A-492D-820B-EBCAB0927D3D}\Setup.exe" -l0x9 Uninstall
Safari-->MsiExec.exe /I{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}
SAP Front End-->"C:\Program Files\SAP\FrontEnd\setup\sapsetup.exe" /uninstall
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD-->MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

=====HijackThis Backups=====

O23 - Service: UltraBac Management Service (UBMS) - Unknown owner - C:\Program Files\UltraBac Software\UltraBac8\ubms.exe (file missing) [2009-04-21]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) [2009-04-21]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) [2009-04-21]

======Security center information======

AV: Sunbelt VIPRE (disabled)

======System event log======

Computer Name: MPALITTO2
Event Code: 40961
Message: The Security System could not establish a secured connection with the server ldap/dc.corporate.lightwave.com/corporate.lightwave.com@corporate.lightwave.com. No authentication protocol was available.

Record Number: 5208
Source Name: LSASRV
Time Written: 20060112224947.000000-300
Event Type: warning
User:

Computer Name: MPALITTO2
Event Code: 40961
Message: The Security System could not establish a secured connection with the server ldap/dc.corporate.lightwave.com/corporate.lightwave.com@corporate.lightwave.com. No authentication protocol was available.

Record Number: 5207
Source Name: LSASRV
Time Written: 20060112205647.000000-300
Event Type: warning
User:

Computer Name: MPALITTO2
Event Code: 40961
Message: The Security System could not establish a secured connection with the server ldap/dc.corporate.lightwave.com/corporate.lightwave.com@corporate.lightwave.com. No authentication protocol was available.

Record Number: 5206
Source Name: LSASRV
Time Written: 20060112191147.000000-300
Event Type: warning
User:

Computer Name: MPALITTO2
Event Code: 3019
Message: The redirector failed to determine the connection type.

Record Number: 5205
Source Name: MRxSmb
Time Written: 20060112151509.000000-300
Event Type: warning
User:

Computer Name: MPALITTO2
Event Code: 40961
Message: The Security System could not establish a secured connection with the server ldap/dc.corporate.lightwave.com/corporate.lightwave.com@corporate.lightwave.com. No authentication protocol was available.

Record Number: 5204
Source Name: LSASRV
Time Written: 20060112140817.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: MPALITTO2
Event Code: 1030
Message: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Record Number: 2503
Source Name: Userenv
Time Written: 20050820234145.000000-240
Event Type: error
User: CORPORATE\MPalitto

Computer Name: MPALITTO2
Event Code: 1030
Message: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Record Number: 2502
Source Name: Userenv
Time Written: 20050820220145.000000-240
Event Type: error
User: CORPORATE\MPalitto

Computer Name: MPALITTO2
Event Code: 1030
Message: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Record Number: 2501
Source Name: Userenv
Time Written: 20050820203045.000000-240
Event Type: error
User: CORPORATE\MPalitto

Computer Name: MPALITTO2
Event Code: 1030
Message: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Record Number: 2500
Source Name: Userenv
Time Written: 20050820184545.000000-240
Event Type: error
User: CORPORATE\MPalitto

Computer Name: MPALITTO2
Event Code: 1030
Message: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

Record Number: 2499
Source Name: Userenv
Time Written: 20050820170545.000000-240
Event Type: error
User: CORPORATE\MPalitto

======Environment variables======

"CDS_LIC_FILE"=5280@englic
"CDSROOT"=C:\OrCAD\OrCAD_10.3
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"LM_LICENSE_FILE"=7588@muon;7166@TRACKRECORD
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\PROGRA~1\COMMON~1\SONICS~1;V:\BIN;C:\OrCAD\OrCAD_10.3\tools\bin;C:\OrCAD\OrCAD_10.3\tools\fet\bin;C:\OrCAD\OrCAD_10.3\tools\Capture;C:\Program Files\QuickTime\QTSystem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=0401
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

#6 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:38 AM
Posted 27 April 2009 - 12:49 PM

Where is ComboFix.txt and the MBAM log I asked you to post?


#7 jwlight
  • Topic Starter
  • Members
  • 6 posts
  • Local time:09:38 PM

Posted 27 April 2009 - 02:38 PM

Sorry

ComboFix 09-04-23.A3 - jwalker 04/23/2009 13:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1494 [GMT -4:00]
Running from: c:\documents and settings\jwalker\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-23 17:46 . 2009-04-23 17:46 -------- d-----w c:\temp\tn3
2009-04-20 14:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-20 14:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-20 14:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-20 14:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-20 14:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-20 14:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-20 14:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-20 14:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-20 14:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-20 14:38 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-20 14:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-20 14:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-03-27 16:39 . 2009-03-27 16:39 21648 ----a-w c:\windows\system\CTL3DV2.DLL
2009-03-27 16:39 . 2009-03-27 16:39 -------- d-----w C:\FORD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 17:45 . 2009-04-20 19:27 932 ------w c:\windows\system32\drivers\core.cache.dsk
2009-04-23 17:40 . 2009-04-23 17:40 -------- d-----w c:\documents and settings\jwalker\Application Data\Malwarebytes
2009-04-23 17:40 . 2009-04-23 17:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 17:39 . 2009-04-23 17:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-21 16:02 . 2009-04-21 16:02 -------- d-----w c:\program files\Trend Micro
2009-04-21 14:06 . 2005-04-04 19:52 -------- d-----w c:\program files\Java
2009-04-21 14:03 . 2005-03-10 15:44 -------- d-----w c:\program files\Common Files\Adobe
2009-04-21 13:48 . 2005-03-19 00:54 -------- d-----w c:\program files\Google
2009-04-21 13:34 . 2009-02-19 16:08 -------- d-----w c:\documents and settings\jwalker\Application Data\Move Networks
2009-04-20 16:36 . 2008-03-24 20:50 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-06 19:32 . 2009-04-23 17:39 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-04-23 17:40 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-18 10:00 . 2009-03-18 10:00 65320 ----a-w c:\windows\system32\sbbd.exe
2009-03-09 09:19 . 2008-12-01 14:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 18:19 . 2008-10-21 19:24 -------- d-----w c:\documents and settings\jwalker\Application Data\AdobeUM
2009-03-06 14:22 . 2004-08-12 13:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-12 13:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 17:09 . 2009-02-24 17:09 -------- d-----w c:\program files\Common Files\INCA Shared
2009-02-24 16:55 . 2009-02-24 16:55 -------- d-----w c:\program files\Gpotato
2009-02-20 18:09 . 2004-08-12 13:19 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-12 13:21 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-12 13:27 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-12 13:25 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-12 13:17 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-12 13:33 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-12 13:28 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-12 13:25 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-12 13:27 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-12 13:28 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-06 21:20 . 2007-09-24 19:26 51144 ------w c:\documents and settings\jwalker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-11-26 18:20 . 2008-11-26 18:20 130 ------w c:\documents and settings\jwalker\Local Settings\Application Data\fusioncache.dat
2005-02-25 16:35 . 2005-02-25 16:35 48360 ------w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-02-22 15:05 . 2005-02-22 15:05 12328 ------w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 21:24 . 2008-03-24 17:50 472 --sha-r c:\windows\QWRtaW4\kqlQuqb.vbs
2008-12-08 15:36 . 2008-12-08 15:36 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120820081209\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-20_19.28.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-12 13:26 . 2009-04-21 14:04 40836 c:\windows\system32\perfc009.dat
+ 2005-02-22 12:47 . 2004-08-12 13:23 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2008-01-18 15:13 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-01-18 15:13 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut25.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut24.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut23.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut22.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut21.bat
+ 2004-08-12 13:26 . 2009-04-21 14:04 314508 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2009-03-18 664872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe"
"UIUCU"=c:\docume~1\Admin\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Cadence License Manager;Cadence License Manager;c:\orcad\license_manager\lmgrd.exe [2002-08-09 608768]
R3 mgau;mgau;c:\windows\system32\DRIVERS\mgaum.sys [2001-08-17 320384]
R3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2008-10-22 92464]
R3 UBMS;UltraBac Management Service; [x]
S0 DF2K;UltraBac Locked File Backup Driver;c:\windows\system32\drivers\df2k.sys [2006-08-17 135381]
S1 drvnddmm;drvnddmm;c:\windows\system32\drivers\drvnddmm.sys [2008-03-24 86016]
S1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-10-09 202928]
S2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [2009-03-18 894248]

.
Contents of the 'Scheduled Tasks' folder

2009-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 13:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(852)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3576)
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-23 13:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-23 17:49
ComboFix2.txt 2009-04-21 15:41
ComboFix3.txt 2009-04-20 19:30

Pre-Run: 136,879,210,496 bytes free
Post-Run: 136,880,037,888 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
178 --- E O F --- 2009-04-20 14:44

Malwarebytes' Anti-Malware 1.36
Database version: 2032
Windows 5.1.2600 Service Pack 3

4/27/2009 3:37:45 PM
mbam-log-2009-04-27 (15-37-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 200553
Time elapsed: 26 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 27 April 2009 - 04:16 PM

Your MBAM log looks clean, but your others don't; since they are a few days old, I need a new one.
Please post back with a new RSIT log, then we can start to clean up.

Cheers


#9 jwlight

jwlight
  • Topic Starter

  • Members
  • 6 posts

Posted 28 April 2009 - 08:21 AM

Thanks again!

Logfile of random's system information tool 1.06 (written by random/random)
Run by jwalker at 2009-04-28 09:17:27
Microsoft Windows XP Professional Service Pack 3
System drive C: has 130 GB (85%) free of 153 GB
Total RAM: 2046 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:33 AM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\jwalker\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\jwalker.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206985169699
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corporate.lightwave.com
O17 - HKLM\Software\..\Telephony: DomainName = corporate.lightwave.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corporate.lightwave.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = corporate.lightwave.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cadence License Manager - GLOBEtrotter Software Inc. - C:\OrCAD\license_manager\lmgrd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VIPRE Enterprise Agent (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
O23 - Service: UltraBac Management Service (UBMS) - Unknown owner - C:\Program Files\UltraBac Software\UltraBac8\ubms.exe (file missing)

--
End of file - 5754 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-08-25 339968]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2004-08-13 122939]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2004-10-12 57344]
"UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2004-01-07 110592]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-04-25 139264]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-02-06 177472]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"SBAMTray"=C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe [2009-04-22 664872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SBAMSvc]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
shell\AutoRun\command - I:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-04-23 15:37:31 ----D---- C:\rsit
2009-04-23 15:27:02 ----SHD---- C:\RECYCLER
2009-04-23 13:49:10 ----D---- C:\WINDOWS\temp
2009-04-23 13:49:09 ----A---- C:\ComboFix.txt
2009-04-23 13:42:50 ----D---- C:\ComboFix
2009-04-23 13:40:02 ----D---- C:\Documents and Settings\jwalker\Application Data\Malwarebytes
2009-04-23 13:39:58 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-23 13:39:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-22 06:01:20 ----A---- C:\WINDOWS\system32\sbbd.exe
2009-04-21 12:02:58 ----D---- C:\Program Files\Trend Micro
2009-04-21 09:33:35 ----D---- C:\Documents and Settings\jwalker\Application Data\Google
2009-04-20 15:21:46 ----A---- C:\Boot.bak
2009-04-20 15:21:41 ----RASHD---- C:\cmdcons
2009-04-20 15:20:31 ----A---- C:\WINDOWS\zip.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\vFind.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\SWREG.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\sed.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-20 15:20:31 ----A---- C:\WINDOWS\grep.exe
2009-04-20 15:20:30 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-20 15:20:30 ----A---- C:\WINDOWS\SWSC.exe
2009-04-20 15:20:12 ----D---- C:\WINDOWS\ERDNT
2009-04-20 15:20:10 ----D---- C:\Qoobox
2009-04-20 10:44:07 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-20 10:44:03 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-20 10:42:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-20 10:42:43 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-20 10:42:39 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-20 10:42:33 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-20 10:38:45 ----N---- C:\WINDOWS\system32\xpsp4res.dll

======List of files/folders modified in the last 1 months======

2009-04-28 08:58:08 ----D---- C:\WINDOWS\security
2009-04-28 01:24:03 ----D---- C:\WINDOWS\system32
2009-04-27 15:41:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-27 12:14:20 ----D---- C:\WINDOWS\Prefetch
2009-04-27 09:28:20 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-24 00:43:31 ----SHD---- C:\WINDOWS\Installer
2009-04-24 00:43:30 ----D---- C:\WINDOWS\system32\drivers
2009-04-23 16:15:11 ----HD---- C:\WINDOWS\inf
2009-04-23 15:32:26 ----D---- C:\Temp
2009-04-23 14:45:07 ----D---- C:\WINDOWS
2009-04-23 13:46:56 ----N---- C:\WINDOWS\system.ini
2009-04-23 13:44:30 ----D---- C:\WINDOWS\AppPatch
2009-04-23 13:44:29 ----D---- C:\Program Files\Common Files
2009-04-23 13:39:57 ----RD---- C:\Program Files
2009-04-21 14:40:04 ----D---- C:\Documents and Settings\jwalker\Application Data\Adobe
2009-04-21 10:07:01 ----D---- C:\WINDOWS\WinSxS
2009-04-21 10:06:33 ----D---- C:\Program Files\Mozilla Firefox
2009-04-21 10:06:11 ----D---- C:\Program Files\Java
2009-04-21 10:05:02 ----D---- C:\WINDOWS\Registration
2009-04-21 10:04:39 ----D---- C:\Program Files\Internet Explorer
2009-04-21 10:03:20 ----D---- C:\Program Files\Common Files\Adobe
2009-04-21 10:03:20 ----D---- C:\Program Files\Adobe
2009-04-21 09:50:17 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-21 09:48:44 ----D---- C:\Program Files\Google
2009-04-21 09:44:53 ----D---- C:\Apps
2009-04-21 09:35:32 ----D---- C:\Python24
2009-04-21 09:34:50 ----D---- C:\Documents and Settings\jwalker\Application Data\Move Networks
2009-04-21 09:34:04 ----D---- C:\WINDOWS\Help
2009-04-21 09:30:01 ----D---- C:\WINDOWS\Minidump
2009-04-20 15:25:58 ----D---- C:\WINDOWS\system32\config
2009-04-20 15:21:46 ----RASH---- C:\boot.ini
2009-04-20 13:19:33 ----A---- C:\WINDOWS\wininit.ini
2009-04-20 12:36:47 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-04-20 10:50:43 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-20 10:46:14 ----D---- C:\WINDOWS\system32\wbem
2009-04-20 10:44:05 ----A---- C:\WINDOWS\imsins.BAK
2009-04-20 10:43:56 ----D---- C:\WINDOWS\system32\en-US
2009-04-20 10:42:48 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-06 10:57:24 ----A---- C:\WINDOWS\system32\MRT.exe
2009-03-30 10:03:33 ----RSD---- C:\WINDOWS\Fonts
2009-03-30 10:03:33 ----D---- C:\WINDOWS\system

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 sbtis;sbtis; C:\WINDOWS\system32\drivers\sbtis.sys [2008-10-09 202928]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-07-14 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-12 12032]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-08-13 40544]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2005-07-25 8413]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-08-13 25723]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-08-13 34843]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-08-13 4123]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-08-13 2239]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-08-13 86202]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-08-13 14715]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-08-13 6363]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-08-13 98714]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-08-13 100603]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-08-23 121472]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2004-07-12 645360]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2004-08-05 366384]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2004-07-12 6096]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2004-07-12 130288]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2004-07-12 145488]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2004-08-12 904752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntelC51;IntelC51; C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2004-03-05 1233525]
R3 IntelC52;IntelC52; C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2004-03-05 647929]
R3 IntelC53;IntelC53; C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2004-06-15 61157]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mohfilt;mohfilt; C:\WINDOWS\system32\DRIVERS\mohfilt.sys [2004-03-05 37048]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2004-07-12 178672]
R3 SBRE;SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2005-11-16 333620]
S1 drvnddmm;drvnddmm; C:\WINDOWS\System32\drivers\drvnddmm.sys []
S2 DS1410D;DS1410D; C:\WINDOWS\SYSTEM32\drivers\DS1410D.SYS []
S3 bvrp_pci;bvrp_pci; \??\C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2003-11-12 333600]
S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2004-07-12 148432]
S3 mgau;mgau; C:\WINDOWS\system32\DRIVERS\mgaum.sys [2001-08-17 320384]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2005-06-14 104576]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2005-01-28 18944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-12 44032]
R2 IAANTMon;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-04-25 86142]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2005-01-19 516096]
S2 Cadence License Manager;Cadence License Manager; C:\OrCAD\license_manager\lmgrd.exe [2002-08-09 608768]
S2 SBAMSvc;VIPRE Enterprise Agent; C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe [2009-04-22 894248]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 UBMS;UltraBac Management Service; C:\Program Files\UltraBac Software\UltraBac8\ubms.exe []
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------
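A triage check a responder would want before writing a removal script for a log like the one above. This is an added example for this thread, not code from RSIT, HijackThis or ComboFix: it parses the `R1 name;display; path [date size]` driver/service lines from the RSIT listing and flags entries whose file info is empty (`[]`), which means the scanner could not find or read the image on disk. In the log above that flags `drvnddmm` (the driver syler's CFScript later removes), but also entries such as `PfModNT` and `UBMS`, so an empty `[]` is a review cue, not a verdict. The sample lines are constructed from the thread's own logs; treating ComboFix's `[x]` as the same "file missing" marker is an assumption made here.

```python
"""Parse RSIT-style driver/service lines and list entries worth a closer look.

Line shape (from the RSIT log above):
    R1 sbtis;sbtis; C:\\WINDOWS\\system32\\drivers\\sbtis.sys [2008-10-09 202928]
    S1 drvnddmm;drvnddmm; C:\\WINDOWS\\System32\\drivers\\drvnddmm.sys []
An empty [] means RSIT could not stat the file; ComboFix's [x] is assumed
here to mean the same thing (assumption, not documented on the page).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# state letter (R/S), start type digit, name;display; image path [file info]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}


@dataclass
class Entry:
    running: bool
    start: str
    name: str
    display: str
    path: str
    file_info: str  # "YYYY-MM-DD size", or "" / "x" when the file could not be read

    @property
    def file_missing(self) -> bool:
        return self.file_info in ("", "x")

    def reasons(self) -> List[str]:
        """Human-readable review cues; an empty list means nothing stood out."""
        out = []
        if self.file_missing:
            out.append("file info empty: image not found or unreadable at scan time")
        if not self.path:
            out.append("no image path recorded")
        if self.display.lower() == self.name.lower():
            out.append("display name equals service name (no description)")
        return out


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # headers, blank lines and other sections are ignored
    path = m.group("path").strip()
    if path.startswith("\\??\\"):  # kernel-style path prefix seen in the log
        path = path[4:]
    return Entry(
        running=m.group("state") == "R",
        start=m.group("start"),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        path=path,
        file_info=m.group("info").strip(),
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(text: str) -> List[Entry]:
    """Entries whose image file was missing or unreadable, in log order."""
    return [e for e in parse_log(text) if e.file_missing]


def format_report(text: str) -> str:
    lines = []
    for e in triage(text):
        state = "running" if e.running else "stopped"
        lines.append(f"{e.name} ({state}, start={START_TYPES[e.start]}) path={e.path or '-'}")
        for r in e.reasons():
            lines.append(f"    - {r}")
    return "\n".join(lines)


# Constructed sample, copied from the driver lists posted in this thread.
SAMPLE_LOG = "\n".join([
    r"======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======",
    r"R1 sbtis;sbtis; C:\WINDOWS\system32\drivers\sbtis.sys [2008-10-09 202928]",
    r"R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []",
    r"R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]",
    r"S1 drvnddmm;drvnddmm; C:\WINDOWS\System32\drivers\drvnddmm.sys []",
    r"S3 UBMS;UltraBac Management Service; C:\Program Files\UltraBac Software\UltraBac8\ubms.exe []",
    r"R0 ilcy;ilcy; [x]",
])

if __name__ == "__main__":
    print(format_report(SAMPLE_LOG))
```

Run it on the full RSIT text to get a short list to check by hand (vendor, install date, whether the file reappears after a reboot) before any of them goes into a removal script; the display-name cue is deliberately weak, since plenty of legitimate drivers in the log above carry no description either.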

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 29 April 2009 - 06:46 AM

Hi jwlight

Please delete the copy of ComboFix you have and download a new copy from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
drvnddmm
Folder:: 
c:\temp\tn3
c:\windows\qwrtaw4
File::
c:\windows\system32\drivers\drvnddmm.sys
c:\windows\system32\drivers\core.cache.dsk
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks


#11 jwlight

jwlight
  • Topic Starter

  • Members
  • 6 posts

Posted 29 April 2009 - 10:06 AM

ComboFix 09-04-28.05 - jwalker 04/29/2009 10:25.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1510 [GMT -4:00]
Running from: c:\documents and settings\jwalker\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jwalker\Desktop\CFScript.txt
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\drvnddmm.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\qwrtaw4
c:\windows\qwrtaw4\kqlQuqb.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRVNDDMM
-------\Service_drvnddmm


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 13:32 . 2009-04-28 13:32 -------- d-----w c:\program files\MSXML 4.0
2009-04-23 19:37 . 2009-04-23 19:37 -------- d-----w C:\rsit
2009-04-23 17:40 . 2009-04-23 17:40 -------- d-----w c:\documents and settings\jwalker\Application Data\Malwarebytes
2009-04-23 17:40 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-23 17:39 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 17:39 . 2009-04-23 17:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 17:39 . 2009-04-23 17:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 10:01 . 2009-04-22 10:01 65320 ----a-w c:\windows\system32\sbbd.exe
2009-04-21 16:02 . 2009-04-21 16:02 -------- d-----w c:\program files\Trend Micro
2009-04-20 14:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-20 14:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-20 14:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-20 14:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-20 14:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-20 14:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-20 14:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-20 14:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-20 14:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-20 14:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-20 14:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 14:27 . 2005-02-23 14:13 384 ----a-w c:\windows\system32\DVCStateBkp-{00000004-00000000-00000001-00001102-00000004-20061102}.dat
2009-04-29 14:27 . 2005-02-23 14:13 384 ----a-w c:\windows\system32\DVCState-{00000004-00000000-00000001-00001102-00000004-20061102}.dat
2009-04-28 17:27 . 2007-09-24 19:26 51536 ----a-w c:\documents and settings\jwalker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 14:06 . 2005-04-04 19:52 -------- d-----w c:\program files\Java
2009-04-21 14:03 . 2005-03-10 15:44 -------- d-----w c:\program files\Common Files\Adobe
2009-04-21 13:48 . 2005-03-19 00:54 -------- d-----w c:\program files\Google
2009-04-20 16:36 . 2008-03-24 20:50 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-09 09:19 . 2008-12-01 14:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-12 13:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-12 13:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-12 13:19 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-12 13:21 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-12 13:27 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-12 13:25 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-12 13:17 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-12 13:33 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-12 13:28 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-12 13:25 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-12 13:27 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-12 13:28 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-20_19.28.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-18 14:36 . 2007-04-18 14:36 82432 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
+ 2004-08-12 13:26 . 2009-04-21 14:04 40836 c:\windows\system32\perfc009.dat
+ 2005-02-22 12:47 . 2004-08-12 13:23 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2009-04-28 13:32 . 2009-04-28 13:32 32768 c:\windows\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
+ 2009-04-24 04:43 . 2009-04-24 04:43 53248 c:\windows\Installer\{9D544611-F437-4153-913E-91CE036583CC}\ARPPRODUCTICON.exe
- 2009-03-24 21:38 . 2009-03-24 21:38 53248 c:\windows\Installer\{9D544611-F437-4153-913E-91CE036583CC}\ARPPRODUCTICON.exe
+ 2008-01-18 15:13 . 2008-01-18 15:13 2247 c:\windows\ServicePackFiles\i386\tscdsbl.bat
+ 2008-01-18 15:13 . 2008-01-18 15:13 2247 c:\windows\Installer\tsclientmsitrans\tscdsbl.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut25.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut24.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut23.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut22.bat
+ 2005-03-21 23:08 . 2005-03-21 23:08 5174 c:\windows\Installer\{1C07A546-0BE8-4E1B-8C5C-935E3FE60160}\NewShortcut21.bat
+ 2004-08-12 13:26 . 2009-04-21 14:04 314508 c:\windows\system32\perfh009.dat
+ 2007-05-08 19:06 . 2007-05-08 19:06 1275392 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
+ 2007-05-08 19:03 . 2007-05-08 19:03 1275392 c:\windows\system32\msxml4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2009-04-22 664872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe"
"UIUCU"=c:\docume~1\Admin\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ilcy;ilcy; [x]
R2 Cadence License Manager;Cadence License Manager;c:\orcad\license_manager\lmgrd.exe [2002-08-09 608768]
R3 mgau;mgau;c:\windows\system32\DRIVERS\mgaum.sys [2001-08-17 320384]
R3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2008-10-22 92464]
R3 UBMS;UltraBac Management Service; [x]
S0 DF2K;UltraBac Locked File Backup Driver;c:\windows\system32\drivers\df2k.sys [2006-08-17 135381]
S1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-10-09 202928]
S2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [2009-04-22 894248]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 10:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(820)
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wdfmgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-29 10:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 14:37
ComboFix2.txt 2009-04-23 17:49
ComboFix3.txt 2009-04-21 15:41
ComboFix4.txt 2009-04-20 19:30

Pre-Run: 135,910,354,944 bytes free
Post-Run: 136,740,282,368 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
178 --- E O F --- 2009-04-28 13:32

#12 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 30 April 2009 - 06:12 AM

Hi,

I cannot stress how important it is that you use a third-party firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Windows Firewall is good for blocking inbound connections, but it does not block outbound connections. So if malware manages to get onto your computer, it will be able to send data out whenever it wants. Here are some free firewalls I would recommend; only install one of these.

  • Zone Alarm
  • Comodo (Note: only install the firewall as a standalone if you already have an antivirus installed on your computer.)

After you install the third-party firewall, please disable your Windows Firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose the Off (not recommended) option. Then please click Apply and OK.

Next

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Then please post back here with the Kaspersky report and a fresh RSIT log.

Thanks



#13 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 03 May 2009 - 10:09 AM

Hi jwlight, can you let me know if you still require my help?



#14 jwlight

  • Topic Starter

  • Members
  • 6 posts

Posted 05 May 2009 - 09:21 AM

I can't get the online Kaspersky to run.
We can be done; thanks for your help.
:thumbup2:

#15 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 05 May 2009 - 12:42 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



