
Trojan.BHO.H and Trojan Agent


  • This topic is locked
17 replies to this topic

#1 apsinger


  • Members
  • 20 posts

Posted 26 April 2009 - 12:30 AM

PC is ultra slow....especially Internet Explorer. Firefox seems to be less affected, but PC is very slow at times. Wife says I need to get with the 20th century and get a new PC! It's a 2 Gig AMD with enough ram, so that's not it..... Worried that these viruses could be key loggers! Have run Malwarebytes at least 20 times after reading every post I could find. It showed Trojan.BHO.H and Rootkit.Agent. Have tried the File Assassin tool as well....no glory.... At this point, I'm not even sure what all I've tried to fix it...

About to reload Windows, but thought I'd try a "Hail Mary" here. Thanks for any advice or a confirmation that a fresh install is the answer. Even if I reinstall, how do I know the infection is not in my personal data somewhere just waiting to be let out again!!!




DDS (Ver_09-03-16.01) - NTFSx86
Run by Paul at 1:03:57.60 on Sun 04/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.310 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Altec Lansing\AMS\ALServ.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Wootalyzer\woot.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: {527911cb-7f4a-42da-aaad-e9f00b026c6d} - c:\windows\system32\btde.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Wootalyzer] c:\program files\wootalyzer\woot.exe
uRun: [WeatherWatcher] "c:\program files\weather watcher\ww.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [PV92TRAY] PV92Tray.exe
mRun: [PhoneTray] c:\program files\traysoft\phonetray\PhoneTray.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Easy Synchronization] c:\program files\logitech\easy synchronization\LogitechEasySync.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ALServ] "c:\program files\altec lansing\ams\ALServ.exe"
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Easy Synchronization] c:\program files\logitech\easy synchronization\LogitechEasySync.exe --ports
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\paul\startm~1\programs\startup\memoni~1.lnk - c:\program files\sprint music manager\MEMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autost~1.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
IE: Customize Menu &4 - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms &] - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm &2 - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms &[ - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219371676296
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellExecuteHook class: {fe24cd78-7c63-465d-8787-4edf7fc79895} - c:\program files\logitech\easy synchronization\shellexecutehook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\cimd2vjm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.avsforum.com/avs-vb/archive/index.php/t-562185-p-30.html

============= SERVICES / DRIVERS ===============

R0 gsjdynca;gsjdynca;c:\windows\system32\drivers\gsjdynca.sys [2001-8-23 23424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-5 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2008-8-18 77312]
R1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [2008-10-30 11264]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2006-9-30 27936]
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2008-9-1 458820]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-22 38496]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-8-18 31592]
S3 iteio;iteio;c:\windows\system32\drivers\Iteio.sys [2008-8-18 3680]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]

=============== Created Last 30 ================

2009-04-24 21:03 <DIR> --d----- C:\cmdcons
2009-04-24 21:02 <DIR> --d----- C:\Combo111
2009-04-24 21:02 388,608 a------- c:\windows\system32\CF10052.exe
2009-04-24 20:59 388,608 a------- c:\windows\system32\CF9451.exe
2009-04-24 18:48 <DIR> --d----- C:\VundoFix Backups
2009-04-22 13:02 439,072 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-22 13:02 15,392 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-22 13:02 9,044 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-22 13:02 2,516 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-22 13:02 2,143 a------- C:\rollback.ini
2009-04-22 12:53 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-04-22 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Virus PLUS
2009-04-22 12:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-22 10:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-22 10:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-22 10:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-20 22:00 69 a------- c:\windows\NeroDigital.ini
2009-04-17 15:22 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-08 22:58 3,218 a------- c:\windows\system32\PerfStringBackup.TMP
2009-04-04 18:53 <DIR> --d----- c:\documents and settings\paul\PrivacIE
2009-04-04 18:47 <DIR> --d----- c:\documents and settings\paul\IETldCache
2009-04-04 18:45 <DIR> --d----- c:\windows\ie8updates
2009-04-04 18:45 <DIR> --d----- c:\windows\$hf_mig$
2009-04-04 18:43 <DIR> -cd----- c:\windows\ie8

==================== Find3M ====================

2009-04-25 07:31 1,536 a------- c:\windows\system32\TrueSoft.dat
2009-04-23 16:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-23 16:48 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-17 15:57 355,180 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat

============= FINISH: 1:05:08.15 ===============



#2 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 May 2009 - 01:41 AM

Hello apsinger,


Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 apsinger

  • Topic Starter

  • Members
  • 20 posts

Posted 12 May 2009 - 08:44 PM

No worries about the delay. Appreciate any help you might offer!!! I just hate to have to do a reload given all the darn programs I run.... So thank you for taking a look.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:26 PM, on 5/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Altec Lansing\AMS\ALServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {527911CB-7F4A-42DA-AAAD-E9F00B026C6D} - C:\WINDOWS\system32\btde.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wootalyzer] C:\Program Files\Wootalyzer\woot.exe
O4 - HKCU\..\Run: [WeatherWatcher] "C:\Program Files\Weather Watcher\ww.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219371676296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8810 bytes

#4 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 May 2009 - 11:03 PM

Hi there,

Given your initial description, let's do this:

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :thumbup2:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to apsinger.exe and try it again. :)

Thanks,
tea

#5 apsinger

  • Topic Starter

  • Members
  • 20 posts

Posted 13 May 2009 - 04:56 PM

ComboFix 09-04-28.05 - Paul 05/13/2009 17:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.364 [GMT -4:00]
Running from: c:\documents and settings\Paul\Desktop\Combo111.exe
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-5-13 )))))))))))))))))))))))))))))))
.

2009-05-13 01:36 . 2009-05-13 01:36 -------- d-----w c:\program files\Trend Micro
2009-05-06 00:12 . 2009-05-06 00:12 -------- d-----w c:\program files\Citrix
2009-05-06 00:11 . 2009-05-06 00:11 60744 ----a-w c:\documents and settings\Paul\g2mdlhlpx.exe
2009-05-04 04:08 . 2009-05-04 04:08 -------- d-----w c:\program files\CCleaner
2009-05-03 14:20 . 2009-05-03 14:20 61440 ----a-w c:\windows\system32\drivers\bftxoumk.sys
2009-05-02 13:44 . 2009-05-02 16:25 -------- d-----w C:\BARBIE_MERMAIDIA
2009-04-30 02:39 . 2006-08-25 15:45 617472 -c----w c:\windows\system32\dllcache\comctl32.dll
2009-04-30 02:38 . 2006-04-20 11:51 359808 -c----w c:\windows\system32\dllcache\tcpip.sys
2009-04-30 02:37 . 2007-06-26 06:08 1104896 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-04-30 02:37 . 2006-08-14 10:34 332928 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-30 02:36 . 2006-05-19 12:59 111616 -c----w c:\windows\system32\dllcache\dhcpcsvc.dll
2009-04-30 02:36 . 2006-05-19 12:59 94720 -c----w c:\windows\system32\dllcache\iphlpapi.dll
2009-04-30 02:36 . 2007-03-08 15:36 40960 -c----w c:\windows\system32\dllcache\mf3216.dll
2009-04-30 02:36 . 2007-03-08 13:47 1843584 -c----w c:\windows\system32\dllcache\win32k.sys
2009-04-30 02:35 . 2007-07-09 13:09 584192 -c----w c:\windows\system32\dllcache\rpcrt4.dll
2009-04-30 02:34 . 2006-06-14 08:47 6400 -c----w c:\windows\system32\dllcache\splitter.sys
2009-04-30 02:34 . 2006-06-14 08:47 172416 -c----w c:\windows\system32\dllcache\kmixer.sys
2009-04-30 02:34 . 2006-06-14 09:00 82944 -c----w c:\windows\system32\dllcache\wdmaud.sys
2009-04-30 02:34 . 2007-04-16 15:52 984576 -c----w c:\windows\system32\dllcache\kernel32.dll
2009-04-30 02:32 . 2007-02-05 20:17 185344 -c----w c:\windows\system32\dllcache\upnphost.dll
2009-04-30 02:30 . 2006-12-26 13:07 536576 -c----w c:\windows\system32\dllcache\msado15.dll
2009-04-30 02:30 . 2006-12-26 13:07 102400 -c----w c:\windows\system32\dllcache\msjro.dll
2009-04-30 02:30 . 2006-12-26 13:07 180224 -c----w c:\windows\system32\dllcache\msadomd.dll
2009-04-30 02:30 . 2006-12-26 13:07 200704 -c----w c:\windows\system32\dllcache\msadox.dll
2009-04-30 02:29 . 2006-10-12 14:02 42496 -c----w c:\windows\system32\dllcache\agentdp2.dll
2009-04-30 02:29 . 2006-10-12 11:09 256512 -c----w c:\windows\system32\dllcache\agentsvr.exe
2009-04-30 02:27 . 2006-10-19 13:56 713216 -c----w c:\windows\system32\dllcache\sxs.dll
2009-04-30 02:27 . 2007-05-17 11:28 549376 -c----w c:\windows\system32\dllcache\oleaut32.dll
2009-04-30 02:26 . 2006-10-13 10:23 163584 -c----w c:\windows\system32\dllcache\nwrdr.sys
2009-04-30 02:26 . 2006-10-13 12:35 65536 -c----w c:\windows\system32\dllcache\nwwks.dll
2009-04-30 02:26 . 2006-10-13 12:35 142336 -c----w c:\windows\system32\dllcache\nwprovau.dll
2009-04-30 02:26 . 2006-12-14 13:45 981760 -c----w c:\windows\system32\dllcache\mfc42u.dll
2009-04-30 02:25 . 2006-12-19 21:52 134656 -c----w c:\windows\system32\dllcache\shsvcs.dll
2009-04-30 02:25 . 2006-12-19 21:52 8453632 -c----w c:\windows\system32\dllcache\shell32.dll
2009-04-30 02:25 . 2007-02-28 09:08 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-30 02:25 . 2007-02-28 09:10 2180352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-30 02:25 . 2007-02-28 08:38 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-30 02:25 . 2007-02-28 08:38 2057600 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-30 02:23 . 2006-08-16 09:37 225664 -c----w c:\windows\system32\dllcache\tcpip6.sys
2009-04-30 02:23 . 2006-08-16 11:58 100352 -c----w c:\windows\system32\dllcache\6to4svc.dll
2009-04-30 02:23 . 2006-12-19 18:16 333824 -c----w c:\windows\system32\dllcache\wiaservc.dll
2009-04-30 02:22 . 2006-03-17 00:38 28672 ------w c:\windows\system32\verclsid.exe
2009-04-30 02:22 . 2006-11-27 14:54 433152 -c----w c:\windows\system32\dllcache\riched20.dll
2009-04-30 02:22 . 2006-11-27 14:54 539136 -c----w c:\windows\system32\dllcache\msftedit.dll
2009-04-30 02:21 . 2007-06-19 13:31 282112 -c----w c:\windows\system32\dllcache\gdi32.dll
2009-04-30 02:20 . 2006-05-05 09:47 174592 -c----w c:\windows\system32\dllcache\rdbss.sys
2009-04-30 02:20 . 2006-05-05 09:41 453120 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-30 02:19 . 2007-04-25 14:21 144896 -c----w c:\windows\system32\dllcache\schannel.dll
2009-04-30 02:19 . 2006-06-26 17:37 8192 -c----w c:\windows\system32\dllcache\rasadhlp.dll
2009-04-30 02:19 . 2006-06-26 17:37 148480 -c----w c:\windows\system32\dllcache\dnsapi.dll
2009-04-30 02:18 . 2007-03-17 13:43 292864 -c----w c:\windows\system32\dllcache\winsrv.dll
2009-04-30 02:17 . 2006-06-22 05:06 69120 -c----w c:\windows\system32\dllcache\ciodm.dll
2009-04-30 02:17 . 2006-06-22 05:06 1435648 -c----w c:\windows\system32\dllcache\query.dll
2009-04-30 02:17 . 2006-08-21 12:21 16896 -c----w c:\windows\system32\dllcache\fltlib.dll
2009-04-30 02:17 . 2006-08-21 09:14 23040 -c----w c:\windows\system32\dllcache\fltmc.exe
2009-04-30 02:17 . 2006-08-21 09:14 128896 -c----w c:\windows\system32\dllcache\fltmgr.sys
2009-04-30 02:17 . 2006-06-22 10:47 181248 -c----w c:\windows\system32\dllcache\rasmans.dll
2009-04-30 02:17 . 2004-08-04 04:56 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-30 02:16 . 2007-03-09 13:58 57344 -c----w c:\windows\system32\dllcache\agentdpv.dll
2009-04-30 02:15 . 2006-08-17 12:28 132096 -c----w c:\windows\system32\dllcache\wkssvc.dll
2009-04-30 02:15 . 2006-08-17 12:28 332288 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-30 02:15 . 2006-08-17 12:28 721920 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-30 02:15 . 2006-05-18 05:24 450560 -c----w c:\windows\system32\dllcache\jscript.dll
2009-04-30 02:14 . 2007-05-16 15:12 85504 -c----w c:\windows\system32\dllcache\wabimp.dll
2009-04-30 02:14 . 2007-05-16 15:12 510976 -c----w c:\windows\system32\dllcache\wab32.dll
2009-04-30 02:14 . 2007-05-16 15:12 86528 -c----w c:\windows\system32\dllcache\directdb.dll
2009-04-30 02:14 . 2007-08-21 06:15 683520 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-30 02:14 . 2007-05-16 15:12 1314816 -c----w c:\windows\system32\dllcache\msoe.dll
2009-04-30 02:14 . 2009-04-30 02:14 -------- d-----w c:\program files\MSXML 4.0
2009-04-30 02:13 . 2007-06-26 15:13 851968 -c----w c:\windows\system32\dllcache\vgx.dll
2009-04-29 04:03 . 2009-02-20 18:09 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-29 04:03 . 2009-02-20 18:09 268288 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-29 04:03 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-29 04:03 . 2009-02-20 18:09 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-29 04:03 . 2009-02-20 18:09 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-29 04:03 . 2008-07-09 14:25 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-29 04:03 . 2009-02-20 18:09 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-29 04:03 . 2009-02-20 18:09 6066176 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-24 22:48 . 2009-04-25 00:01 -------- d-----w C:\VundoFix Backups
2009-04-22 17:02 . 2009-04-22 18:12 15392 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-22 17:02 . 2009-04-22 18:12 439072 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-22 16:53 . 2009-04-22 16:53 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-04-22 16:53 . 2009-04-22 17:35 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-22 16:50 . 2009-04-22 16:50 -------- d-----w c:\documents and settings\Paul\Local Settings\Application Data\Downloaded Installations
2009-04-22 14:11 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-22 14:11 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-22 14:11 . 2009-04-22 14:11 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 23:49 . 2009-04-16 23:49 -------- d-----w c:\documents and settings\Paul\Local Settings\Application Data\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 17:35 . 2009-02-08 20:07 -------- d-----w c:\program files\Coupons
2009-05-02 16:13 . 2008-08-21 16:25 1536 ----a-w c:\windows\system32\TrueSoft.dat
2009-05-02 16:13 . 2009-01-10 00:22 -------- d-----w c:\program files\DNA
2009-05-02 16:12 . 2009-04-22 18:11 45 ----a-w c:\windows\system32\drivers\RemoveAny.log
2009-04-23 20:49 . 2009-03-06 19:00 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-23 20:48 . 2009-03-05 21:48 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-22 18:12 . 2009-04-22 17:02 9044 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-22 18:12 . 2009-04-22 17:02 2516 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-17 19:22 . 2008-10-20 03:40 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-29 18:52 . 2009-03-29 18:52 -------- d-----w c:\program files\Ubisoft
2009-03-26 04:07 . 2008-08-22 16:23 -------- d-----w c:\program files\Wootalyzer
2009-03-20 00:17 . 2008-08-18 06:05 -------- d-----w c:\program files\Common Files\Adobe
2009-03-16 13:59 . 2009-01-02 23:22 -------- d-----w c:\program files\Spybot - Search & Destroy
2006-02-23 12:16 . 2008-08-22 05:25 34048 ----a-w c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2008-08-22 05:25 45056 ----a-w c:\program files\mozilla firefox\plugins\upd62int.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-04-29_13.15.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 02:26 . 2007-01-19 20:15 74802 c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
+ 2009-05-02 16:13 . 2009-05-02 16:13 16384 c:\windows\Temp\Perflib_Perfdata_7e0.dat
- 2008-08-18 01:58 . 2004-08-04 04:56 11776 c:\windows\system32\xolehlp.dll
+ 2008-08-18 01:58 . 2006-03-01 19:42 11776 c:\windows\system32\xolehlp.dll
+ 2008-08-18 02:17 . 2006-01-04 03:35 68096 c:\windows\system32\webclnt.dll
+ 2008-08-18 02:17 . 2004-08-04 04:56 37888 c:\windows\system32\url.dll
+ 2009-04-30 02:23 . 2007-01-29 08:58 60416 c:\windows\system32\tzchange.exe
+ 2002-08-29 07:41 . 2005-05-10 23:45 75776 c:\windows\system32\telnet.exe
- 2001-08-23 13:00 . 2004-08-04 04:56 96768 c:\windows\system32\srvsvc.dll
+ 2001-08-23 13:00 . 2004-12-07 19:32 96768 c:\windows\system32\srvsvc.dll
+ 2001-08-23 13:00 . 2005-06-10 23:53 57856 c:\windows\system32\spoolsv.exe
- 2001-08-23 13:00 . 2004-08-04 04:56 57856 c:\windows\system32\spoolsv.exe
+ 2008-08-18 02:18 . 2007-08-22 12:55 39424 c:\windows\system32\pngfilt.dll
+ 2001-08-23 13:00 . 2009-04-30 17:42 59982 c:\windows\system32\perfc009.dat
+ 2001-08-23 13:00 . 2005-07-26 04:39 37888 c:\windows\system32\olecnv32.dll
+ 2001-08-23 13:00 . 2005-07-26 04:39 74752 c:\windows\system32\olecli32.dll
+ 2001-08-23 13:00 . 2004-08-04 04:56 96256 c:\windows\system32\occache.dll
+ 2008-08-18 02:18 . 2006-10-13 12:35 65536 c:\windows\system32\nwwks.dll
+ 2001-08-23 13:00 . 2006-10-13 12:35 64000 c:\windows\system32\nwapi32.dll
+ 2008-08-18 01:58 . 2006-03-01 19:42 91136 c:\windows\system32\mtxoci.dll
- 2001-08-23 13:00 . 2004-08-04 04:56 66560 c:\windows\system32\mtxclu.dll
+ 2001-08-23 13:00 . 2006-03-01 19:42 66560 c:\windows\system32\mtxclu.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 56832 c:\windows\system32\mshtmler.dll
+ 2001-08-23 13:00 . 2004-08-04 04:56 29184 c:\windows\system32\mshta.exe
+ 2008-08-18 02:18 . 2005-06-29 01:46 74240 c:\windows\system32\mscms.dll
+ 2001-08-23 13:00 . 2007-03-08 15:36 40960 c:\windows\system32\mf3216.dll
+ 2001-08-23 13:00 . 2005-09-01 01:41 19968 c:\windows\system32\linkinfo.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 22016 c:\windows\system32\licmgr10.dll
+ 2001-08-23 13:00 . 2007-08-22 12:55 16384 c:\windows\system32\jsproxy.dll
+ 2001-08-23 13:00 . 2006-06-01 18:47 27648 c:\windows\system32\jgpl400.dll
+ 2008-08-18 02:18 . 2006-05-19 12:59 94720 c:\windows\system32\iphlpapi.dll
- 2008-08-18 02:18 . 2004-08-04 04:56 94720 c:\windows\system32\iphlpapi.dll
+ 2008-08-18 02:18 . 2007-08-22 12:55 96256 c:\windows\system32\inseng.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 35840 c:\windows\system32\imgutil.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 62976 c:\windows\system32\iesetup.dll
+ 2001-08-23 13:00 . 2004-08-04 04:56 48640 c:\windows\system32\iernonce.dll
+ 2008-08-22 03:30 . 2004-08-04 04:56 81920 c:\windows\system32\ieencode.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 34304 c:\windows\system32\ie4uinit.exe
+ 2001-08-23 13:00 . 2006-07-21 08:24 72704 c:\windows\system32\hlink.dll
+ 2008-08-18 02:18 . 2005-05-27 02:04 41472 c:\windows\system32\hhsetup.dll
+ 2001-08-23 13:00 . 2005-10-17 21:14 80896 c:\windows\system32\fontsub.dll
+ 2008-08-22 03:30 . 2006-08-21 09:14 23040 c:\windows\system32\fltmc.exe
- 2008-08-22 03:30 . 2004-08-04 04:56 16896 c:\windows\system32\fltlib.dll
+ 2008-08-22 03:30 . 2006-08-21 12:21 16896 c:\windows\system32\fltlib.dll
+ 2008-08-22 03:30 . 2007-08-22 12:55 55808 c:\windows\system32\extmgr.dll
+ 2008-08-17 21:37 . 2006-06-14 09:00 82944 c:\windows\system32\drivers\wdmaud.sys
- 2008-08-17 21:37 . 2004-08-04 03:15 82944 c:\windows\system32\drivers\wdmaud.sys
+ 2009-04-30 02:33 . 2007-08-22 12:55 39424 c:\windows\system32\dllcache\pngfilt.dll
+ 2001-08-23 13:00 . 2005-07-26 04:39 37888 c:\windows\system32\dllcache\olecnv32.dll
+ 2001-08-23 13:00 . 2005-07-26 04:39 74752 c:\windows\system32\dllcache\olecli32.dll
+ 2001-08-23 13:00 . 2006-10-13 12:35 64000 c:\windows\system32\dllcache\nwapi32.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 16384 c:\windows\system32\dllcache\jsproxy.dll
+ 2001-08-23 13:00 . 2006-06-01 18:47 27648 c:\windows\system32\dllcache\jgpl400.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 96256 c:\windows\system32\dllcache\inseng.dll
+ 2009-04-30 02:33 . 2007-08-21 10:19 18432 c:\windows\system32\dllcache\iedw.exe
+ 2001-08-23 13:00 . 2006-07-21 08:24 72704 c:\windows\system32\dllcache\hlink.dll
+ 2001-08-23 13:00 . 2005-10-17 21:14 80896 c:\windows\system32\dllcache\fontsub.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 55808 c:\windows\system32\dllcache\extmgr.dll
- 2008-08-22 03:30 . 2007-08-13 22:54 33792 c:\windows\system32\dllcache\custsat.dll
+ 2008-08-22 03:30 . 2006-06-03 11:40 33792 c:\windows\system32\dllcache\custsat.dll
+ 2008-08-18 01:58 . 2005-07-26 04:39 97792 c:\windows\system32\dllcache\comrepl.dll
+ 2001-08-23 13:00 . 2004-08-04 04:56 35328 c:\windows\system32\corpol.dll
+ 2008-08-18 01:58 . 2005-07-26 04:39 97792 c:\windows\system32\comrepl.dll
+ 2008-08-18 01:58 . 2005-07-26 04:39 60416 c:\windows\system32\colbact.dll
- 2008-08-18 02:18 . 2004-08-04 04:56 69120 c:\windows\system32\ciodm.dll
+ 2008-08-18 02:18 . 2006-06-22 05:06 69120 c:\windows\system32\ciodm.dll
+ 2001-08-23 13:00 . 2005-03-02 18:09 56832 c:\windows\system32\authz.dll
- 2001-08-23 13:00 . 2004-08-04 04:56 56832 c:\windows\system32\authz.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 99840 c:\windows\system32\advpack.dll
+ 2001-08-23 13:00 . 2004-08-04 04:56 61440 c:\windows\system32\admparse.dll
+ 2001-08-23 13:00 . 2007-03-09 13:58 57344 c:\windows\msagent\agentdpv.dll
+ 2001-08-23 13:00 . 2006-10-12 14:02 42496 c:\windows\msagent\agentdp2.dll
+ 2009-04-30 02:14 . 2009-04-30 02:14 32768 c:\windows\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\icon.exe
+ 2008-08-18 02:18 . 2005-05-26 23:22 10752 c:\windows\hh.exe
- 2008-08-18 02:18 . 2004-08-04 04:56 10752 c:\windows\hh.exe
+ 2009-04-30 02:34 . 2006-06-14 09:00 82944 c:\windows\Driver Cache\i386\wdmaud.sys
+ 2001-08-23 13:00 . 2006-06-26 17:37 8192 c:\windows\system32\rasadhlp.dll
- 2001-08-23 13:00 . 2004-08-04 04:56 8192 c:\windows\system32\rasadhlp.dll
- 2008-08-17 21:38 . 2004-08-04 03:07 6400 c:\windows\system32\drivers\splitter.sys
+ 2008-08-17 21:38 . 2006-06-14 08:47 6400 c:\windows\system32\drivers\splitter.sys
+ 2009-04-30 02:34 . 2006-06-14 08:47 6400 c:\windows\Driver Cache\i386\splitter.sys
+ 2009-04-30 02:26 . 2007-01-19 20:15 401462 c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\msvcp60.dll
+ 2009-04-30 02:26 . 2007-01-19 20:15 995383 c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42.dll
+ 2009-04-29 04:02 . 2007-08-21 10:13 350720 c:\windows\system32\xpsp3res.dll
- 2001-08-23 13:00 . 2004-08-04 04:56 132096 c:\windows\system32\wkssvc.dll
+ 2001-08-23 13:00 . 2006-08-17 12:28 132096 c:\windows\system32\wkssvc.dll
+ 2001-08-23 13:00 . 2007-03-17 13:43 292864 c:\windows\system32\winsrv.dll
+ 2008-08-18 02:17 . 2007-08-22 12:55 665600 c:\windows\system32\wininet.dll
+ 2008-08-18 02:17 . 2006-12-19 18:16 333824 c:\windows\system32\wiaservc.dll
+ 2008-08-18 02:17 . 2004-08-04 04:56 276480 c:\windows\system32\webcheck.dll
+ 2008-08-18 02:17 . 2004-08-04 04:56 417792 c:\windows\system32\vbscript.dll
+ 2001-08-23 13:00 . 2007-03-08 15:36 577536 c:\windows\system32\user32.dll
+ 2008-08-18 02:17 . 2007-08-22 12:55 617984 c:\windows\system32\urlmon.dll
+ 2008-08-18 02:17 . 2007-02-05 20:17 185344 c:\windows\system32\upnphost.dll
- 2008-08-18 02:17 . 2004-08-04 04:56 185344 c:\windows\system32\upnphost.dll
+ 2008-08-18 02:17 . 2005-08-23 03:35 123392 c:\windows\system32\umpnpmgr.dll
- 2001-08-23 13:00 . 2004-08-04 04:56 101376 c:\windows\system32\txflog.dll
+ 2001-08-23 13:00 . 2005-07-26 04:39 101376 c:\windows\system32\txflog.dll
+ 2008-08-18 02:17 . 2005-07-08 16:27 249344 c:\windows\system32\tapisrv.dll
+ 2001-08-23 13:00 . 2005-10-17 21:14 118272 c:\windows\system32\t2embed.dll
+ 2008-08-18 02:17 . 2006-10-19 13:56 713216 c:\windows\system32\sxs.dll
- 2008-08-18 02:17 . 2004-08-04 04:56 713216 c:\windows\system32\sxs.dll
+ 2008-08-18 02:17 . 2006-08-21 13:52 246814 c:\windows\system32\strmdll.dll
+ 2008-08-18 02:17 . 2006-12-19 21:52 134656 c:\windows\system32\shsvcs.dll
- 2008-08-18 02:17 . 2004-08-04 04:56 134656 c:\windows\system32\shsvcs.dll
- 2008-08-18 02:17 . 2006-09-23 17:12 474112 c:\windows\system32\shlwapi.dll
+ 2008-08-18 02:17 . 2007-08-22 12:55 474112 c:\windows\system32\shlwapi.dll
+ 2001-08-23 13:00 . 2007-04-25 14:21 144896 c:\windows\system32\schannel.dll
- 2001-08-23 13:00 . 2004-08-04 04:56 144896 c:\windows\system32\schannel.dll
+ 2008-08-18 02:18 . 2005-07-26 04:39 397824 c:\windows\system32\rpcss.dll
+ 2008-08-18 02:18 . 2007-07-09 13:09 584192 c:\windows\system32\rpcrt4.dll
+ 2008-08-18 02:18 . 2006-11-27 14:54 433152 c:\windows\system32\riched20.dll
+ 2008-08-18 02:18 . 2006-06-22 10:47 181248 c:\windows\system32\rasmans.dll
+ 2001-08-23 13:00 . 2009-04-30 17:42 395114 c:\windows\system32\perfh009.dat
+ 2001-08-23 13:00 . 2006-10-16 16:15 122880 c:\windows\system32\oledlg.dll
+ 2001-08-23 13:00 . 2007-05-17 11:28 549376 c:\windows\system32\oleaut32.dll
+ 2001-08-23 13:00 . 2006-10-13 12:35 142336 c:\windows\system32\nwprovau.dll
+ 2008-08-18 02:18 . 2005-08-22 18:29 197632 c:\windows\system32\netman.dll
- 2008-08-18 02:18 . 2004-08-04 04:56 332288 c:\windows\system32\netapi32.dll
+ 2008-08-18 02:18 . 2006-08-17 12:28 332288 c:\windows\system32\netapi32.dll
+ 2008-08-18 02:18 . 2007-08-22 12:55 532480 c:\windows\system32\mstime.dll
+ 2008-08-18 02:18 . 2007-08-22 12:55 146432 c:\windows\system32\msrating.dll
+ 2001-08-23 13:00 . 2001-08-23 13:00 146432 c:\windows\system32\msls31.dll
+ 2008-08-18 02:18 . 2007-08-22 12:55 449024 c:\windows\system32\mshtmled.dll
+ 2008-08-18 02:18 . 2006-11-27 14:54 539136 c:\windows\system32\msftedit.dll
- 2008-08-18 01:58 . 2004-08-04 04:56 161280 c:\windows\system32\msdtcuiu.dll
+ 2008-08-18 01:58 . 2006-03-01 19:42 161280 c:\windows\system32\msdtcuiu.dll
+ 2008-08-18 01:58 . 2006-03-01 19:42 956416 c:\windows\system32\msdtctm.dll
+ 2008-08-18 02:18 . 2006-03-01 19:42 426496 c:\windows\system32\msdtcprx.dll
+ 2001-08-23 13:00 . 2006-12-14 13:45 981760 c:\windows\system32\mfc42u.dll
+ 2001-08-23 13:00 . 2006-11-01 19:17 927504 c:\windows\system32\mfc40u.dll
- 2001-08-23 13:00 . 2004-08-04 04:56 721920 c:\windows\system32\lsasrv.dll
+ 2001-08-23 13:00 . 2006-08-17 12:28 721920 c:\windows\system32\lsasrv.dll
+ 2001-08-23 13:00 . 2007-04-16 15:52 984576 c:\windows\system32\kernel32.dll
+ 2008-08-18 02:18 . 2005-06-15 17:49 295936 c:\windows\system32\kerberos.dll
+ 2001-08-23 13:00 . 2006-05-18 05:24 450560 c:\windows\system32\jscript.dll
+ 2001-08-23 13:00 . 2006-06-01 18:47 163840 c:\windows\system32\jgdw400.dll
+ 2008-08-18 02:18 . 2005-05-27 02:04 137216 c:\windows\system32\itss.dll
+ 2008-08-18 02:18 . 2005-05-27 02:04 155136 c:\windows\system32\itircl.dll
+ 2008-08-18 02:18 . 2007-08-21 06:15 683520 c:\windows\system32\inetcomm.dll
+ 2008-08-18 02:18 . 2007-08-22 12:55 251904 c:\windows\system32\iepeers.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 323584 c:\windows\system32\iedkcs32.dll
+ 2001-08-23 13:00 . 2001-08-23 13:00 221184 c:\windows\system32\ieakui.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 216576 c:\windows\system32\ieaksie.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 139264 c:\windows\system32\ieakeng.dll
+ 2008-08-18 02:18 . 2005-06-29 01:46 254976 c:\windows\system32\icm32.dll
+ 2001-08-23 13:00 . 2007-06-19 13:31 282112 c:\windows\system32\gdi32.dll
- 2008-08-17 21:35 . 2008-10-17 15:41 248696 c:\windows\system32\FNTCACHE.DAT
+ 2008-08-17 21:35 . 2009-04-30 17:40 248696 c:\windows\system32\FNTCACHE.DAT
- 2008-08-18 02:18 . 2004-08-04 04:56 243200 c:\windows\system32\es.dll
+ 2008-08-18 02:18 . 2005-07-26 04:39 243200 c:\windows\system32\es.dll
+ 2008-08-18 02:18 . 2007-08-22 12:55 205824 c:\windows\system32\dxtrans.dll
+ 2008-08-18 02:18 . 2007-08-22 12:55 357888 c:\windows\system32\dxtmsft.dll
+ 2008-08-18 02:18 . 2006-08-22 08:05 498742 c:\windows\system32\dxmasf.dll
+ 2001-08-23 13:00 . 2006-08-16 09:37 225664 c:\windows\system32\drivers\tcpip6.sys
+ 2001-08-23 13:00 . 2006-04-20 11:51 359808 c:\windows\system32\drivers\tcpip.sys
+ 2001-08-23 13:00 . 2006-08-14 10:34 332928 c:\windows\system32\drivers\srv.sys
+ 2001-08-23 13:00 . 2006-07-13 08:48 202240 c:\windows\system32\drivers\rmcast.sys
+ 2008-08-18 01:58 . 2005-06-10 04:09 139528 c:\windows\system32\drivers\rdpwd.sys
+ 2001-08-23 13:00 . 2006-05-05 09:47 174592 c:\windows\system32\drivers\rdbss.sys
- 2008-08-18 02:18 . 2004-08-04 03:02 163584 c:\windows\system32\drivers\nwrdr.sys
+ 2008-08-18 02:18 . 2006-10-13 10:23 163584 c:\windows\system32\drivers\nwrdr.sys
+ 2001-08-23 13:00 . 2006-05-05 09:41 453120 c:\windows\system32\drivers\mrxsmb.sys
+ 2008-08-17 21:38 . 2006-06-14 08:47 172416 c:\windows\system32\drivers\kmixer.sys
+ 2001-08-23 13:00 . 2004-09-29 22:28 134912 c:\windows\system32\drivers\ipnat.sys
- 2001-08-23 13:00 . 2004-08-04 03:04 134912 c:\windows\system32\drivers\ipnat.sys
+ 2008-08-22 03:30 . 2006-03-17 00:33 262784 c:\windows\system32\drivers\http.sys
+ 2008-08-22 03:30 . 2006-08-21 09:14 128896 c:\windows\system32\drivers\fltmgr.sys
- 2008-08-17 21:38 . 2004-08-04 02:39 142464 c:\windows\system32\drivers\aec.sys
+ 2008-08-17 21:38 . 2006-02-15 00:22 142464 c:\windows\system32\drivers\aec.sys
- 2008-08-18 02:18 . 2004-08-04 04:56 148480 c:\windows\system32\dnsapi.dll
+ 2008-08-18 02:18 . 2006-06-26 17:37 148480 c:\windows\system32\dnsapi.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 665600 c:\windows\system32\dllcache\wininet.dll
+ 2009-01-07 00:24 . 2007-03-08 15:36 577536 c:\windows\system32\dllcache\user32.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 617984 c:\windows\system32\dllcache\urlmon.dll
+ 2008-08-18 02:18 . 2004-08-04 04:56 153088 c:\windows\system32\dllcache\triedit.dll
+ 2006-08-21 13:52 . 2006-08-21 13:52 246814 c:\windows\system32\dllcache\strmdll.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2006-09-23 17:12 . 2006-09-23 17:12 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2001-08-23 13:00 . 2006-07-13 08:48 202240 c:\windows\system32\dllcache\rmcast.sys
+ 2001-08-23 13:00 . 2006-10-16 16:15 122880 c:\windows\system32\dllcache\oledlg.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 532480 c:\windows\system32\dllcache\mstime.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 146432 c:\windows\system32\dllcache\msrating.dll
+ 2001-08-23 13:00 . 2001-08-23 13:00 146432 c:\windows\system32\dllcache\msls31.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 449024 c:\windows\system32\dllcache\mshtmled.dll
+ 2001-08-23 13:00 . 2006-11-01 19:17 927504 c:\windows\system32\dllcache\mfc40u.dll
+ 2001-08-23 13:00 . 2006-06-01 18:47 163840 c:\windows\system32\dllcache\jgdw400.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 251904 c:\windows\system32\dllcache\iepeers.dll
+ 2001-08-23 13:00 . 2001-08-23 13:00 221184 c:\windows\system32\dllcache\ieakui.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 205824 c:\windows\system32\dllcache\dxtrans.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 357888 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-08-22 08:05 . 2006-08-22 08:05 498742 c:\windows\system32\dllcache\dxmasf.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 151040 c:\windows\system32\dllcache\cdfview.dll
+ 2001-08-23 13:00 . 2006-05-19 12:59 111616 c:\windows\system32\dhcpcsvc.dll
+ 2008-08-18 01:58 . 2005-07-26 04:39 540160 c:\windows\system32\comuid.dll
- 2008-08-18 01:58 . 2004-08-04 04:56 540160 c:\windows\system32\comuid.dll
+ 2001-08-23 13:00 . 2006-08-25 15:45 617472 c:\windows\system32\comctl32.dll
+ 2008-08-18 02:18 . 2005-07-26 04:39 195072 c:\windows\system32\Com\comadmin.dll
+ 2008-08-18 01:58 . 2005-07-26 04:39 498688 c:\windows\system32\clbcatq.dll
- 2008-08-18 01:58 . 2004-08-04 04:56 110080 c:\windows\system32\clbcatex.dll
+ 2008-08-18 01:58 . 2005-07-26 04:39 110080 c:\windows\system32\clbcatex.dll
+ 2001-08-23 13:00 . 2007-08-22 12:55 151040 c:\windows\system32\cdfview.dll
+ 2008-08-18 02:18 . 2005-07-26 04:39 625152 c:\windows\system32\catsrvut.dll
+ 2008-08-18 01:58 . 2005-07-26 04:39 225792 c:\windows\system32\catsrv.dll
+ 2008-08-18 02:18 . 2006-08-16 11:58 100352 c:\windows\system32\6to4svc.dll
- 2008-08-18 02:18 . 2004-08-04 04:56 100352 c:\windows\system32\6to4svc.dll
+ 2001-08-23 13:00 . 2006-10-12 11:09 256512 c:\windows\msagent\agentsvr.exe
- 2001-08-23 13:00 . 2004-08-04 04:56 256512 c:\windows\msagent\agentsvr.exe
+ 2009-04-30 02:20 . 2006-05-05 09:41 453120 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-04-30 02:34 . 2006-06-14 08:47 172416 c:\windows\Driver Cache\i386\kmixer.sys
+ 2009-04-30 02:32 . 2006-03-17 00:33 262784 c:\windows\Driver Cache\i386\http.sys
+ 2009-04-30 02:32 . 2006-02-15 00:22 142464 c:\windows\Driver Cache\i386\aec.sys
+ 2006-08-25 12:45 . 2006-08-25 12:45 1054208 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
+ 2009-04-30 02:26 . 2007-01-19 20:15 1011774 c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll
+ 2007-05-08 19:06 . 2007-05-08 19:06 1275392 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\msxml4.dll
+ 2001-08-23 13:00 . 2007-03-08 13:47 1843584 c:\windows\system32\win32k.sys
+ 2008-08-18 02:17 . 2006-12-19 21:52 8453632 c:\windows\system32\shell32.dll
+ 2008-08-18 02:17 . 2007-08-22 12:55 1498112 c:\windows\system32\shdocvw.dll
+ 2008-08-18 02:18 . 2006-06-22 05:06 1435648 c:\windows\system32\query.dll
- 2008-08-18 02:18 . 2004-08-04 04:56 1435648 c:\windows\system32\query.dll
+ 2008-08-21 22:37 . 2005-08-30 03:54 1287168 c:\windows\system32\quartz.dll
+ 2008-08-18 02:18 . 2005-07-26 04:39 1285120 c:\windows\system32\ole32.dll
+ 2001-08-23 13:00 . 2007-02-28 09:10 2180352 c:\windows\system32\ntoskrnl.exe
+ 2001-08-17 13:48 . 2007-02-28 08:38 2057600 c:\windows\system32\ntkrnlpa.exe
+ 2007-05-08 19:03 . 2007-05-08 19:03 1275392 c:\windows\system32\msxml4.dll
+ 2008-08-18 02:18 . 2007-06-26 06:08 1104896 c:\windows\system32\msxml3.dll
+ 2008-08-18 02:18 . 2007-08-22 22:25 3064832 c:\windows\system32\mshtml.dll
+ 2001-08-23 13:00 . 2005-10-20 22:20 1082368 c:\windows\system32\esent.dll
- 2001-08-23 13:00 . 2004-08-04 04:56 1082368 c:\windows\system32\esent.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 1498112 c:\windows\system32\dllcache\shdocvw.dll
+ 2007-08-22 22:25 . 2007-08-22 22:25 3064832 c:\windows\system32\dllcache\mshtml.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 1054208 c:\windows\system32\dllcache\danim.dll
- 2006-09-23 17:12 . 2006-09-23 17:12 1022976 c:\windows\system32\dllcache\browseui.dll
+ 2009-04-30 02:33 . 2007-08-22 12:55 1022976 c:\windows\system32\dllcache\browseui.dll
+ 2008-08-18 02:18 . 2007-08-22 12:55 1054208 c:\windows\system32\danim.dll
+ 2008-08-18 02:18 . 2005-07-26 04:39 1267200 c:\windows\system32\comsvcs.dll
- 2001-08-23 13:00 . 2004-08-04 04:56 2067968 c:\windows\system32\cdosys.dll
+ 2001-08-23 13:00 . 2005-09-10 01:53 2067968 c:\windows\system32\cdosys.dll
- 2008-08-18 02:18 . 2006-09-23 17:12 1022976 c:\windows\system32\browseui.dll
+ 2008-08-18 02:18 . 2007-08-22 12:55 1022976 c:\windows\system32\browseui.dll
+ 2009-04-30 02:18 . 2007-02-28 09:10 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-04-30 02:18 . 2007-02-28 08:38 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-04-30 02:18 . 2007-02-28 08:38 2057600 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-04-30 02:18 . 2007-02-28 09:08 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{527911CB-7F4A-42DA-AAAD-E9F00B026C6D}]
2006-11-30 02:14 95744 ----a-w c:\windows\system32\btde.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2004-11-02 40960]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Wootalyzer"="c:\program files\Wootalyzer\woot.exe" [2009-03-26 374272]
"WeatherWatcher"="c:\program files\Weather Watcher\ww.exe" [2009-03-01 1089536]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-10 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhoneTray"="c:\program files\Traysoft\PhoneTray\PhoneTray.exe" [2008-03-16 441360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-23 516440]
"PV92TRAY"="PV92Tray.exe" - c:\windows\system32\PV92Tray.exe [2003-04-24 135168]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-04-24 180224]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-11-17 753664]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-9-27 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-12 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2008-8-18 565248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei24.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\Paul\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 RemoveAny;RemoveAny driver;c:\windows\system32\Drivers\removeany.sys [2008-10-30 11264]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
R3 iteio;iteio;c:\windows\System32\drivers\iteio.sys [1999-08-30 3680]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-23 953168]
S0 gsjdynca;gsjdynca;c:\windows\system32\drivers\gsjdynca.sys [2001-08-23 23424]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-23 64160]
S0 viasraid;viasraid;c:\windows\System32\DRIVERS\viasraid.sys [2003-10-31 77312]
S2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2006-09-30 27936]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2004-10-08 458820]

.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:48]

2009-05-13 c:\windows\Tasks\Ad-Aware.job
- c:\progra~1\Lavasoft\Ad-Aware\Ad-Aware.exe [2009-01-18 20:48]

2009-05-07 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2001-08-23 13:00]

2009-05-12 c:\windows\Tasks\Ofc Outlook Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-23 04:56]

2009-05-13 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-02 20:31]

2009-05-13 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-01-02 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Customize Menu &4 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms &] - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm &2 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms &[ - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\cimd2vjm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.avsforum.com/avs-vb/archive/index.php/t-562185-p-30.html
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 17:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(26144)
c:\windows\system32\nView.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\msls31.dll
c:\windows\system32\shdoclc.dll
c:\windows\System32\msimtf.dll
c:\windows\System32\MSCTF.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-13 17:32
ComboFix-quarantined-files.txt 2009-05-13 21:31
ComboFix2.txt 2009-04-29 13:17
ComboFix3.txt 2009-04-25 01:09

Pre-Run: 76,318,990,336 bytes free
Post-Run: 76,641,648,640 bytes free

508

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:12 PM, on 5/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Altec Lansing\AMS\ALServ.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\Program Files\Weather Watcher\ww.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {527911CB-7F4A-42DA-AAAD-E9F00B026C6D} - C:\WINDOWS\system32\btde.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wootalyzer] C:\Program Files\Wootalyzer\woot.exe
O4 - HKCU\..\Run: [WeatherWatcher] "C:\Program Files\Weather Watcher\ww.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219371676296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8625 bytes

#6 teacup61

  • Malware Response Team

Posted 14 May 2009 - 09:23 AM

Hello,

Umm.....no. You obviously didn't follow my directions at all.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Now get a fresh one so it will run right, and only run it once. :thumbup2:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#7 apsinger

  • Topic Starter
  • Members

Posted 14 May 2009 - 09:58 AM

My apologies! Didn't understand I had to start with a fresh download. I wondered why it came up in a degraded mode. Thank you much for getting me back on track.

I also ran Malwarebytes. Not sure if that is of value, but I included that log just below.

Thank you again for the help!!!!!!!!!

:thumbup2:

Malwarebytes' Anti-Malware 1.36
Database version: 2035
Windows 5.1.2600 Service Pack 2

5/14/2009 10:52:56 AM
mbam-log-2009-05-14 (10-52-47).txt

Scan type: Quick Scan
Objects scanned: 77599
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{527911cb-7f4a-42da-aaad-e9f00b026c6d} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{527911cb-7f4a-42da-aaad-e9f00b026c6d} (Trojan.BHO.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\btde.dll (Trojan.BHO.H) -> No action taken.
C:\Documents and Settings\Paul\Local Settings\Temp\tkxjojmd.dat (Rootkit.Agent) -> No action taken.

ComboFix 09-05-13.02 - Paul 05/14/2009 10:27.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.304 [GMT -4:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\btde.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-05-13 01:36 . 2009-05-13 01:36 -------- d-----w c:\program files\Trend Micro
2009-05-06 00:12 . 2009-05-06 00:12 -------- d-----w c:\program files\Citrix
2009-05-06 00:11 . 2009-05-06 00:11 60744 ----a-w c:\documents and settings\Paul\g2mdlhlpx.exe
2009-05-04 04:08 . 2009-05-04 04:08 -------- d-----w c:\program files\CCleaner
2009-05-02 13:44 . 2009-05-02 16:25 -------- d-----w C:\BARBIE_MERMAIDIA
2009-04-30 02:39 . 2006-08-25 15:45 617472 -c----w c:\windows\system32\dllcache\comctl32.dll
2009-04-30 02:38 . 2006-04-20 11:51 359808 -c----w c:\windows\system32\dllcache\tcpip.sys
2009-04-30 02:37 . 2007-06-26 06:08 1104896 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-04-30 02:37 . 2006-08-14 10:34 332928 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-30 02:36 . 2006-05-19 12:59 111616 -c----w c:\windows\system32\dllcache\dhcpcsvc.dll
2009-04-30 02:36 . 2006-05-19 12:59 94720 -c----w c:\windows\system32\dllcache\iphlpapi.dll
2009-04-30 02:36 . 2007-03-08 15:36 40960 -c----w c:\windows\system32\dllcache\mf3216.dll
2009-04-30 02:36 . 2007-03-08 13:47 1843584 -c----w c:\windows\system32\dllcache\win32k.sys
2009-04-30 02:35 . 2007-07-09 13:09 584192 -c----w c:\windows\system32\dllcache\rpcrt4.dll
2009-04-30 02:34 . 2006-06-14 08:47 6400 -c----w c:\windows\system32\dllcache\splitter.sys
2009-04-30 02:34 . 2006-06-14 08:47 172416 -c----w c:\windows\system32\dllcache\kmixer.sys
2009-04-30 02:34 . 2006-06-14 09:00 82944 -c----w c:\windows\system32\dllcache\wdmaud.sys
2009-04-30 02:34 . 2007-04-16 15:52 984576 -c----w c:\windows\system32\dllcache\kernel32.dll
2009-04-30 02:32 . 2007-02-05 20:17 185344 -c----w c:\windows\system32\dllcache\upnphost.dll
2009-04-30 02:30 . 2006-12-26 13:07 536576 -c----w c:\windows\system32\dllcache\msado15.dll
2009-04-30 02:30 . 2006-12-26 13:07 102400 -c----w c:\windows\system32\dllcache\msjro.dll
2009-04-30 02:30 . 2006-12-26 13:07 180224 -c----w c:\windows\system32\dllcache\msadomd.dll
2009-04-30 02:30 . 2006-12-26 13:07 200704 -c----w c:\windows\system32\dllcache\msadox.dll
2009-04-30 02:29 . 2006-10-12 14:02 42496 -c----w c:\windows\system32\dllcache\agentdp2.dll
2009-04-30 02:29 . 2006-10-12 11:09 256512 -c----w c:\windows\system32\dllcache\agentsvr.exe
2009-04-30 02:27 . 2006-10-19 13:56 713216 -c----w c:\windows\system32\dllcache\sxs.dll
2009-04-30 02:27 . 2007-05-17 11:28 549376 -c----w c:\windows\system32\dllcache\oleaut32.dll
2009-04-30 02:26 . 2006-10-13 10:23 163584 -c----w c:\windows\system32\dllcache\nwrdr.sys
2009-04-30 02:26 . 2006-10-13 12:35 65536 -c----w c:\windows\system32\dllcache\nwwks.dll
2009-04-30 02:26 . 2006-10-13 12:35 142336 -c----w c:\windows\system32\dllcache\nwprovau.dll
2009-04-30 02:26 . 2006-12-14 13:45 981760 -c----w c:\windows\system32\dllcache\mfc42u.dll
2009-04-30 02:25 . 2006-12-19 21:52 134656 -c----w c:\windows\system32\dllcache\shsvcs.dll
2009-04-30 02:25 . 2006-12-19 21:52 8453632 -c----w c:\windows\system32\dllcache\shell32.dll
2009-04-30 02:25 . 2007-02-28 09:08 2136064 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-30 02:25 . 2007-02-28 09:10 2180352 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-30 02:25 . 2007-02-28 08:38 2015744 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-30 02:25 . 2007-02-28 08:38 2057600 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-30 02:23 . 2006-08-16 09:37 225664 -c----w c:\windows\system32\dllcache\tcpip6.sys
2009-04-30 02:23 . 2006-08-16 11:58 100352 -c----w c:\windows\system32\dllcache\6to4svc.dll
2009-04-30 02:23 . 2006-12-19 18:16 333824 -c----w c:\windows\system32\dllcache\wiaservc.dll
2009-04-30 02:22 . 2006-03-17 00:38 28672 ------w c:\windows\system32\verclsid.exe
2009-04-30 02:22 . 2006-11-27 14:54 433152 -c----w c:\windows\system32\dllcache\riched20.dll
2009-04-30 02:22 . 2006-11-27 14:54 539136 -c----w c:\windows\system32\dllcache\msftedit.dll
2009-04-30 02:21 . 2007-06-19 13:31 282112 -c----w c:\windows\system32\dllcache\gdi32.dll
2009-04-30 02:20 . 2006-05-05 09:47 174592 -c----w c:\windows\system32\dllcache\rdbss.sys
2009-04-30 02:20 . 2006-05-05 09:41 453120 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-30 02:19 . 2007-04-25 14:21 144896 -c----w c:\windows\system32\dllcache\schannel.dll
2009-04-30 02:19 . 2006-06-26 17:37 8192 -c----w c:\windows\system32\dllcache\rasadhlp.dll
2009-04-30 02:19 . 2006-06-26 17:37 148480 -c----w c:\windows\system32\dllcache\dnsapi.dll
2009-04-30 02:18 . 2007-03-17 13:43 292864 -c----w c:\windows\system32\dllcache\winsrv.dll
2009-04-30 02:17 . 2006-06-22 05:06 69120 -c----w c:\windows\system32\dllcache\ciodm.dll
2009-04-30 02:17 . 2006-06-22 05:06 1435648 -c----w c:\windows\system32\dllcache\query.dll
2009-04-30 02:17 . 2006-08-21 12:21 16896 -c----w c:\windows\system32\dllcache\fltlib.dll
2009-04-30 02:17 . 2006-08-21 09:14 23040 -c----w c:\windows\system32\dllcache\fltmc.exe
2009-04-30 02:17 . 2006-08-21 09:14 128896 -c----w c:\windows\system32\dllcache\fltmgr.sys
2009-04-30 02:17 . 2006-06-22 10:47 181248 -c----w c:\windows\system32\dllcache\rasmans.dll
2009-04-30 02:17 . 2004-08-04 04:56 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-30 02:16 . 2007-03-09 13:58 57344 -c----w c:\windows\system32\dllcache\agentdpv.dll
2009-04-30 02:15 . 2006-08-17 12:28 132096 -c----w c:\windows\system32\dllcache\wkssvc.dll
2009-04-30 02:15 . 2006-08-17 12:28 332288 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-30 02:15 . 2006-08-17 12:28 721920 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-30 02:15 . 2006-05-18 05:24 450560 -c----w c:\windows\system32\dllcache\jscript.dll
2009-04-30 02:14 . 2007-05-16 15:12 85504 -c----w c:\windows\system32\dllcache\wabimp.dll
2009-04-30 02:14 . 2007-05-16 15:12 510976 -c----w c:\windows\system32\dllcache\wab32.dll
2009-04-30 02:14 . 2007-05-16 15:12 86528 -c----w c:\windows\system32\dllcache\directdb.dll
2009-04-30 02:14 . 2007-08-21 06:15 683520 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-30 02:14 . 2007-05-16 15:12 1314816 -c----w c:\windows\system32\dllcache\msoe.dll
2009-04-30 02:14 . 2009-04-30 02:14 -------- d-----w c:\program files\MSXML 4.0
2009-04-30 02:13 . 2007-06-26 15:13 851968 -c----w c:\windows\system32\dllcache\vgx.dll
2009-04-29 04:03 . 2009-02-20 18:09 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-29 04:03 . 2009-02-20 18:09 268288 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-29 04:03 . 2009-02-20 10:20 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-29 04:03 . 2009-02-20 18:09 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-29 04:03 . 2009-02-20 18:09 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-29 04:03 . 2008-07-09 14:25 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-29 04:03 . 2009-02-20 18:09 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-29 04:03 . 2009-02-20 18:09 6066176 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-24 22:48 . 2009-04-25 00:01 -------- d-----w C:\VundoFix Backups
2009-04-22 17:02 . 2009-04-22 18:12 15392 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-22 17:02 . 2009-04-22 18:12 439072 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-22 16:53 . 2009-04-22 16:53 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-04-22 16:53 . 2009-04-22 17:35 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-22 16:50 . 2009-04-22 16:50 -------- d-----w c:\documents and settings\Paul\Local Settings\Application Data\Downloaded Installations
2009-04-22 14:11 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-22 14:11 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-22 14:11 . 2009-04-22 14:11 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 23:49 . 2009-04-16 23:49 -------- d-----w c:\documents and settings\Paul\Local Settings\Application Data\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 14:32 . 2008-08-21 16:25 1536 ----a-w c:\windows\system32\TrueSoft.dat
2009-05-14 14:32 . 2009-01-10 00:22 -------- d-----w c:\program files\DNA
2009-05-14 14:31 . 2009-04-22 18:11 45 ----a-w c:\windows\system32\drivers\RemoveAny.log
2009-05-05 17:35 . 2009-02-08 20:07 -------- d-----w c:\program files\Coupons
2009-04-23 20:49 . 2009-03-06 19:00 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-23 20:48 . 2009-03-05 21:48 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-22 18:12 . 2009-04-22 17:02 9044 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-22 18:12 . 2009-04-22 17:02 2516 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-17 19:22 . 2008-10-20 03:40 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-29 18:52 . 2009-03-29 18:52 -------- d-----w c:\program files\Ubisoft
2009-03-26 04:07 . 2008-08-22 16:23 -------- d-----w c:\program files\Wootalyzer
2009-03-20 00:17 . 2008-08-18 06:05 -------- d-----w c:\program files\Common Files\Adobe
2009-03-16 13:59 . 2009-01-02 23:22 -------- d-----w c:\program files\Spybot - Search & Destroy
2006-02-23 12:16 . 2008-08-22 05:25 34048 ----a-w c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2008-08-22 05:25 45056 ----a-w c:\program files\mozilla firefox\plugins\upd62int.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{527911CB-7F4A-42DA-AAAD-E9F00B026C6D}]
2006-11-30 02:14 95744 ----a-w c:\windows\system32\btde.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2004-11-02 40960]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Wootalyzer"="c:\program files\Wootalyzer\woot.exe" [2009-03-26 374272]
"WeatherWatcher"="c:\program files\Weather Watcher\ww.exe" [2009-03-01 1089536]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-10 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhoneTray"="c:\program files\Traysoft\PhoneTray\PhoneTray.exe" [2008-03-16 441360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-23 516440]
"PV92TRAY"="PV92Tray.exe" - c:\windows\system32\PV92Tray.exe [2003-04-24 135168]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-04-24 180224]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-11-17 753664]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-9-27 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-12 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2008-8-18 565248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei24.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\Paul\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 gsjdynca;gsjdynca;c:\windows\system32\drivers\gsjdynca.sys [8/23/2001 9:00 AM 23424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2009 5:48 PM 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8/18/2008 4:30 PM 77312]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [9/30/2006 6:35 AM 27936]
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [9/1/2008 11:13 PM 458820]
S1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [10/30/2008 1:19 PM 11264]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [8/18/2008 2:02 AM 31592]
S3 iteio;iteio;c:\windows\system32\drivers\Iteio.sys [8/18/2008 4:34 PM 3680]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 953168]
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:48]

2009-05-13 c:\windows\Tasks\Ad-Aware.job
- c:\progra~1\Lavasoft\Ad-Aware\Ad-Aware.exe [2009-01-18 20:48]

2009-05-14 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2001-08-23 13:00]

2009-05-14 c:\windows\Tasks\Ofc Outlook Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-23 04:56]

2009-05-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-02 20:31]

2009-05-14 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-01-02 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Customize Menu &4 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms &] - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm &2 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms &[ - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\cimd2vjm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.avsforum.com/avs-vb/archive/index.php/t-562185-p-30.html
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 10:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1252)
c:\windows\system32\nView.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\msls31.dll
c:\windows\system32\shdoclc.dll
c:\windows\System32\msimtf.dll
c:\windows\System32\MSCTF.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Logitech\Easy Synchronization\servicestub.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\system32\drwtsn32.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-05-14 10:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-14 14:35
ComboFix2.txt 2009-05-13 21:32

Pre-Run: 76,629,999,616 bytes free
Post-Run: 76,640,432,128 bytes free

283

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:14 AM, on 5/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {527911CB-7F4A-42DA-AAAD-E9F00B026C6D} - C:\WINDOWS\system32\btde.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wootalyzer] C:\Program Files\Wootalyzer\woot.exe
O4 - HKCU\..\Run: [WeatherWatcher] "C:\Program Files\Weather Watcher\ww.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219371676296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8801 bytes

Edited by apsinger, 14 May 2009 - 10:01 AM.


#8 apsinger
  • Topic Starter
  • Members
  • 20 posts

Posted 29 May 2009 - 07:48 AM

Ok, guess the new guys don't have any clout around here! Wish I could have gotten some help, but understand you guys have a zillion and one folks begging help.

I'll go with the reload.

Have a good day.

#9 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 June 2009 - 11:43 PM

Hello,

I apologize for my abrupt departure. :thumbup2: I've been fighting an infection and it hasn't been pleasant. If you still need help, please let me know. Otherwise I'll close the thread out as solved in the next few days. :)

Thank you for understanding,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#10 apsinger
  • Topic Starter
  • Members
  • 20 posts

Posted 09 June 2009 - 11:53 PM

Sorry to hear that Teacup61!!! You take care of yourself! :thumbup2: Appreciate you taking the time to respond!

I've just not had time to reload this PC as of yet. Kept hoping I'd figure this out before having to go to that length. When you get better, would welcome any thoughts. No worries though either way.

Thanks and hope you get better soon!

apsinger

#11 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 June 2009 - 12:00 AM

I'm here now....and much better, thank you. :step4:

How is it running now? In the last MBAM report it shows no action taken.......did you let it clean everything after you copied it to post here?

About ComboFix, no apologies necessary, but you see it did find what we were looking for when you got a fresh download. It's a built-in safety feature sUBs uses to help keep ComboFix safe. :step1: Since it's been all this time (I'm so sorry :) ) we'll need to do that again.....delete ComboFix and Qoobox and get a fresh one, especially since we'll need to do more with it as it could not delete that bad file. Go ahead and run the new ComboFix and post the report when you're ready.

One last thing......I do hope you now realize that it isn't because you are the "new guy" that you weren't answered. :thumbup2:

tea

#12 apsinger
  • Topic Starter
  • Members
  • 20 posts

Posted 10 June 2009 - 05:01 PM

Hello,
Ok, did new ComboFix and new HijackThis. I'm not sure what I've got going at this point as far as viruses. I had turned off my programs to do this troubleshooting. Suppose I need to turn them back on soon. I have not run Malwarebytes recently. That was showing me the ugly viruses that started me down this path some time back. Thanks for your thoughts on how I look now.




ComboFix 09-06-09.06 - Paul 06/10/2009 17:45.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.531 [GMT -4:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFixJune10.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 21:38 . 2009-06-10 21:42 -------- d-s---w- C:\ComboFix
2009-06-05 11:45 . 2009-06-05 11:45 -------- d-----w- c:\program files\Apple Software Update
2009-06-05 11:44 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-05 11:44 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-05 11:44 . 2009-06-05 11:44 -------- d-----w- c:\program files\iPod
2009-06-05 11:43 . 2009-06-05 11:44 -------- d-----w- c:\program files\iTunes
2009-06-05 11:43 . 2009-06-05 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 11:43 . 2009-06-05 11:43 -------- d-----w- c:\program files\Bonjour
2009-06-05 11:42 . 2009-06-05 11:43 -------- d-----w- c:\program files\QuickTime
2009-06-05 11:42 . 2009-06-05 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-05 11:38 . 2009-06-05 11:43 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 11:36 . 2009-06-05 11:36 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-21 23:11 . 2009-05-21 23:11 -------- d-----w- c:\program files\KingsIsle Entertainment
2009-05-21 02:26 . 2004-03-22 20:17 24816 ----a-w- c:\windows\system32\mdimon.dll
2009-05-21 02:24 . 2009-05-21 02:24 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-05-21 02:23 . 2009-05-21 02:24 -------- d-----w- c:\windows\SHELLNEW
2009-05-21 02:23 . 2009-05-21 02:23 -------- d-----w- c:\program files\Microsoft.NET
2009-05-13 01:36 . 2009-05-13 01:36 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 21:46 . 2008-09-18 13:37 -------- d-----w- c:\documents and settings\Paul\Application Data\WeatherWatcher
2009-06-10 21:41 . 2009-01-10 00:22 -------- d-----w- c:\documents and settings\Paul\Application Data\DNA
2009-06-10 21:31 . 2008-08-21 16:25 1536 ----a-w- c:\windows\system32\TrueSoft.dat
2009-06-10 21:31 . 2009-01-10 00:22 -------- d-----w- c:\program files\DNA
2009-06-10 21:31 . 2009-04-22 18:11 45 ----a-w- c:\windows\system32\drivers\RemoveAny.log
2009-06-05 12:24 . 2009-02-06 22:51 -------- d-----w- c:\documents and settings\Paul\Application Data\Apple Computer
2009-05-23 12:42 . 2008-11-30 17:47 -------- d-----w- c:\documents and settings\Paul\Application Data\Move Networks
2009-05-21 23:11 . 2008-08-22 03:39 67072 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-21 23:11 . 2008-08-18 02:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-06 00:12 . 2009-05-06 00:12 -------- d-----w- c:\program files\Citrix
2009-05-06 00:11 . 2009-05-06 00:11 60744 ----a-w- c:\documents and settings\Paul\g2mdlhlpx.exe
2009-05-05 17:35 . 2009-02-08 20:07 -------- d-----w- c:\program files\Coupons
2009-05-02 16:29 . 2008-09-02 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\Paul\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-04-30 02:14 . 2009-04-30 02:14 -------- d-----w- c:\program files\MSXML 4.0
2009-04-23 20:48 . 2009-04-23 20:48 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-23 20:48 . 2009-03-05 21:48 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-22 18:12 . 2009-04-22 17:02 9044 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-04-22 18:12 . 2009-04-22 17:02 439072 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-04-22 18:12 . 2009-04-22 17:02 2516 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-04-22 18:12 . 2009-04-22 17:02 15392 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-04-22 17:35 . 2009-04-22 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-22 17:30 . 2009-01-10 00:22 -------- d-----w- c:\documents and settings\Paul\Application Data\BitTorrent
2009-04-22 16:53 . 2009-04-22 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-04-22 14:11 . 2009-04-22 14:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-04-17 19:22 . 2008-10-20 03:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-04-06 19:32 . 2009-04-22 14:11 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-04-22 14:11 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2006-02-23 12:16 . 2008-08-22 05:25 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2008-08-22 05:25 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-06-10_13.51.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-10 21:31 . 2009-06-10 21:31 16384 c:\windows\Temp\Perflib_Perfdata_84c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2004-11-02 40960]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Wootalyzer"="c:\program files\Wootalyzer\woot.exe" [2009-03-26 374272]
"WeatherWatcher"="c:\program files\Weather Watcher\ww.exe" [2009-03-01 1089536]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-10 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhoneTray"="c:\program files\Traysoft\PhoneTray\PhoneTray.exe" [2008-03-16 441360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-28 518488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"PV92TRAY"="PV92Tray.exe" - c:\windows\system32\PV92Tray.exe [2003-04-24 135168]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-04-24 180224]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-11-17 753664]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-9-27 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-12 805392]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2008-8-18 565248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei24.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\Paul\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2009 5:48 PM 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8/18/2008 4:30 PM 77312]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [9/30/2006 6:35 AM 27936]
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [9/1/2008 11:13 PM 458820]
S1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [10/30/2008 1:19 PM 11264]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [8/18/2008 2:02 AM 31592]
S3 iteio;iteio;c:\windows\system32\drivers\Iteio.sys [8/18/2008 4:34 PM 3680]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1005904]
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:48]

2009-06-10 c:\windows\Tasks\Ad-Aware.job
- c:\progra~1\Lavasoft\Ad-Aware\Ad-Aware.exe [2009-01-18 20:48]

2009-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-04 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2001-08-23 13:00]

2009-06-09 c:\windows\Tasks\Ofc Outlook Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-23 04:56]

2009-06-10 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-02 20:31]

2009-06-10 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-01-02 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Customize Menu &4 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms &] - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm &2 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms &[ - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\cimd2vjm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.avsforum.com/avs-vb/archive/index.php/t-562185-p-30.html
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 17:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2252)
c:\windows\system32\nView.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Lavasoft\Ad-Aware\ShellExt.dll
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll
c:\windows\system32\browselc.dll
c:\program files\Siber Systems\AI RoboForm\RoboForm.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2009-06-10 17:52
ComboFix-quarantined-files.txt 2009-06-10 21:52
ComboFix2.txt 2009-06-10 19:02
ComboFix3.txt 2009-06-10 13:51
ComboFix4.txt 2009-05-14 14:35
ComboFix5.txt 2009-06-10 21:45

Pre-Run: 74,352,701,440 bytes free
Post-Run: 74,356,101,120 bytes free

217

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:30 PM, on 6/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wootalyzer] C:\Program Files\Wootalyzer\woot.exe
O4 - HKCU\..\Run: [WeatherWatcher] "C:\Program Files\Weather Watcher\ww.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219371676296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9542 bytes

#13 apsinger

apsinger
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time: 09:48 PM

Posted 10 June 2009 - 05:01 PM

Hello,
OK, did a new ComboFix and a new HijackThis. I'm not sure what I've got going at this point as far as viruses. I had turned off my programs to do this troubleshooting. Suppose I need to turn them back on soon. I have not run Malwarebytes recently. That was showing me the ugly viruses that started me down this path some time back. Thanks for your thoughts on how I look now.




ComboFix 09-06-09.06 - Paul 06/10/2009 17:45.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.531 [GMT -4:00]
Running from: c:\documents and settings\Paul\Desktop\ComboFixJune10.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 )))))))))))))))))))))))))))))))
.

2009-06-10 21:38 . 2009-06-10 21:42 -------- d-s---w- C:\ComboFix
2009-06-05 11:45 . 2009-06-05 11:45 -------- d-----w- c:\program files\Apple Software Update
2009-06-05 11:44 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-05 11:44 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-06-05 11:44 . 2009-06-05 11:44 -------- d-----w- c:\program files\iPod
2009-06-05 11:43 . 2009-06-05 11:44 -------- d-----w- c:\program files\iTunes
2009-06-05 11:43 . 2009-06-05 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 11:43 . 2009-06-05 11:43 -------- d-----w- c:\program files\Bonjour
2009-06-05 11:42 . 2009-06-05 11:43 -------- d-----w- c:\program files\QuickTime
2009-06-05 11:42 . 2009-06-05 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-05 11:38 . 2009-06-05 11:43 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 11:36 . 2009-06-05 11:36 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-21 23:11 . 2009-05-21 23:11 -------- d-----w- c:\program files\KingsIsle Entertainment
2009-05-21 02:26 . 2004-03-22 20:17 24816 ----a-w- c:\windows\system32\mdimon.dll
2009-05-21 02:24 . 2009-05-21 02:24 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-05-21 02:23 . 2009-05-21 02:24 -------- d-----w- c:\windows\SHELLNEW
2009-05-21 02:23 . 2009-05-21 02:23 -------- d-----w- c:\program files\Microsoft.NET
2009-05-13 01:36 . 2009-05-13 01:36 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 21:46 . 2008-09-18 13:37 -------- d-----w- c:\documents and settings\Paul\Application Data\WeatherWatcher
2009-06-10 21:41 . 2009-01-10 00:22 -------- d-----w- c:\documents and settings\Paul\Application Data\DNA
2009-06-10 21:31 . 2008-08-21 16:25 1536 ----a-w- c:\windows\system32\TrueSoft.dat
2009-06-10 21:31 . 2009-01-10 00:22 -------- d-----w- c:\program files\DNA
2009-06-10 21:31 . 2009-04-22 18:11 45 ----a-w- c:\windows\system32\drivers\RemoveAny.log
2009-06-05 12:24 . 2009-02-06 22:51 -------- d-----w- c:\documents and settings\Paul\Application Data\Apple Computer
2009-05-23 12:42 . 2008-11-30 17:47 -------- d-----w- c:\documents and settings\Paul\Application Data\Move Networks
2009-05-21 23:11 . 2008-08-22 03:39 67072 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-21 23:11 . 2008-08-18 02:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-06 00:12 . 2009-05-06 00:12 -------- d-----w- c:\program files\Citrix
2009-05-06 00:11 . 2009-05-06 00:11 60744 ----a-w- c:\documents and settings\Paul\g2mdlhlpx.exe
2009-05-05 17:35 . 2009-02-08 20:07 -------- d-----w- c:\program files\Coupons
2009-05-02 16:29 . 2008-09-02 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\Paul\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-04-30 02:14 . 2009-04-30 02:14 -------- d-----w- c:\program files\MSXML 4.0
2009-04-23 20:48 . 2009-04-23 20:48 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-23 20:48 . 2009-03-05 21:48 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-22 18:12 . 2009-04-22 17:02 9044 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-04-22 18:12 . 2009-04-22 17:02 439072 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-04-22 18:12 . 2009-04-22 17:02 2516 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-04-22 18:12 . 2009-04-22 17:02 15392 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-04-22 17:35 . 2009-04-22 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-04-22 17:30 . 2009-01-10 00:22 -------- d-----w- c:\documents and settings\Paul\Application Data\BitTorrent
2009-04-22 16:53 . 2009-04-22 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-04-22 14:11 . 2009-04-22 14:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-04-17 19:22 . 2008-10-20 03:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-04-06 19:32 . 2009-04-22 14:11 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-04-22 14:11 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2006-02-23 12:16 . 2008-08-22 05:25 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2008-08-22 05:25 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-06-10_13.51.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-10 21:31 . 2009-06-10 21:31 16384 c:\windows\Temp\Perflib_Perfdata_84c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2004-11-02 40960]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Wootalyzer"="c:\program files\Wootalyzer\woot.exe" [2009-03-26 374272]
"WeatherWatcher"="c:\program files\Weather Watcher\ww.exe" [2009-03-01 1089536]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-10 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhoneTray"="c:\program files\Traysoft\PhoneTray\PhoneTray.exe" [2008-03-16 441360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Easy Synchronization"="c:\program files\Logitech\Easy Synchronization\LogitechEasySync.exe" [2005-10-05 53248]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-28 518488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"PV92TRAY"="PV92Tray.exe" - c:\windows\system32\PV92Tray.exe [2003-04-24 135168]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2003-04-24 180224]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-11-17 753664]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-10-22 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-9-27 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-12 805392]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2008-8-18 565248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll" [2005-10-05 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winei24.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=c:\windows\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\Paul\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/5/2009 5:48 PM 64160]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [8/18/2008 4:30 PM 77312]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [9/30/2006 6:35 AM 27936]
R3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [9/1/2008 11:13 PM 458820]
S1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [10/30/2008 1:19 PM 11264]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [8/18/2008 2:02 AM 31592]
S3 iteio;iteio;c:\windows\system32\drivers\Iteio.sys [8/18/2008 4:34 PM 3680]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1005904]
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 20:48]

2009-06-10 c:\windows\Tasks\Ad-Aware.job
- c:\progra~1\Lavasoft\Ad-Aware\Ad-Aware.exe [2009-01-18 20:48]

2009-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-04 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2001-08-23 13:00]

2009-06-09 c:\windows\Tasks\Ofc Outlook Backup.job
- c:\windows\system32\ntbackup.exe [2001-08-23 04:56]

2009-06-10 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-02 20:31]

2009-06-10 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-01-02 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Customize Menu &4 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms &] - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm &2 - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms &[ - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\cimd2vjm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.avsforum.com/avs-vb/archive/index.php/t-562185-p-30.html
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 17:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2252)
c:\windows\system32\nView.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Lavasoft\Ad-Aware\ShellExt.dll
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\program files\Logitech\Easy Synchronization\shellexecutehook.dll
c:\windows\system32\browselc.dll
c:\program files\Siber Systems\AI RoboForm\RoboForm.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2009-06-10 17:52
ComboFix-quarantined-files.txt 2009-06-10 21:52
ComboFix2.txt 2009-06-10 19:02
ComboFix3.txt 2009-06-10 13:51
ComboFix4.txt 2009-05-14 14:35
ComboFix5.txt 2009-06-10 21:45

Pre-Run: 74,352,701,440 bytes free
Post-Run: 74,356,101,120 bytes free

217

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:30 PM, on 6/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [PhoneTray] C:\Program Files\Traysoft\PhoneTray\PhoneTray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wootalyzer] C:\Program Files\Wootalyzer\woot.exe
O4 - HKCU\..\Run: [WeatherWatcher] "C:\Program Files\Weather Watcher\ww.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219371676296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9542 bytes

#14 apsinger

apsinger
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time: 09:48 PM

Posted 10 June 2009 - 10:36 PM

You know, I think I'm clean! Ran Malwarebytes and the usual culprits were not there! I'm excited, but not sure why this worked this time when it didn't previously? PC definitely seems to be running better.....

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender: Female
  • Location: Wills Point, Texas
  • Local time: 09:48 PM

Posted 10 June 2009 - 11:43 PM

Hi there,

There's no telling.....sometimes when you do things a first time it's just enough to shake things loose, then when you go back and do it again it can clean it. Is MBAM coming up totally clean now? You said not the usual suspects, but that doesn't necessarily mean clean. :) Plus you ran the new version of ComboFix, so that could have made a difference too.

Let me know about MBAM.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
